
Gilles Clugnac Consulting System Engineer

Presentation transcript:

1 Gilles Clugnac Consulting System Engineer
Campus Networks Gilles Clugnac Consulting System Engineer

2 Today's business imperatives: real-time interactions
INTERACTIONS TRANSACTIONS PRODUCTION Business models have changed over the last several decades: 60-80s – command and control 90-03s – core/context 03 – future – real time enterprise With each change, there has been a corresponding change in the IT infrastructure. We have seen this evolution occur in three corresponding changes: production  transactions  interactions. Today, to respond to the flattening of the world, businesses must evolve the way they interact with their value chain and move to a world of interactions. Interactions: …are about connections, adding value in the exchange of information for your customers and value chain …bring people together with the information they need to make decisions more rapidly Real-time businesses enabled by interactions can… …sense opportunities and problems faster and respond to them faster and more precisely …compete by removing slack in sharing information and executing business processes/decisions rapidly (internally, and with customers and suppliers). …fuel further productivity gains, higher customer satisfaction/loyalty. Fast Very fast Real time

3 CIO concerns: IDC 2006 study
Aligning the information system with strategy [27%] Responsiveness of the information system [23%] Cost reduction [18%] [Build slide- each build brings in the agenda blocks one at a time] Last year CIOs were most concerned with device up-times and security. This year we're seeing the concerns of CIOs and the IT group in general evolving because they have more control over the basic functionality of their network (security, resilience, etc.). They're concerned with the business impact of IT. How can IT change or improve business processes for the company? Examples of this would be how IT can improve customer relations in a retail store or allow medical staff more rapid mobility through a hospital while providing the latest patient record to eliminate medical errors. This is the type of thing that they're trying to improve with the network: business process. [Click] Business processes used to be defined exclusively by other leaders in the organization and simply handed down to the CIO or CTO; now these officers need to be involved in the planning process, for they know that the IT network can improve the functionality and effectiveness of new applications and services that will drive business processes. An example we have seen in real life is a prescription tracking system in a hospital. The original design was to simply have it web based, to be accessed at the nursing station or doctor's office. However, the CTO was able to intercede early enough and, with slight modifications to the software, made it usable on the Cisco IP phones located throughout the hospital, on portable PDAs that doctors and other staff carry, as well as on the original desktop computers, making the system that much more available and useful. Just as any business has to evolve its processes over time to address new needs and opportunities, IT has to rapidly evolve to support those new processes.
In many cases, technical advances in IT will open the door for new processes that streamline effectiveness and productivity in different areas of the business. Now, the network is the optimal place to address many of these business processes because it's ubiquitous and touches everything, from telephony to applications, from servers to clients. Investment in an intelligent network is an investment in the business. What are the priority objectives of your organization's IT department?

4 Network convergence
We are now right in the middle of this convergence revolution. These four separate networks are converging over time onto the IP data network. Voice is becoming packets on the IP network with VoIP technology, one of Cisco's highest technology priorities. IP video is bringing video onto our PCs and IP networks as we speak, with video on demand, company event broadcasts, videoconferencing, and security camera video being used by thousands of companies today. And new technologies like iSCSI, pioneered by Cisco, are allowing IP networks to also connect computer systems to storage systems located anywhere in the world. By eliminating the need for separate networks, organizations can not only save tremendous costs and simplify their IT infrastructures; a new world of applications is emerging that allows for the integration of data, voice, and video datatypes.

5 Accelerating adoption: innovation happens on IP
Worldwide enterprise voice market Total Market $Bn Enterprise IP telephony TDM / PBX Source: Synergy Research

6 Unified Communications
Structures and adds value across every area of business communications Business Process Productivity Business Transformation Secured Video / Calendar Mobility Conferencing and Collaboration Unlike standalone solutions and point products, Cisco Unified Communications integrates it all (voice, video, mobility and data), adding structure and intelligence to every aspect of business communications. Integrated applications include secure IP communications, collaboration, unified messaging, mobility, video and rich-media conferencing, and virtual contact centers that integrate databases and workflow applications with advanced contact center capabilities. So when a customer calls in, they're instantly matched with the most appropriate contact center agent who has access to all pertinent customer information. According to AMR Research, companies using virtual contact centers increase productivity by 15 percent and save an estimated one million dollars per 100 call center agents. In addition, annual agent turnover decreases, falling from 60 percent to only 5 percent. Cisco gives you voice plus the NETWORK and network applications: Cisco Unified Communications securely integrates voice, video, , web and collaborative applications, federated presence, instant messaging, mobility, voice & unified messaging and others coming together in a robust, secure environment. This system takes full advantage of all of the power, resilience, and flexibility of an organization's IP network. With Cisco Unified Communications, you can make the leap from 'piecemeal stand-alones' to an integrated communication strategy. Best of all, your employees get the access you need them to have to be more productive. A few examples of our complete solution that we'll describe a bit more fully in this presentation: Cisco Unity delivers , voice and fax messages managed from a single inbox; you can answer a voice mail with and or vice versa!
Cisco Unified MeetingPlace is a voice, video and web conferencing solution that integrates with an organization's internal voice and data networks and collaborative applications. If you have a web browser and a phone, you can meet anywhere! Cisco Unified Video Telephony enables real-time, person-to-person video sessions to be transparently added to telephone calls and conferences. IP Network Voice and Unified Messaging Endpoints Presence and Instant Messaging Telephony services Contact center

7 Drivers of change in the enterprise
Human Professional Network Enterprising User Virtualized Information Borderless enterprise Innovation Personalization Also a consumer Massively distributed Self-service Leading-edge IT services Real-time business Teleworking Interactions "The new generation of users demands a highly interactive, strongly connected and contextual work environment that can follow them anywhere, all the time." - Forrester

8 A complex IT environment
Resilience and Compliance Cost control Information Management Information Lifecycle Management Tiered Storage Information access Data classification Enterprise Data Center Internet Data Center Public Web Site 100s of Servers with Integrated Storage E-Commerce Application 4-Tier Application App. Server Supply-Chain Management Traditional Voice PBX In-House Developed Apps 2-Tier CRM Application NCR DB Server Data Warehousing Finance, HR, Payroll and EDI Mainframe Systems Tape Backup Multiple 2-Tier ERP Instances Engineering Services NAS Filers Appliances IP Services DNS RADIUS LDAP JBOD Operations Center Compliance Automation Virtualization Business Continuance Security Consolidation Operational Risk Management On-Demand, Utility Infrastructure Application service contract Enterprise agility So how does this infrastructure support the key IT challenges and objectives today and moving forward? How does it support the continued need to control costs, while at the same time being more responsive to growth and change within the business? How does it continue to meet and exceed application service levels, while keeping resources flat and while also rolling out new applications? How does it meet new regulation requirements? And how does it allow companies to address the growing challenge of managing the business' information in a way that allows that information to be used and leveraged most effectively and without drowning in the exponential growth of data?
Clearly the current infrastructure model needs to evolve to meet these challenges. Agility Performance Application integration Availability Growth Application Awareness and Optimization Service Oriented Architecture Current infrastructure

9 The network is the platform
Convergence of Information and Communication Technologies in the network Consumer Service Provider Enterprise SMB IP IP IP IP IP Data Priority Transcoding Personalization Location Optimization Acceleration Security The network is where many of the key services reside that enable customers to do all the things they want and expect to be able to do today. With the network as a platform for all communications and IT, these are converged across our entire customer base. Our vision goes beyond adding data, voice, video and mobility into every market segment, because no user is ever in only one of those environments. We're leading integrated lives and we're both workers and consumers, operating in both fixed and mobile environments, all the time. So the move is to a world where standardization and customization happen at the same time: from specialization of technology, devices and networks to full convergence, where these things are capable of multiple different ways of interacting. So, the Cisco vision is really about delivering information, communications, and entertainment in a way that frees up the user. Anytime, anywhere, on any media, you have access to them and at the quality level you expect. Network platforms are more than the sum of their parts, as platforms enable people to create things never imagined by their builders. But few platforms scale to truly strategic proportions. Internet Protocol (IP) and HTML are two that do. What network as a platform means to Cisco is that we believe in the future all forms of communications (data/voice/video collaboration, entertainment, etc.) will traverse the IP network. Cisco's role is to continue driving intelligent features and capabilities onto the network infrastructure so that future networks can support both media-rich applications and scale to user demand.
Cisco's two decades of expertise in IP and our history of building intelligence into the network are why we are so strongly positioned to be the technology leader today and in the future. Voice Video Information Communications Entertainment Collaboration Mobility The network is the platform

10 Modular approach: end-to-end architectures
Networked Infrastructure Layer Network Areas Server Storage Devices Network fundamentals Campus Data Center Extranet Internet WAN/MAN Branch Teleworker Architecture rules Reference architectures per area Strong interoperability between areas Service continuity End-to-end SLA guarantees Site B The network infrastructure layer, which has traditionally provided connectivity to clients, servers, storage devices and distributed sites, is also evolving. As IP becomes the pervasive network protocol, there are a number of other protocols and technologies the network must support. These include NAC for access control, 802.1x for client identity purposes, Infiniband and 10GE for high-throughput server clusters, and a number of traditional functions such as routing, switching and transport technology which offer virtualization capabilities. Whether the communication is from a web client on a desktop, from a PDA or mobile phone to a server, from a remote host to network-attached storage arrays, or between two storage arrays or server clusters, the network interconnects need to provide a predictable level of service, the right level of performance and I/O capabilities, and a reliable and secure medium for transport. Additionally, the overall network architecture must support consistent network-wide services and policies applied to the specific location where the servers, storage, and clients reside. NETWORKED INFRASTRUCTURE LAYER Network modules Campus Branch Data Center Extranet Internet WAN/MAN Teleworker Server Storage Clients

11 The traditional traffic model: datacenter-driven
Client-server applications and web services Centralized services Delivered by a data center or a hosting site Campus Traditional Traffic Patterns in the Enterprise Campus Over the past decade, applications moved from distributed workgroup servers placed in the LAN segments close to the users to more client-server based applications where the servers were centralized in the data center. This centralized application server approach allowed many enterprises to centralize security and monitoring services at the choke points or common flow points in the network, typically found in the data center aggregation switches. Transition – next slide has the potential changes as dynamic shared applications, peer-to-peer, and multimedia flows change this dynamic. App Intelligence, Security, Flow Info Data Center

12 New applications will disrupt the campus network …
Cisco TelePresence: strategic impact on executive communications, hence an excellent SLA Secured communications Highly available service A service that must be exemplary Office Groove 2007: the new collaboration application Peer-to-peer data distribution Decentralized, unpredictable traffic The application must be recognized in order to control its access QoS Let's look at Microsoft Office Groove 2007, a peer-to-peer application that automates change management for shared workspaces. This is a truly networked application, where changes in a workspace on one team member's computer are driven automatically to all the instances of that workspace on other team members' computers. There is no central controlling server managing the change process. Bear in mind that… These teams may come and go as necessary (See Slide #5 "communities.") Changes must proliferate immediately Changes may occur at any time and often End users may participate on multiple teams These exchanges must be kept confidential to the team This kind of unpredictable and free-flowing peer-to-peer application traffic could easily wreak havoc with a campus network designed around limited bandwidth, security and resource and traffic control functions at the edge. It is critical for all segments in the campus network to understand what applications need and deserve high priority; take action to adapt to shifting traffic patterns and demands; secure all points of entry and traffic flows; and ensure authorized network access anytime from anywhere. Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

13 Video & audio streaming
And more are coming … Video VOD Video & audio streaming Video conferencing Toward 10G Voice & Data convergence , chat, & IM PC & cable telephony Unified messaging Toward Virtualization & Security Peer to Peer Toward Packet Inspection File sharing On-line gaming Music download OS Applications Workstations & Regulations Toward IPv6 LINUX MAC OS X Windows Vista

14 The new application model: campus-driven and datacenter-driven
Collaborative apps Peer to Peer Unified Communications Wired to Mobile Requires Distributed Services Application Intelligence Security Distributed Services modules Distributed flow information Campus New Traffic Patterns in the Enterprise Campus New peer-to-peer applications are beginning to appear (P2P APIs built into MSFT Vista). With this, the application flows can change from their normal north/south flows, inspected at the data center edge, to multiple different patterns. Unified Communications & Collaboration tools (TelePresence, Rich Unified Comms) and Wired to Mobile (Cisco mobile IP phones; Intel Centrino provides built-in mobility in laptops) also drive new connectivity points and data flows. IP Telephony and TelePresence go to data center services for setup information but then switch over to direct peer-to-peer communications for point-to-point calls. Traditional monitoring and control points are not sufficient: because the traffic patterns may sometimes never hit the data center, new security services must be distributed. Greater visibility is required at every level of the network to sniff out applications, apply QoS to support typical and dynamic traffic patterns, and make sure that the company's critical business applications and the real-time applications have sufficient bandwidth to perform within SLAs. Distributed services in the campus are needed to address traffic flow changes. New data flows: intra-campus traffic flows that may not touch the data center, e.g. client-to-client, peer-to-peer flows: MSFT Groove, Unified Comms. Services are ideally applied as close to the clients as possible (e.g.
wiring closet) to minimize service gaps. Transition – now let's take a deeper look at some new applications and developments that will have an effect on your network. Application Intelligence and Security Services are moving toward the access layer and therefore increasingly need to be integrated into the network to minimize costs and retain control App Intelligence, Security, Flow Info Data Center

15 Campus networks are becoming business platforms
Phase I … All workstations connected to the LAN Office applications distributed on PCs Rise of client-server business applications Uncontrolled operations Understanding where we've been is critical to understanding where we're going and why. The campus LAN has gone through a number of significant transitions over the last few decades. Interestingly enough, these transitions seem to occur about every ten years. Prior to 1985, almost all desktops were hard-wired to central computers. Some of you may remember having two computers on your desk in the 80s: a 3270 connected to SNA and the IBM mainframe, and a dumb terminal connected to a DEC VAX or Wang word processor. Then along came PC LANs, LAN terminal servers and 3270 emulators. The desktop device changed to a PC having a single connection to an Ethernet or Token Ring LAN. Local LAN servers offered up office applications, while central computers still provided business applications. In order to best leverage the intelligence of the desktop PC and the price-performance advantage of PC and Unix servers, client-server applications took hold. The smart, connected client provided automated access to information and applications located on the network. Unfortunately, these client-server applications, often built not by a central IT organization but by business units themselves, overloaded slower-speed shared LANs (and WANs) and servers, and also caused all sorts of system and data integrity problems. The answer: throw bandwidth at the problem. That takes us to our next campus transition. Connectivity The Campus LAN

16 Campus networks are becoming business platforms
Phase II … Traffic volume and bandwidth needs are increasing Demand for availability and service commitments (SLA) (Five nines!) Rise of the web - GUI, servers, applications E-Business User and traffic control becomes critical Implementation of an organized operational practice Basic control High Avail. "Wire" Speed The problems of network overload, system failures, and security breaches became more pronounced as networked applications expanded in terms of use, reach, and complexity. The introduction of the Web into normal business practices in the mid-90s blew the lid off the campus LAN. Traffic volume, networked exchanges, and user populations grew exponentially. The shared and loosely coupled network model could no longer satisfy campus requirements. The campus needed to be strengthened and organized if it was to adapt to building requirements. Management of the campus LAN, from desktop to data center, was centralized. This gave rise to standardization and consolidation. Campus LANs were designed around Ethernet as THE standard LAN type. Ethernet itself advanced from 10Mbps to 100Mbps to 1GbE and then to 10GbE to accommodate traffic growth. Switched connections became the norm. No longer would users share bandwidth. Owing to the increasing criticality of the campus network to business, high availability networking hardware and campus designs were established. And LAN security advanced from simple access control mechanisms to stronger VLAN, authentication, and firewall protection schemes. An organized network hierarchy was established in the campus LAN. Here, access points (wiring closets) connected to distribution points, which connected to the campus core. Across this hierarchy, limited user movement could be controlled to some extent.
And new, but still rather predictable, traffic patterns driven by GUI-based data applications and even building voice and video streams could be accommodated by having extra bandwidth around when needed. Which brings us to our next campus transition: the campus network built not just for speed, but for services as well. Connectivity The Campus LAN The Campus Network

17 Campus networks are becoming business platforms
Phase III … Unlimited access to any resource Immediate, improved collaboration Total protection, regulatory compliance Simplified, flexible use of resources Very high availability required Simplification of complex services Application Intelligence Unified Access Continuous Avail. Integrated Security Virtualization Operational Excel. Basic control High Avail. "Wire" Speed Connectivity As we established previously, business in the 21st century is not business as usual with a few new simple twists. There are fundamental changes in business that are driving dramatic shifts in how IT and the network support the new 21st century business model. No longer are users tied to specific desks or even sites. Specific working groups or hours. Specific IT systems or resources. Specific business applications or information. We can no longer predict what exactly the user will demand the next time they click their mouse, let alone six months or even six minutes from now. We must ready our network for any business eventuality. We must build on what we've established in terms of performance, reliability, and security, and extend our networks to be ready no matter what the next click or next call or next customer or next company shift brings. In certain areas, we must raise the bar for the network. No longer are high availability designs enough to sustain network service levels in this real-time, anytime business environment. Here, we must move toward a fault-tolerant model where Non-Stop Communications is the benchmark for reliability. Here, hardware and software form systems that not only avoid unscheduled downtime, but also eliminate scheduled downtime. And owing to the focus on the end user, the network must not only be available all the time, it must also provide consistently excellent service at all times. On the security front, no longer are basic control functions such as VLANs and firewalls enough.
Proactive Integrated Security services must be pervasive across the network. No longer can the security functions stand guard at only certain weak points. Continual monitoring and immediate reaction are required throughout the network. The specter of the malicious attack, accidental breach, or compliance audit is ever present going forward. Understanding that user needs and traffic flows are no longer predictable, the network also must take charge of varying loads and diverse user demands. Although we've moved to higher and higher bandwidth connections in the campus, applications have moved even more quickly to take advantage of available bandwidth, and overload shared resources. Application Fluency services aimed at maintaining an excellent user experience no matter the applications in use, or the network conditions present, are critical to success. And this is not only important for the user operating a high-demand application, but just as important for all the other users on the network as well. Also of great importance are Virtualization services that leverage all available resources to respond immediately to end user demand. No longer are we able to overbuild and overspend on resources. Resources must be fully utilized, no matter whether local or remote to the end user, no matter even if they're internal or external to the company. It is also this end user that drives the need for greater Unified Networking capabilities. Here, users do not want to be limited by their device or location. The mobile user must be kept productive. It is also important for users to leverage all available means of communications available to them, and all available expertise and information. Collaboration tools based on converged data/voice/video systems improve decision-making and speed business response times. Unified Networking services ensure that the end user is provided a complete network experience: anytime, anyhow, anywhere.
Finally, the network that drives our businesses forward in the years to come must meet all these needs cost-effectively. Networking budgets are not growing in lock-step with the network's importance to business. Here, Operational Manageability becomes paramount. From an operations perspective, we must move beyond a static hierarchical management model to one that applies autonomics to the network. Here, the network self-adjusts, guided by established policies. Real-time business practices demand real-time reaction from our networks. Static configurations, assigned resources, and operator interactions are going the way of the now extinct hard-wired terminal and shared networks of past campus LANs. The Campus Network The Campus Communications Fabric

18 The Campus Communications Fabric: the six fundamental domains
Operational Excellence Continuous Availability Application Intelligence Virtualization Unified Access CCF is a blueprint to support rich media applications that effectively connect people and resources. It guides IT managers through complex considerations while expanding or planning networks; specifically, it covers: 1. Application Intelligence; 2. Unified Network Access; 3. Integrated Security; 4. Network Virtualization; 5. Non-Stop Systems; 6. Operational Manageability (These categories help close the two large gaps defined by SONA: 1. Close the Application Integration Gap; 2. Close the IT resource gap) At the product and feature level, CCF demonstrates how the pieces work together and the benefits of each… These 6 Critical Attributes work together to enable Consistent Services and Policies anywhere, anytime, no matter how someone connects to the campus network. Integrated Security

19 Continuous Availability: ensuring business operations continuity
Current needs: provide continuous, seamless access to applications, data and content from anywhere, at any time Network-level resilience Intelligent network protocols Deployment flexibility System-level resilience Hardware and software redundancy Control-plane protection Proactive fault management Use of reference documents Resilient Infrastructure Application Availability In-Service Maintenance Main Theme: While high availability has always been a key attribute of the campus network, evolving business requirements, user expectations and technology changes require a re-evaluation of what is 'sufficient'. Key points to introduce and reinforce throughout this section of the presentation: The overarching requirement is to provide continuous access to applications, data, and content from anywhere and at any time. 5 x 9's is no longer the only metric necessary to consider in the evaluation of the availability of the network. In a UC-enabled environment the subjective user experience, i.e. the impact of any network event on interactive voice and video traffic, is also a critical metric for availability. As network connectivity has become more pervasive, the expectation of the 'always on' network has become the norm. The network is assumed to always be accessible anywhere and at any time. The increase in network connectivity has resulted in an increase in potential risks to network availability due to the growth of security threats (viruses and worms), which requires that in addition to network availability (device redundancy) we also ensure system or component resiliency. Cisco's approach to providing this next level of end-to-end network resiliency (high availability) combines the use of resilient network design, resilient systems and components, and proven reference designs to ensure customers' business requirements are satisfied.

20 Highly Available Campus Design: Structure, Modularity and Hierarchy
Modular, structured and hierarchical architecture Optimize the interaction between network protocols and redundancy Provide the right level of redundancy Choose the protocol appropriate to the stated needs Optimize that protocol The logical topology of the network protocols follows the physical topology Data Center WAN Internet Redundant supervisor Layer 2 or Layer 3 Redundant links Equal-cost L3 links Redundant routers

21 High Availability – Agenda
General principles Network redundancy Routing protocol optimization Redundancy in the distribution block Toward routing at the access layer System redundancy Data Center WAN Internet Layer 2 or Layer 3 Equal-cost L3 links

22 General principles Layer 2 – Detecting neighbor loss
Indirect link losses take longer to detect Without direct hardware notification of link loss or topology change, convergence depends on software notifications In some topologies, TCN frames or multicast frames (UplinkFast) must be sent to speed up convergence Indirect events in a bridged architecture are detected by Spanning Tree Hello frames Do not interconnect switches through hubs TCN BPDUs hub

23 General Principles: Layer 3 – Detecting Neighbor Loss
Prefer routed interfaces so that the routing protocols are notified directly when a link is lost.
Indirect problems require software processing to detect the failure.
To improve detection time:
Use routed interfaces between L3 switches.
Reduce the IGP hello timers to cover indirect failures.
(Diagram labels: SVI interface, L2 notification followed by L3 notification, Hellos, switch)

24 General Principles: Multiple Paths – L2
In the recommended design, access-to-distribution convergence on link loss relies on updating the MAC address tables, not on Spanning Tree.
Traffic restoration time is therefore based on:
The link-loss detection time.
The time to update the hardware MAC address table.
No dependency on external events (no need to wait for Spanning Tree convergence).
Deterministic behavior.
In an architecture with all links active, traffic restoration is based on hardware processing!
(Diagram labels: Core, Distribution, Access, all links active)

25 General Principles: Multiple Paths – L3
In the recommended design, convergence relies first and foremost on CEF with equal-cost paths.
Traffic restoration time is then based on:
The link-loss detection time.
The time to remove the route from the software forwarding table.
The time to update the hardware forwarding table.
No dependency on external events (routing protocol convergence time does not come into play).
Deterministic behavior.
Equal-cost links: restoration requires purely local processing.

26 General Principles: How Cisco Express Forwarding (CEF) Works
(Diagram: Catalyst switch. Control plane – the FIB and adjacency table are built in software (router). Data plane – packets are switched in hardware: hardware FIB table and adjacency table, lookup, rewrite, L3 packet in, L3 packet out.)
Networks using redundancy mechanisms with multiple links converge quickly thanks to the hardware functions of Cisco Express Forwarding (CEF).

As we said earlier, ECMP allows very fast convergence, and Catalyst switches support up to 8 paths today. Here is the generic ECMP concept and how forwarding decisions are made on Catalyst switches: first compute the routing table in software, then put the relevant forwarding information into the software Cisco Express Forwarding tables (FIB and adjacency tables), and download a copy of these CEF tables to hardware for packet forwarding. With ECMP there are multiple possible next-hop adjacencies for a given network prefix; in the figure there are three different next-hop adjacencies for one FIB prefix, and depending on the load-balancing criteria and the flow, one path or another is used. These tables are populated before any user traffic is present in the network, unlike a cache-based model. The first of these tables is a copy of the relevant forwarding data from the routing table and is known as the FIB table. The second table is the adjacency table. It maintains a database of node adjacencies (two nodes are adjacent if they can reach each other with a single hop at the link layer of the Open Systems Interconnection [OSI] model) together with their associated Layer 2 Media Access Control (MAC) rewrite or next-hop information.

27 General Principles: CEF – Restoration with Equal-Cost Paths
CEF uses a multi-step process to make the final forwarding decision. First it determines the longest prefix match for the destination address via a hardware lookup:
The destination IP is read from the packet.
A lookup key is created based on the destination IP.
As the lookup key is compared to the TCAM entries, the associated mask is applied.
The longest match returns an index into the adjacency block.
Packet flow data is input to the load-sharing hash function.
The adjacency offset value selects an adjacency (containing the next-hop information) in the adjacency block.
The new MAC address is attached and the packet is forwarded.
(Diagram labels: IPv4 lookup – source IP, destination IP, optional L4 ports; prefix entries / FIB with masks /32, /24, /16; result memory – Adj Idx 15, path count 3; load-balancing hash; hash result – Adj Offset 0, 1 or 2; adjacency table entries #1, #2, #15, #16, #25 with rewrite info at Adj Idx 15, 15+1, 15+2; new MAC and VLAN)
Switch#show mls cef exact-route Interface: Gi1/1, Next Hop: , Vlan: 1019, Destination Mac: 0030.f272.31fe
Switch#show mls cef exact-route Interface: Gi2/2, Next Hop: , Vlan: 1018, Destination Mac: 000d.6550.a8ea

Walk through the day in the life of a packet with multiple equal-cost paths. Suppose a packet comes in; we compare its destination IP to the entries in the TCAM using the appropriate (longest) mask. Once we have a hit, it points us to a result memory entry that gives us the adjacency index, which tells us which entry in the adjacency table to use to rewrite the packet. Since CEF load balancing is done in hardware, once we have the adjacency index we feed some data into a hash algorithm: by default the source and destination IP, and on Supervisor 720 also a unique ID to prevent CEF polarization (Supervisor 2 does not support that); the L4 ports can optionally be included as well, which is configurable. The output of this hash tells us which specific entry in this block of adjacencies to use to forward this particular packet when there are multiple next hops for the prefix. So the hash produces a value that tells us exactly which entry to use, and this value varies with the hash input, which gives per-flow load balancing; there is no per-packet load balancing in any of the supervisors today.
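Added example (not from the slide deck): a Python model of the lookup sequence above, with a constructed FIB and adjacency table modelled on the slide's "Adj Idx 15, path count 3" entry. The CRC32-based flow hash and the unique_id salt are stand-ins for the hardware hash, not Cisco's algorithm. It also shows why the Supervisor 720's unique ID matters: flows that one switch hashed onto offset 0 would all land on the same path again at a downstream switch with an identical hash (CEF polarization) unless the hash input differs per switch.

```python
import ipaddress
import zlib
from collections import Counter

# Constructed FIB entries: (prefix, adjacency index, equal-cost path count).
# The 10.1.0.0/24 entry mirrors the slide's "Adj Idx 15 - Path Count 3".
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), 25, 1),
    (ipaddress.ip_network("10.1.0.0/24"), 15, 3),
    (ipaddress.ip_network("10.1.0.7/32"), 1, 1),
]

# Constructed adjacency table: index -> (egress interface, next hop, rewrite MAC).
# Interfaces and MACs for 15/16 echo the slide's "show mls cef exact-route" output;
# the rest is made up.
ADJ = {
    1:  ("Gi3/1", "10.9.0.1", "0000.0c00.0001"),
    15: ("Gi1/1", "10.9.1.1", "0030.f272.31fe"),
    16: ("Gi2/2", "10.9.2.1", "000d.6550.a8ea"),
    17: ("Gi2/3", "10.9.3.1", "0000.0c00.0017"),
    25: ("Gi4/1", "10.9.4.1", "0000.0c00.0025"),
}


def longest_match(fib, dst):
    """TCAM-style lookup: of all entries whose mask covers dst, the longest wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [entry for entry in fib if addr in entry[0]]
    if not candidates:
        raise LookupError(f"no FIB entry for {dst}")
    return max(candidates, key=lambda entry: entry[0].prefixlen)


def flow_hash(src, dst, sport=None, dport=None, unique_id=0):
    """Stand-in for the hardware load-sharing hash: source and destination IP by
    default, optional L4 ports, plus a per-switch unique_id salt (assumed)."""
    key = f"{src}|{dst}|{unique_id}"
    if sport is not None and dport is not None:
        key += f"|{sport}|{dport}"
    return zlib.crc32(key.encode())


def forward(fib, adj, src, dst, sport=None, dport=None, unique_id=0):
    """Return (adjacency index, offset, adjacency) for one packet of a flow.
    The offset is the hash result modulo the prefix's path count, so every
    packet of a flow takes the same path (per-flow, not per-packet, balancing)."""
    _prefix, adj_idx, path_count = longest_match(fib, dst)
    offset = flow_hash(src, dst, sport, dport, unique_id) % path_count
    return adj_idx, offset, adj[adj_idx + offset]


def offsets_used(fib, adj, sources, dst, unique_id=0):
    """Count how many constructed flows land on each adjacency offset."""
    return Counter(forward(fib, adj, src, dst, unique_id=unique_id)[1] for src in sources)


def polarization_demo(fib, adj, dst, downstream_unique_id):
    """Flows that the first switch hashed onto offset 0 reach a second switch with
    an identical FIB. With the same hash input that switch uses a single path
    (polarization); a different unique_id spreads them again. Returns the number
    of paths used downstream (same hash, salted hash)."""
    sources = [f"10.200.{i // 256}.{i % 256}" for i in range(600)]
    first_hop_offset0 = [s for s in sources if forward(fib, adj, s, dst)[1] == 0]
    same_hash = offsets_used(fib, adj, first_hop_offset0, dst, unique_id=0)
    salted = offsets_used(fib, adj, first_hop_offset0, dst, unique_id=downstream_unique_id)
    return len(same_hash), len(salted)


if __name__ == "__main__":
    idx, off, (intf, nh, mac) = forward(FIB, ADJ, "10.200.0.1", "10.1.0.50")
    print(f"Adj Idx {idx} + offset {off}: {intf}, next hop {nh}, rewrite MAC {mac}")
    print("paths used downstream (same hash, salted hash):",
          polarization_demo(FIB, ADJ, "10.1.0.50", downstream_unique_id=7))
```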

28 High Availability – Agenda
General principles
Network redundancy
Routing protocol optimization
Redundancy in the distribution block
Toward routing at the access layer
System redundancy
(Diagram labels: Data Center, WAN, Internet, Layer 2 or Layer 3, equal-cost L3 links)

29 Campus Architecture: Layer 2 or Layer 3? Both?
The Spanning Tree Protocol (STP) and its variants often have a bad reputation:
Suboptimal use of network resources.
No way to use parallel links.
These problems can be solved at Layer 3, used in the core and distribution today.
But L3 cannot be deployed in every environment (data center, clusters, virtualized servers (VMs), etc.).
Access – L2 switches (upgradable to L3); Distribution – L3 switches; Core – L3 switches; equal-cost L3 links.
(Diagram labels: Data Center, WAN, Internet)

STP will block at least one path in a looped environment, so the shortest path between two points may not be available because of this blocking behaviour. Large L2 tables are required for large L2 topologies; this enforces rapid learning requirements on all bridges and also requires flooding on topology changes to remove stale information, which slows convergence and can lead to instability in larger networks. L3 solves most of the L2 issues, but adds complexity and cost to the devices. L3 cannot be deployed in some scenarios, so larger L2 topologies are being deployed with the inherent limitations of the L2 forwarding mechanism.

30 Core Network Resilience
It is a trade-off between:
Resistance to disturbances, i.e. link or route flapping.
And speed of convergence, which depends on:
The routing protocol.
The meshing of the network.
The size of the routing areas.
The L2 transport protocol.
As at the macroscopic level, the solution is to split the network into sub-modules.

31 Routing Optimization: Scalable Routing Protocols
Common routing code and features across the whole product range (branch, WAN and campus).
EIGRP provides sub-second convergence out of the box: EIGRP stub and route control.
OSPF provides sub-second convergence: SPF and LSA throttle tuning, exponential backoff algorithms, Incremental OSPF.
HSRP, VRRP and GLBP.
IP Event Dampening.
EIGRP and OSPF convergence below one second.

Main Theme: Cisco provides the complete set of end-to-end advanced routing and control protocols, providing highly stable yet fast-converging networks.
Key Points:
EIGRP and Cisco's OSPF provide sub-200 msec convergence in the campus network when deployed according to our best practices.
Cisco's OSPF provides both fast convergence and improved stability through our LSA and SPF throttle tuning and exponential backoff capabilities.
Traditional approaches to fast convergence suffered from the risk of instability, unlike this new approach, which provides the best of both worlds.
Enhanced IP features such as BFD and IP Event Dampening also improve convergence, with the event dampening mechanisms protecting against network flapping.

32 Organizing the Core IGP – Example: OSPF
(Diagram labels: ASBR summarization, ABR summarization, Backbone Area #0, Area #1, Area #2, Area #3)
An area's topology is invisible to the other areas.
Little or no effect of one area on another in terms of
Summarization is a stability tool, but it imposes strong constraints.
A secondary area with a single exit plus a backup must be declared STUB.

The structure must exist or be created. Stress the hierarchical nature of the topology. Indicate that it would be to their advantage if the IP addressing scheme were also hierarchical.

33 Routing Optimization: OSPF Incremental SPF*
Additional optimizations of route computation that greatly reduce OSPF and IS-IS convergence times.
On any state change whatsoever within an OSPF area, the Dijkstra algorithm is run by every router in that area: a needless waste of CPU and memory.
The further the change is from the router recomputing its routing table, the less impact it has.
Incremental SPF lets OSPF or IS-IS limit the Dijkstra run to the portion of the tree affected by the change.
Savings in CPU and memory, but also greater scalability and reduced computation time.
Between 10% and 90% improvement over the previous Shortest Path First (SPF) algorithm, depending on network size and failure location.
(Graph: convergence time versus hops/links from the epicenter of the routing event, with the previous SPF algorithm and with the Incremental SPF optimization)
*Patent pending

Incremental SPF is a feature that results in faster shortest path first calculations when a network failure or event occurs. By speeding up the SPF calculations within the individual nodes, the reconvergence time for the network is reduced overall. The efficiency is gained by short-cutting the Dijkstra algorithm so that shortest path calculations are only done on the portion of the tree that has actually changed. The benefit is more pronounced the further a particular node is from the source of the change or failure, as can be seen from the graph.

34 Controlling the Number of SPF Runs: Interface Event Dampening
"If a link flaps, it is better to remove it from the routing table."
A concept borrowed from BGP, but applied to an IP interface.
A penalty threshold to measure flapping.
A hysteresis cycle to control the return to service.
Works with any routing protocol: RIP, OSPF, IS-IS/ES-IS, IGRP/EIGRP, BGP.
(Diagram labels: interface state up/down; actual penalty; maximum penalty; suppress threshold; reuse threshold; interface state perceived by the IP routing process)
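Added example, not part of the deck: a small Python model of the penalty curve and hysteresis on this slide. The knob names and values (half-life 5 s, reuse 1000, suppress 2000, max-suppress 20 s, 1000 penalty per flap) follow the BGP-style dampening the slide says the feature borrows from and are assumptions here, not values taken from the slide.

```python
class InterfaceDampening:
    """Models the slide's 'actual penalty' curve: every down transition adds a fixed
    penalty, the penalty decays exponentially with a half-life, and once it exceeds
    the suppress threshold the interface is reported down to the routing process
    until the penalty decays below the (lower) reuse threshold. Parameter values
    are assumed BGP-style defaults, not taken from the slide."""

    def __init__(self, half_life=5.0, reuse=1000, suppress=2000,
                 max_suppress=20.0, flap_penalty=1000):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.flap_penalty = flap_penalty
        # Ceiling so a flapping link is never suppressed longer than max_suppress
        # once it goes quiet (the slide's "maximum penalty" line).
        self.max_penalty = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False
        self.link_up = True

    def _decay(self, now):
        """Exponential decay: the penalty halves every half_life seconds."""
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = now

    def link_event(self, now, up):
        """Physical up/down transition at time `now` (seconds, non-decreasing)."""
        self._decay(now)
        self.link_up = up
        if not up:  # a down transition counts as a flap
            self.penalty = min(self.penalty + self.flap_penalty, self.max_penalty)
            if self.penalty > self.suppress:
                self.suppressed = True
        return self.state_seen_by_rp(now)

    def state_seen_by_rp(self, now):
        """State the IP routing process sees at time `now`: the physical state
        while not suppressed, 'down' while suppressed. Release uses the reuse
        threshold, not the suppress threshold (hysteresis)."""
        self._decay(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return "down" if self.suppressed or not self.link_up else "up"


def run_flap_scenario():
    """Constructed flap sequence: three down/up cycles half a second apart, then quiet.
    Returns (time, state seen by the routing process) after each event and at
    two later instants, showing the third flap tripping suppression and the
    interface being held down until the penalty decays below the reuse threshold."""
    damp = InterfaceDampening()
    events = [(0.0, False), (0.5, True), (1.0, False), (1.5, True), (2.0, False), (2.5, True)]
    seen = [(t, damp.link_event(t, up)) for t, up in events]
    seen += [(5.0, damp.state_seen_by_rp(5.0)), (10.0, damp.state_seen_by_rp(10.0))]
    return seen


if __name__ == "__main__":
    for t, state in run_flap_scenario():
        print(f"t={t:5.1f}s  routing process sees: {state}")
```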

35 Routing Optimization: OSPF LSA/SPF Exponential Back-Off Throttle Mechanism
timers throttle spf <spf-start> <spf-hold> <spf-max-wait>
timers throttle lsa all <lsa-start> <lsa-hold> <lsa-max-wait>
Sub-second timers without risk.
The spf-start timer (initial hold) controls the wait before the first SPF calculation.
If a new event is received during the hold interval, the SPF calculation is postponed until the hold timer expires, and the hold timer is temporarily doubled.
The hold interval can grow up to the defined maximum, max-wait.
After any hold interval expires, the timer is reset to its initial value.
(Diagram: topology change events over time [ms], with SPF calculations spaced at 100, 200, 400, 800 and 1600 msec)
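Added example (not from the deck): a Python simulation of the throttle behaviour described above, using the slide's three timers as parameters. It follows the slide's description and is a model, not Cisco's implementation; the same logic applies to the `timers throttle lsa all` timers listed alongside. The constructed event storm reproduces the slide's 100, 200, 400, 800, 1600 ms spacing.

```python
def schedule_spf(event_times_ms, spf_start, spf_hold, spf_max_wait):
    """Return the times (ms) at which SPF runs, given topology-change event times.

    Rules, as described on the slide:
      * After a quiet period, the first event waits spf_start before the SPF run.
      * Events received during the hold interval are batched; the next SPF runs
        when the hold timer expires, and the hold interval is then doubled.
      * The hold interval never exceeds spf_max_wait.
      * A hold interval that expires with no new events resets the hold to
        spf_hold, so the next event is again delayed only by spf_start.
    """
    events = sorted(event_times_ms)
    runs = []
    i, n = 0, len(events)
    while i < n:
        # Quiet network: the first event schedules a run after spf_start.
        run_at = events[i] + spf_start
        while i < n and events[i] <= run_at:
            i += 1                      # events before the run are absorbed by it
        runs.append(run_at)
        hold = spf_hold
        while True:
            hold_end = run_at + hold
            j = i
            while j < n and events[j] < hold_end:
                j += 1                  # events arriving during the hold interval
            if j == i:
                break                   # quiet hold interval: back to initial timers
            i = j
            run_at = hold_end           # batched events: run when the hold expires
            runs.append(run_at)
            hold = min(hold * 2, spf_max_wait)
    return runs


def spf_run_gaps(runs):
    """Spacing between consecutive SPF runs, to compare with the slide's figure."""
    return [b - a for a, b in zip(runs, runs[1:])]


if __name__ == "__main__":
    # Constructed event storm: a change every 50 ms for 3 s, then silence, then one event.
    storm = list(range(0, 3001, 50)) + [6000]
    runs = schedule_spf(storm, spf_start=10, spf_hold=100, spf_max_wait=1600)
    print("SPF runs at (ms):", runs)
    print("gaps (ms):", spf_run_gaps(runs))
```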

36 Routing Optimization: Bidirectional Forwarding Detection (BFD)
BFD Async Mode
Problem: detecting link loss can take too long.
BFD is an "independent" protocol whose purpose is to check that the neighbor is still alive, and thereby validate the L2 path between two adjacent systems.
It uses a lightweight, fast hello mechanism.
Fast detection speeds up routing protocol convergence.
The systems periodically send control packets to each other.
If no packet is received from the neighbor for a period called the Negotiated Detect Time (Negotiated Interval × Multiplier), the session is declared down.

37 Multilayer Campus Architecture: Layer 2 Access with Layer 3 Distribution
L2 and L3 links between the distribution switches.
VLANs can be defined across several access switches.
Several protocols come into play depending on the type of failure: Layer 2 loops, gateway redundancy, routing protocol.
Blocked links.
(Diagram labels: Core – L3, routing; Distribution – Root Bridge / HSRP master and backup Root Bridge / HSRP backup, L2 link; Access – bridging, VLAN 30 on each access switch)

38 Spanning Tree and L2 Loops
Spanning Tree must behave as intended: use Rapid PVST+ for the best convergence.
The root bridge must stay where you defined it: Loopguard and Rootguard, UDLD.
No Spanning Tree frames on an access port: BPDU Guard.
Port Security.
Limit broadcast and multicast traffic volume to reasonable values: Storm Control.
(Diagram labels: STP Root, L2, Rootguard, Loopguard, Storm Control, BPDU Guard and Rootguard, PortFast, Port Security)

39 Optimizing L2 Convergence
Complex topologies take longer to converge.
Convergence of 400 msec for a simple loop; convergence of 900 msec for a more complex loop.
Convergence time depends on the protocol implemented: 802.1d, 802.1s or 802.1w (all now part of the IEEE 802.1d 2004 specification).
It also depends on:
The size and shape of the L2 topology (tree depth, leaves).
The number of VLANs carried on the trunk links.
The number of ports in the VLANs of each switch.
Complex topologies will take longer to converge; the topology must be simplified to reduce convergence time.

40 Optimizing L2 Convergence: PVST+, Rapid PVST+ or MST
Rapid PVST+ noticeably improves the restoration time for a VLAN that needs a topology change because of a link coming up (vs. UplinkFast).
Rapid PVST+ also considerably improves convergence time after indirect link losses (vs. BackboneFast).
PVST+ (802.1d): traditional Spanning Tree implementation.
Rapid PVST+ (802.1w): scales to large topologies (~10,000 logical ports); easy to deploy, scalable, widely used.
MST (802.1s): scales to very large topologies (~30,000 logical ports); less flexible than Rapid PVST+.
(Graph: data flow restoration time (sec))

Rapid PVST+ converges MUCH faster than PVST+ for any VLANs that span multiple access layer switches. If you have a loop, use Rapid PVST+.

41 Gateway Redundancy: Sub-second Timers
Sub-second hello timers for a convergence time toward the core of less than 1 second.
HSRP, VRRP, GLBP.
Enhanced Object Tracking.
(Diagram labels: FHRP active, FHRP standby, Access-a, R1, R2)

42 Multilayer Campus Architecture: Layer 2 Access with Layer 3 Distribution
First design: VLANs can be defined across several access switches (VLAN 30 on every access switch); Layer 2 loops; L2 and L3 links between the distribution switches; blocked links.
Second design: a VLAN is limited to a single access switch (VLAN 10, VLAN 20, VLAN 30), but each access switch can carry several VLANs; L3 link between the distribution switches; no L2 loops; no blocked links.

43 Routing at the Access Layer: Evolving Toward L3 Distribution and L3 Access
Move the L2/L3 boundary to the access layer!
Convergence toward the network then depends only on the hardware detection time of the fiber loss toward the distribution layer.
A single protocol: Spanning Tree and FHRP redundancy are eliminated.
Extremely beneficial in a suitable environment.
(Diagram labels: Layer 3 / Layer 2 boundary; EIGRP/OSPF; GLBP model; VLAN 20 Data, VLAN 120 Voice, VLAN 40 Data, VLAN 140 Voice)

44 High Availability – Agenda
General principles
Network redundancy
Routing protocol optimization
Redundancy in the distribution block
Toward routing at the access layer
System redundancy
(Diagram labels: Data Center, WAN, Internet, Layer 2 or Layer 3, equal-cost L3 links)

45 System Resilience: Hardware and Software Improvements
Challenge: eliminate single points of failure in the hardware but also in the software.
Hardware redundancy: separation of the control plane and the forwarding plane.
Fault isolation: modular OS.
Control plane hardening: Control Plane Protection.
Maintenance, prevention and repair: In-Service Upgrades.
(Diagram labels: micro-kernel, line card, ACTIVE, STANDBY, control plane, management plane, data plane)

Main Theme: The second major category of high availability features, system resiliency, provides for improved availability and manageability of each individual switch in the network.
Key Points:
Catalyst switches are designed from the ground up to protect the switch from control plane overload: separation of the control and forwarding planes, and multiple levels of HW and SW control plane protection, including the latest addition, control plane policing.
Catalyst switches are designed from the ground up to provide online maintenance and repair capabilities: OIR capability for power supplies, fan trays, line cards and supervisor modules.
In Service Software Upgrade and Modular IOS provide improved SW availability and the ability to upgrade SW in place without taking a switch out of service.
Operational support challenges are also a key element of HA, and the ability to maintain systems without taking them out of service is critical (even more so with today's longer installation life cycles).

46 System Resilience: Complete Physical Redundancy
Highly redundant systems form the foundation of a resilient, stable network.
Modular switches:
Redundant, hot-swappable supervisor cards.
Redundant, hot-swappable power supplies.
N+1 redundant, hot-swappable fans.
Hot-swappable line cards.
Passive backplane.
Redundant system clock.
Stacks:
1:N master redundancy.
Hot-swappable stack members.
Removable power supply and fan module.
(Diagram labels: Master, stack member)

Main Theme: Hardware redundancy forms the foundation for system resiliency and availability.
Key Points: Maximum system MTBF due to fully redundant components; reliable power; load-sharing redundancy; active/standby redundancy (processor, power, fans, line cards); ECC memory; card MTBF (100,000 hrs.); separate control and forwarding planes; spares and maintenance; robust hot swap (OIR).

47 System Resilience: Supervisor Card Redundancy (SSO: Stateful Switchover)
The standby supervisor card is in a "hot-standby" mode, in which it is fully synchronized with the active supervisor card.
Synchronization of L2 state and information (e.g. STP, 802.1x, 802.1q).
Synchronization of the L2/L3 hardware forwarding tables: FIB, NetFlow, QoS and ACL TCAM.
(Diagram labels: Active Supervisor – SP, RP, PFC; Standby Supervisor; Line Card – DFC; switching CPU; stack: 1 – Master, 2 – Slave, 3 – Slave)

Main Theme: In addition to all of the physical HW redundancy provided by the Catalyst switches, they also provide real-time synchronization between redundant supervisor modules/engines via SSO, StackWise and StackWise Plus.
Key Points:
Stateful Switchover (SSO) enables full switch recovery in as little as 50 msec in the event of a supervisor HW or SW failure.
SSO synchronizes the active and standby supervisor TCAM and CAM tables, providing full hot redundancy for all of the FIB, ACL and QoS information necessary to forward traffic.
SSO does not require a warm restart of the standby supervisor, as it is running in hot mode and is fully capable of immediately forwarding traffic in the event of a supervisor switchover.
Since ports do not bounce during an SSO supervisor recovery, no phones lose power or link-level connectivity, preventing the lengthy reboot that is common in other supervisor redundancy models.
3750 StackWise distributes the HW (TCAM) resources across all switches in the stack and maintains synchronized full FIB, ACL and QoS information in all members of the stack.
In the event of a master failure in the stack, all remaining switches are able to continue to forward traffic while a new master is elected and takes over managing the remaining members of the stack.
A differentiation worth noting: although the 3750 StackWise feature is an excellent differentiator against our competition, who do not have this capability to heal their stacks, the failed switch in the stack will still lose the ability to forward traffic on the ports of that switch. With SSO on a modular switch, the line card forwarding remains operational, and in many cases so do the ports on the failed supervisor as long as it is in the chassis and has power.

48 System Resilience: Graceful Restart (NSF) Capabilities
Challenge: restore routing without packet loss.
Improvements around the Non-Stop Forwarding (NSF) functions for the EIGRP, OSPF, IS-IS and BGP protocols.
An NSF-capable router is able to keep switching packets during a supervisor card switchover, using the SSO mechanisms described earlier.
NSF-aware and NSF-capable routers thus provide transparent routing restoration mechanisms.
The Graceful Restart extensions make it possible to recover a neighbor without tearing down the adjacency.
The routing protocol database is re-synchronized in the background.
(Diagram labels: NSF-Aware, NSF-Capable)

Main Theme: Cisco is continuing to enhance our routing protocols through innovations such as NonStop Forwarding (NSF), which provides zero-packet-loss recovery of routing neighbor relationships in the event of an SSO supervisor failover and recovery or a Modular IOS process restart.
Key Points: Cisco NSF with SSO relies on hardware redundancy, in particular route processor redundancy. The idea is to capitalize on the distributed platform design and the separation of the control plane from the forwarding plane to allow traffic flow to continue even if a hardware or software failure disrupts the control plane function. Stateful Switchover is the component of the solution that synchronizes and saves state information between the active and standby RPs so that Layer 2 connectivity protocols are maintained. It involves Cisco IOS infrastructure services called the checkpoint facility (CF) and the redundancy framework (RF); CF and RF are key underlying technologies developed within Cisco IOS for this purpose. NSF is then achieved by using the forwarding information base present in the line cards while the control plane is re-established on the redundant RP. The routing protocols re-form peer adjacencies and exchange routing information after the switchover. The routing information is verified against the current FIB and updated if necessary; while this happens, data flow continues.

49 System Resilience: In Service Software Upgrade (ISSU)
Full image upgrade: new features and patches.
Selective maintenance: component patch, component upgrade, feature addition.

