
Data Networks: Existing Designs

Chapter Description

In this sample chapter from Hyperconverged Infrastructure Data Centers: Demystifying HCI, you will review the information technology equipment of a data center, multitier data networking architecture, and challenges of existing three-tier designs.

This chapter covers the following key topics:

  • Information Technology Equipment of a Data Center: A highlight of networking equipment that constitutes the data center. This includes network equipment such as switches and routers, network services equipment including traffic optimization with load balancers, wide area network (WAN) optimizers, and security equipment such as firewalls.

  • Multitier Data Networking Architecture: Describes the three-tier data networking architecture from access to aggregation and core. It discusses the placement of networking services and the logical server grouping for multitier applications.

  • Challenges of Existing Designs: Discusses challenges with the three-tier architecture, such as oversubscription between the tiers, stretching virtual local area networks (VLANs) over large L2 networks, latency of traffic crossing tiers, flooding of broadcast traffic, complexity in dealing with IPv4 address scarcity, loop prevention, and firewall overload.

The existing networking designs in today’s data centers, with all their flaws, served their purpose by providing robust infrastructures. Some of the largest data centers were built on networking architectures that are now called legacy. However, the shift in traffic patterns, the introduction of server virtualization, and the introduction of multitier applications challenge the existing designs. This chapter discusses the existing network equipment and services and how they are deployed. It also goes into detail about the challenges the current designs face in scaling to meet the needs of application-aware data centers.

Information Technology Equipment of a Data Center

There are different types of data centers depending on their particular usage. Enterprise data centers normally house customer-facing applications such as web servers as well as the applications and services needed for the day-to-day operation of the enterprise. Such applications include email servers, enterprise resource planning (ERP), customer relationship management (CRM), and relational databases. Other larger data centers operated by cloud service providers (CSPs) house many software applications that are sold as a service to enterprises and consumers that connect to the data center over the Internet or private lines. Although data centers differ in size and functionality, the basic blocks for compute, storage, networking, and software applications remain the same. Although data centers contain many elements, such as facility management, physical security, power, cooling, and so on, this book covers only the information technology (IT) equipment of the data center in the context of data center convergence and hyperconvergence, which is defined later. The basic IT equipment of a data center falls under the categories of network equipment and networking services.

Network Equipment

Network equipment encompasses the basic switching and routing equipment of two layers:

  • Layer 2 (L2): Switches that work at the Media Access Control (MAC) and VLAN levels

  • Layer 3 (L3): Switches and routers that work at the Internet Protocol (IP) level

This chapter does not go into the details of switching and routing, but Chapter 15, “Software-Defined Networking and Open Source,” discusses underlay and overlay networks that essentially combine L2 and L3 networking to allow the mobility of applications between different servers and virtual machines.

It is worth noting that the word networking normally describes both data networking and storage networking. The difference between data networking and storage networking becomes clearer in the next sections.

In the context of data networking, switches and routers have different types of interfaces—ranging from Fast Ethernet to 1 Gigabit Ethernet (GE), 10 GE, 25 GE, 40 GE, 50 GE, and 100 GE—that connect the local area network (LAN). In the context of storage networking, switches also have 2 Gbps, 4 Gbps, and 8 Gbps fibre channel (FC) interfaces that connect the storage area network (SAN).

Networking Services

Networking services in the data center are standalone appliances, software running on hardware modules inside network equipment, or software running inside servers. Because data centers are moving toward a hyperconverged space, most of these services will eventually move from standalone appliances and become more integrated into the hyperconverged equipment. Networking services are grouped as either traffic redirection and optimization or security.

Traffic Redirection and Optimization

Traffic redirection involves redirecting traffic to a certain target based on certain criteria, such as port numbers inside the Transmission Control Protocol (TCP) / Internet Protocol (IP) packets, or on the actual content of the traffic. There are many products in this space that offer different functionality, such as load balancing, WAN optimization, content switching and caching, TCP optimization, Secure Sockets Layer (SSL) offload, data compression, and so on. A sample of such products includes load balancers and WAN optimizers.

Load Balancers

Server load balancing (SLB) distributes traffic across multiple servers to get better server utilization and higher availability for applications. Applications are normally spread over multiple servers in the same data center or across multiple data centers for higher fault tolerance. The client trying to reach an application points to a single target, such as a URL or an IP address, which is directed to the load balancer (LB). Once the traffic reaches the LB, it distributes the traffic to different servers according to configured rules or criteria. LBs work at layer 4 (L4) to balance traffic based on information in transport and session layer protocols, such as IP, TCP, File Transfer Protocol (FTP), and User Datagram Protocol (UDP), or they work at layer 7 (L7) based on information in application layer protocols, such as Hypertext Transfer Protocol (HTTP) headers and cookies. LBs balance traffic based on various algorithms, such as round robin, response time, and sending traffic to healthy servers only.

WAN Optimizers

WAN optimizers efficiently carry traffic over WAN links. Because most data centers are connected through the WAN to service providers or to other data centers in the case of large enterprises or CSPs, it becomes crucial to make the most of the WAN link bandwidth. The WAN optimizers make sure that traffic is prioritized and bandwidth is adequately allocated. They also perform data compression, traffic shaping, and data deduplication.

Security

Securing the data and transactions between clients and a data center is extremely important, whether the access to the data center is done from the Internet toward an enterprise or from within the enterprise itself. The security terminology and functionality in the industry are overwhelming. Security is done via standalone appliances or software that covers these different areas:

  • Packet firewalls

  • Proxy firewalls

  • Stateful inspection firewalls

  • Next-generation firewalls that work at the application level

  • VPN with encryption and decryption

  • Network address translation (NAT)

  • Intrusion detection systems (IDSs)

  • Intrusion prevention systems (IPSs)

  • Access key and token management

  • Protection against denial of service (DoS) attacks

The term unified threat management (UTM) combines some of the functionality just mentioned into one product. For the purposes of this book, let’s refer to the security functions as firewall (FW), which can encompass one or many of the functionalities. Now let’s examine a sample description of the main FW functionality.

Firewall

FWs constitute the first entry point from the Internet into the data center, and they allow only authorized users to enter the data center while blocking unauthorized users. They are applied within the enterprise campus to secure traffic between the different departments of the same enterprise. They are also applied at the server level to allow appropriate access between clients, applications, and databases.

There are different types of firewalls. The most basic ones are packet-based firewalls that allow or deny traffic based on source and destination IP address, TCP port numbers, and direction of traffic. These are comparable with the access control lists (ACLs) on routers that deny or allow inbound or outbound traffic from an IP address and port. Because attacks can be crafted around permitted IP addresses and port numbers, more advanced firewalls perform stateful inspection and track the progress of the full TCP session, not just the port number. Also, next-generation firewalls (NGFWs) work at the application level and track traffic based on the application itself. For example, an FW can track a Structured Query Language (SQL) session toward a database and allow or deny access based on the IP address and on the application type being SQL. Other applications of such firewalls are filtering traffic based on HTTP headers and the content itself.
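As an added illustration of the contrast drawn above (example code written for this page, not from the book), the following Python models a packet-based ACL beside a stateful session tracker; the addresses, ports and policy are constructed sample values, and the packet sequence shows where a port-only rule lets unsolicited or server-initiated traffic through that session tracking would stop.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    sport: int    # source TCP port
    dport: int    # destination TCP port
    syn: bool     # TCP SYN flag (connection attempt)
    ack: bool     # TCP ACK flag
WEB = "10.0.1.10"   # constructed sample address of the web tier

# Packet-based firewall (router-ACL style): ordered rules on addresses and
# ports, first match wins. With no session memory, the policy needs a broad
# second rule just so the web tier's replies can leave.
ACL = [
    ("any", WEB, 443, "permit"),   # (src, dst, dport, action): clients -> HTTPS
    (WEB, "any", None, "permit"),  # web tier -> anywhere (needed for replies)
    ("any", "any", None, "deny"),  # explicit catch-all deny
]
def stateless_decision(pkt: Packet) -> str:
    for src, dst, dport, action in ACL:
        if (src in ("any", pkt.src) and dst in ("any", pkt.dst)
                and dport in (None, pkt.dport)):
            return action
    return "deny"

class StatefulFirewall:
    """Stateful inspection: a session is created only by a SYN the policy
    permits; later packets pass only if they belong to a tracked session,
    in either direction. No broad outbound rule is needed."""
    def __init__(self):
        self.sessions = set()  # (client_ip, client_port, server_ip, server_port)
    def allowed_syn(self, pkt: Packet) -> bool:
        return pkt.dst == WEB and pkt.dport == 443  # only inbound HTTPS to web tier
    def decision(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "permit"                  # part of an established session
        if pkt.syn and not pkt.ack and self.allowed_syn(pkt):
            self.sessions.add(fwd)           # new connection permitted by policy
            return "permit"
        return "deny"                        # unsolicited ACK, or SYN outside policy

def compare(packets):
    """Return (stateless, stateful) verdicts for each packet in sequence."""
    fw = StatefulFirewall()
    return [(stateless_decision(p), fw.decision(p)) for p in packets]
```

Feeding it a client SYN, the server's SYN/ACK reply, a stray inbound ACK to port 443 from an unknown host, and a SYN the web server itself sends out to port 22 shows the ACL permitting all four while the session tracker denies the last two.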

As you move toward a hyperconverged data center where servers, storage, and network equipment are collapsed into one product, the layer where you apply networking services becomes important because it makes or breaks the network. Things can get complicated with virtualized environments where applications move around between different servers and security policies have to follow. As you’ll see later, networking services are moving toward being applied at the application level.
