Data Center Designing: Network Connectivity Standards

If your organization is looking for a solution to host its entire application environment in an external vendor’s data center, it must consider many factors when defining the standards for that data center. This post describes some of the Network Connectivity standards used for the development, implementation and management of a data center managed by a vendor.

This post assumes that you understand the concepts and terminology associated with data communications networks, protocols, and equipment used in this Schedule.

Network Transport Options – Connection

The Transaction Link between Organization and the Data Center provides end users with access to the DC Environment managed by the vendor.

The following Standards are designed to facilitate the security, reliability, and scalability of the Network Connectivity, via the Transaction Link, to the Environment at the Data Center.

IP Addressing for the Data Center

To avoid IP address conflicts, Vendor will only route network traffic to globally unique public IP addresses registered through one of the regional Internet registry organizations. Vendor will not route traffic to private IP addresses, including addresses in the following IP address ranges:

  • Class A: 10.0.0.0/8
  • Class B: 172.16.0.0/12
  • Class C: 192.168.0.0/16


Network Address Translation and Port Address Translation

If Organization uses private addresses, Network Address Translation (NAT) and Port Address Translation (PAT) can be used to map Organization’s private addresses to public addresses. Organization is responsible for providing the public IP addresses and for performing the NAT/PAT.

NAT and PAT Policies

One-to-one static NAT must be used for all network devices to which Vendor will initiate a connection, including, without limitation, Organization’s printers or print servers. PAT is allowed for any network device that initiates the connection with Vendor, such as user workstations connecting to the Vendor Programs.

Ports

During network initialization, Vendor will provide a list of ports that must be open on Organization’s network to establish Network Connectivity to the Environment at the Data Center. The list of required ports is specific to the type of Network Connectivity selected by Organization and will include source and destination addresses. Access through these ports is required before Vendor can begin installing or troubleshooting Network Connectivity.

 

VPN Requirements

The following table lists the ports that must be enabled for Vendor to manage the Vendor VPN.

| Application Name | Port | Protocol |
|---|---|---|
| Ping | ICMP | IP |
| Traceroute | ICMP | IP |
| SSH & SFTP (if applicable) | 22 | TCP |
| HTTPS | 443 | TCP |
| ISAKMP | 500 | UDP |
| IPSEC | 50 | IP |
| NTP | 123 | UDP |

 

Additional ports may be required. During network initialization, the Network Connectivity Form will define detailed source and destination port requirements.

 

Network Design Considerations

Organization should consider certain factors described in this Section when selecting a Network Connectivity design for the Transaction Link between Organization and the Data Center.


Bandwidth

Bandwidth refers to the amount of traffic to be carried through a network and must be considered by Organization when designing Network Connectivity. The amount of bandwidth required depends on the particular applications being used, the number of users concurrently accessing the Environment, and the nature of the transactions being processed. Network bandwidth must be monitored and adjusted as application usage grows and changes.

Bandwidth Considerations

Vendor recommends the bandwidth sizes listed in the following table as a starting point for network sizing.

 

| Sample Application | Bandwidth For Each User Concurrently Accessing the Environment |
|---|---|
| Self-service applications | 4-6 kbps |
| Forms applications | 10-12 kbps |
| Internal Portal | 2-6 kbps |
| Files access | 10-12 kbps |
| Siebel application | 10-12 kbps |
| PeopleSoft application | 10-12 kbps |

 

Organization must design its network to reduce overall network latency wherever possible. The network design should remove as much distance as possible between the End User’s locations and the application server. This can be accomplished by using a network design that does not add unnecessary distance or hops between endpoints and by ensuring that the network provider has capacity available on the most efficient network cable system between the two endpoints.

Properly configured and sized network routers usually induce very little delay. However, the delay through routers can become a major source of overall network latency when the network connections are congested or routers are improperly configured. Organization should ensure that all network devices and links are properly sized and configured and are running optimally.

Error Rate

Organization must consider the error rate when designing Network Connectivity. All network links are subject to transmission errors such as dropped packets. A high error rate can lead to increased latency and poor network performance. Each segment in a network can experience independent errors that add to the total error rate for the entire link. To ensure that a network operates at peak performance, Organization should ensure that the end-to-end error rate does not exceed 0.01%.

Connection Types

Organization must use a Vendor-standard VPN for Network Connectivity. Vendor supplies, configures, and manages an IPSec-compliant VPN device that is installed on Organization’s network. This VPN is used to establish secure Network Connectivity to Vendor over the Transaction Link.

There are various standard configurations available for the Vendor-provided VPN device that may accommodate Organization’s network and security policies.

ISP Circuit Types

The Vendor-standard VPN connection uses Organization’s ISP circuit. Organization should choose the type of circuit that best meets its use of the Computer and Administration Services.

Dedicated Internet Circuit

A dedicated circuit is an Internet circuit of Organization’s that is used only for application connection activities. A dedicated circuit can help prevent problems related to overuse by isolating traffic to Vendor from Organization’s other Internet traffic. A dedicated circuit can help Organization achieve stable and predictable Network Connectivity. This option is the recommended minimum for a Transaction Link.

Shared Circuit

An Internet circuit that is used both for Network Connectivity to Vendor and Organization’s other Internet activities is called a shared circuit. If Organization selects this circuit type, Organization must ensure that the existing circuit has enough unused capacity to support Vendor traffic.

A shared circuit should only be considered for a Transaction Link if the circuit performance is highly stable and actively monitored for performance and capacity.

 

VPN Configuration


Vendor provides, configures, and manages a VPN device for a Vendor-standard VPN connection over the Transaction Link. Vendor configures the VPN device based on Organization’s network topology and Vendor policies. This section describes the various VPN configurations and Vendor requirements.

The Vendor-provided VPN device has two interfaces (one external and one internal). Vendor generally uses both interfaces (dual-arm mode), but can use a configuration with only one interface (single-arm mode) as described below.

External Interface

The following guidelines apply to external interfaces:

  • The external interface must be connected to a switch between Organization’s border router and firewall.
  • The external interface may be connected to a firewall DMZ interface.
  • The external interface must not be directly connected to the Internet. The external untrusted interface should be connected to the Internet behind Organization’s border router to enable Organization to apply Access Control Lists (ACLs) to secure Organization’s Environment from unsolicited traffic.
  • The external interface must have a globally unique public IP address. Private addressing is not permitted on this interface.

Internal Interface

The following guidelines apply to internal interfaces:

  • The internal interface must be connected to a firewall DMZ interface.
  • The internal interface must not be connected to the same subnet as the external interface.
  • The internal interface must not be connected to Organization’s Internet.
  • The internal interface must have a public IP address.
  • The internal interface must not have a private IP address, unless Organization configures its firewall to use the internal interface as a transit link.
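
The addressing, NAT/PAT and interface rules above can be checked mechanically before a connectivity plan is submitted. The following is an added example, not part of the original post or any Vendor tooling; the function names, the tuple layout and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration, as is treating an already public device as needing no translation.

```python
import ipaddress

# The three private ranges the page lists as not routable by Vendor.
# (ipaddress.is_private is deliberately not used: it also flags other
# reserved blocks, including the documentation ranges in the samples.)
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_RANGES)

def check_vpn_interfaces(external, internal, internal_is_transit=False):
    """Check 'address/prefix' strings for the two VPN device interfaces."""
    ext = ipaddress.ip_interface(external)
    inn = ipaddress.ip_interface(internal)
    problems = []
    if is_private(ext.ip):
        problems.append("external: private address not permitted")
    if is_private(inn.ip) and not internal_is_transit:
        problems.append("internal: private address without transit link")
    if ext.network.overlaps(inn.network):
        problems.append("internal and external share a subnet")
    return problems

def check_translation(devices):
    """devices: (name, address, vendor_initiates, translation) tuples,
    translation being 'static', 'pat' or None (hypothetical layout)."""
    problems = []
    for name, address, vendor_initiates, translation in devices:
        if not is_private(address):
            continue  # assumption: public addresses need no NAT/PAT
        if translation is None:
            problems.append(f"{name}: private address is not translated")
        elif vendor_initiates and translation != "static":
            problems.append(f"{name}: Vendor-initiated, needs one-to-one static NAT")
    return problems

# Constructed sample plan (RFC 5737 documentation addresses).
if __name__ == "__main__":
    print(check_vpn_interfaces("198.51.100.10/28", "203.0.113.10/28"))
    print(check_translation([("print-server", "10.20.0.5", True, "pat"),
                             ("workstations", "10.20.1.0", False, "pat")]))
```
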

 

Dual-Arm Configuration

Vendor recommends a dual-arm configuration if Organization has or requires a DMZ port on its firewall. A standard dual-arm configuration is shown in the following diagram.

Description

A dual arm configuration uses both of the VPN device interfaces. The external (or untrusted) interface handles the encrypted traffic between Vendor and Organization over the Transaction Link. The internal (or trusted) interface is connected to a secure portion of Organization’s network and receives and transmits the unencrypted traffic.

The Vendor VPN is logically located between Organization’s firewall and Internet border router. A second connection is placed within a DMZ on Organization’s firewall.

Routing Path

When using a routing path for a dual arm configuration, layer 3 connectivity to Organization’s Environment is established by directing routes towards Organization’s firewall. This can be accomplished by either using default routing or by using routing protocols for packet redirection to the firewall. A static route that redirects traffic to the Vendor VPN is placed on Organization’s firewall.

 


Advantages

The advantages of using a routing path for a dual-arm configuration are:

  • Minimal routing changes are required.
  • All traffic is auditable by Organization using the firewall.
  • The firewall can be used for access control.

Disadvantages

The disadvantages of using a routing path for a dual-arm configuration are:

  • A DMZ on Organization’s firewall is required.

 

Single-Arm Configuration

A single-arm configuration may be used if Organization does not have a DMZ interface on its firewall or an available globally unique public IP address on a separate subnet. A standard single-arm configuration is shown in the following diagram.

Description

A single-arm configuration uses only the external interface for the VPN tunnel. The Vendor VPN is logically located between Organization’s firewall and Internet border router and both the encrypted and unencrypted traffic over the Transaction Link are handled by the single interface.

Routing Path

When using a routing path for a single-arm configuration, layer 3 connectivity to Organization’s Environment is established by directing routes towards Organization’s firewall. This can be accomplished by either utilizing default routing or by using routing protocols for packet redirection to the firewall. A static route that will redirect traffic to the Vendor VPN is placed on Organization’s firewall.

Advantages

The advantages of using a routing path for a single-arm configuration are:

  • Minimal routing changes are required.
  • One IP address is required for the VPN. (Note: Additional IP addresses are required to set up printing since printers require a one-to-one static NAT.)
  • One switch port is required.
  • All traffic is auditable by Organization using the firewall.
  • The firewall can be utilized for access control.

Disadvantages

The disadvantages of using a routing path for a single-arm configuration are:

  • Data flow between the firewall and the VPN is not encrypted. This weakness can be mitigated by confirming that no hosts are capable of reading traffic, the VPN equipment is in a secured location, and proper access control lists (ACLs) are created on Organization’s border router.
  • The full throughput of the VPN cannot be used.

 

Vendor High Availability VPN

If required, Organization may request a high availability (HA) VPN configuration involving two VPNs. Additional fees apply. Vendor’s recommended high availability configuration provides Organization with two Vendor-configured VPN devices running in dual-arm mode. A standard high availability installation is shown in the following diagram.

Description

A high availability dual-arm VPN configuration uses both of the VPN device interfaces. The external (or untrusted) interface handles the encrypted traffic between Vendor and Organization over the Transaction Link. The internal (or trusted) interface is connected to a secure portion of Organization’s network and receives and transmits the unencrypted traffic.

The Vendor VPN is logically located between Organization’s firewall and Internet border router. A second connection is placed within a DMZ on Organization’s firewall.

Routing Path

When using a routing path for the high availability VPN configuration, layer 3 connectivity to Organization’s Environment is established by directing Vendor routes towards Organization’s firewall. This can be accomplished by either using default routing or by using routing protocols for packet redirection to the firewall. A static route that redirects traffic to the Vendor VPN is placed on Organization’s firewall.

Advantages

The advantages of using a routing path for a high availability dual arm VPN configuration are:

    • Minimal routing changes are required.
    • All traffic is auditable by Organization using the firewall.
    • The firewall can be utilized for access control.

Disadvantages

The disadvantages of using a routing path for a high availability dual arm VPN configuration are:

  • A DMZ on the Organization’s firewall is required.

 

Required Ports and Protocols

Vendor requires access to the VPN device to establish and maintain Network Connectivity through the VPN tunnel. The following table lists the ports that are required to be open between Vendor and the VPN device. During VPN installation, Vendor will provide a more detailed list that contains source and destination addresses.

The following IP ports and protocols are required for establishing an IPSec tunnel, managing the Vendor-provided network equipment, and monitoring the network link to the Organization-side VPN device.

| Application Name | Port # | Protocol | Comments |
|---|---|---|---|
| SSH | 22 | TCP | Network Management for Netscreen VPN |
| HTTPS | 443 | TCP | Network Management for Netscreen VPN |
| ICMP | Ping | IP | Monitoring and Diagnostics |
| ICMP | Traceroute | IP | Monitoring and Diagnostics |
| ISAKMP | 500 | UDP | VPN Tunnel |
| IPSEC | 50 | IP | VPN Tunnel |
| NTP | 123 | UDP | Network Time Protocol for VPN device |
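
The table mixes TCP/UDP port numbers with an IP protocol number: the IPSEC entry is IP protocol 50 (ESP), not port 50. The following added example, which is not from the original post, audits a border-router ACL against the table and flags that mistake along with rules broader than a source/destination list would allow. The ACL syntax, function names and addresses are hypothetical, and it treats Vendor as the source of every flow, which is a simplification of the directions the Vendor-provided list would define.

```python
# Required flows from the page's table as (name, IP protocol number, port).
# 1 = ICMP, 6 = TCP, 17 = UDP, 50 = ESP; "IPSEC 50 IP" is a protocol number.
REQUIRED = [("SSH", 6, 22), ("HTTPS", 6, 443), ("ICMP", 1, None),
            ("ISAKMP", 17, 500), ("IPSEC", 50, None), ("NTP", 17, 123)]
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50}

def parse_rule(line):
    """Parse 'permit <proto> <src> <dst> [port]' (hypothetical syntax)."""
    fields = line.split()
    if len(fields) not in (4, 5) or fields[0] != "permit":
        raise ValueError(f"unsupported rule: {line!r}")
    proto = PROTO.get(fields[1])
    if proto is None:
        proto = int(fields[1])          # numeric protocol, e.g. "50"
    port = int(fields[4]) if len(fields) == 5 else None
    return proto, fields[2], fields[3], port

def audit_acl(lines, vendor, vpn_device):
    """Return (missing required flows, findings on wrong or broad rules)."""
    rules = [parse_rule(l) for l in lines]
    def permits(rule, proto, port):
        r_proto, src, dst, r_port = rule
        return (r_proto == proto and src in (vendor, "any")
                and dst in (vpn_device, "any") and r_port in (None, port))
    missing = [name for name, proto, port in REQUIRED
               if not any(permits(r, proto, port) for r in rules)]
    findings = []
    for line, (proto, src, dst, port) in zip(lines, rules):
        if proto in (6, 17) and port == 50:
            findings.append(f"{line!r}: opens port 50, not IP protocol 50 (ESP)")
        if "any" in (src, dst):
            findings.append(f"{line!r}: 'any' is broader than the Vendor list")
        if proto in (6, 17) and port is None:
            findings.append(f"{line!r}: no port restriction")
    return missing, findings

# Constructed sample ACL using RFC 5737 documentation addresses.
SAMPLE_ACL = [
    "permit tcp 192.0.2.10 198.51.100.10 22",
    "permit tcp any 198.51.100.10 443",
    "permit icmp 192.0.2.10 198.51.100.10",
    "permit udp 192.0.2.10 198.51.100.10 500",
    "permit udp 192.0.2.10 198.51.100.10 50",
    "permit udp 192.0.2.10 198.51.100.10 123",
]
```

Calling `audit_acl(SAMPLE_ACL, "192.0.2.10", "198.51.100.10")` reports IPSEC as missing, because the sample opens UDP port 50 instead of permitting ESP, and flags the HTTPS rule for its `any` source.
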

 

 

Ramdev

I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and sometime later I realized that my learnings might be helpful for other unixadmins if I managed my knowledge base in a more user-friendly format. The result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/

3 Responses

  1. Socrates says:

    Amazing information. This kind of info is really handy!

  2. Shahul says:

    Nice post… Ram, it would be good if you could post some stuff on network troubleshooting…

    • Ramdev says:

      Please browse through Solaris admin and networking from the top toolbar for more information on network troubleshooting.
