UNM RESEARCH NETWORKSSteve Perry

CCNP, CCDP, CCNP-V, CCNP-S, CCNP-SP, CCAI, CMNA, CNSS 4013

Director of Networks

Overview• Why Research Specific Networks?

• Production Network/ScienceDMZ Design Basics

• ScienceDMZ Components

• UNM CCIIE Grant/Researchers Requirements

• UNM Design

Possibilities??

Design Considerations

1. Type of R&E traffic – TCP –based, microburst traffic that can quickly consume entire available bandwidth

a. Subject to TCP Global Synchronization

2. TCP traffic needs deep buffer on ports when congestion occurs.

3. No commercially available security devices can sit in-path with line-rate process speed

4. 100 Gbps backbone across continental US

5. The general rule of thumb is that you need 50ms of line-rate output queue buffer for a 10G port, so there should be around 60MB of buffer.

Research Network: Science DMZ• A network optimized for business is not designed or

capable of supporting data intensive science.

Universities will always need to support security features that protect organizational financial and personnel data.

Solution: create separate data intensive science network, external to university enterprise network

Design formalized by ESnet, based on traditional network DMZ paradigm

Basic Science DMZ• Science DMZ: (1) dedicated access to high-performance

WAN, (2) high-performance switching infrastructure (large buffer memory), (3) dedicated data transfer nodes

ScienceDMZ Components

• DTNs (Data Transfer Nodes—Originator/Responder)• High capacity servers capable of wire speed 10Gbps Transfer• Globus GridFTP Application tuned for large data transfers

• Large Buffer capable switches to smooth TCP drops• Must have 60MB per port buffer space• Must be SDN capable

• PerfSONAR measurement nodes at each location

• Bro IDS (IDS versus IPS, to minimize deep packet inspection)

• Open Daylight SDN Controller

• Supporting Staff

Managing by Measuring--PerfSONAR

• Off campus / On campus• Service tuning - Dedicated PerfSonar • Beyond UNM

• https://pas.net.internet2.edu/maddash-webui/• http://ps-dashboard.es.net/

How To Secure it?

• Use Bro to monitor it out of line• IDS, not an IPS• Requires full understanding of Bro libraries and expertise in

application stacks

• Router ACL or SDN policy on key switches for traffic engineering

• IPTables at the boxes

CC*IIE Grant

• NSF Grant awarded to UNM

• Collaborative amongst researchers/IT

• Initial funding to build out the basic network

• Smaller regional schools up for grants this year

• Hope to apply for additional grants as available

UNM Design

Summary• Why Research Specific Networks?

• Production Network/ScienceDMZ Design Basics

• ScienceDMZ Components

• UNM CCIIE Grant/Researchers Requirements

• UNM Design

Questions???