This chapter describes network implementation concepts and details. It first describes how the multi-tier services map to networks and VLANs. Then it describes some of the more important IP services to consider when crafting architectures for multi-tier data centers:
Server Load Balancing— how to achieve increased availability and performance by redundancy of stateless applications
Layer 7 Switching— how to decouple internal applications from external references
Network Address Translation— how to decouple internal IP addresses from external references
Cookie Persistence— how to achieve stateful transactions over a stateless protocol
Secure Sockets Layer (SSL)— how to achieve secure transactions over a public network
IPMP— how to achieve network interface redundancy on servers that is transparent to applications
VRRP— how to achieve router redundancy.
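The first and fourth items in the list above, server load balancing and cookie persistence, interact: a stateless round-robin dispatcher gains session affinity by handing the client a cookie and honoring it on later requests, and has to fall back to rebalancing when the sticky server is down. The following is an added example, not code from the original book; it simulates a Layer 7 dispatcher in Python. The server names, the cookie name SRVID, the request shape (a dict with a 'cookies' entry) and the HMAC secret are all assumptions.

```python
import hmac
import hashlib
from itertools import cycle

COOKIE = "SRVID"  # assumed persistence cookie name


class Dispatcher:
    """Round-robin server load balancing plus cookie persistence.

    The cookie carries an HMAC-derived opaque token instead of the backend
    name, so a client cannot learn the pool layout or steer itself to a
    chosen server by editing the cookie.
    """

    def __init__(self, servers, secret):
        self.servers = list(servers)
        self.alive = set(self.servers)
        self._rr = cycle(self.servers)
        self._secret = secret
        self._by_token = {self._token(s): s for s in self.servers}

    def _token(self, name):
        return hmac.new(self._secret, name.encode(), hashlib.sha256).hexdigest()[:16]

    def mark_down(self, name):
        self.alive.discard(name)

    def mark_up(self, name):
        self.alive.add(name)

    def _next_alive(self):
        # Walk the ring at most once, skipping backends marked down.
        for _ in range(len(self.servers)):
            s = next(self._rr)
            if s in self.alive:
                return s
        raise RuntimeError("no backend available")

    def route(self, request):
        """Return (backend, Set-Cookie value or None) for one request.

        request is a dict whose 'cookies' entry maps cookie names to values
        (constructed input shape, assumed for this example).
        """
        token = request.get("cookies", {}).get(COOKIE)
        sticky = self._by_token.get(token)
        if sticky in self.alive:
            return sticky, None  # persistence hit: keep the session where it is
        chosen = self._next_alive()  # new client, bogus cookie, or sticky server down
        header = f"{COOKIE}={self._token(chosen)}; Path=/; Secure; HttpOnly"
        return chosen, header


if __name__ == "__main__":
    d = Dispatcher(["web1", "web2", "web3"], secret=b"example-secret")
    backend, set_cookie = d.route({"cookies": {}})
    print(backend, set_cookie)
    backend, set_cookie = d.route({"cookies": {COOKIE: set_cookie.split(";")[0].split("=", 1)[1]}})
    print(backend, set_cookie)  # same backend, no new cookie
```

Note that persistence only works when the dispatcher can read the cookie, which for HTTPS means the SSL session terminates on or in front of the load balancer; this is one reason the chapter treats SSL and cookie persistence together.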
The chapter then describes the logical network architecture and various physical realizations. Most importantly, it describes actual tested network reference implementations. It first describes the original secure multi-tier architecture and its limitations. Then it describes a second architecture based on many small multi-layer and simple Layer 2 switches, and its limitations. Finally, it describes in detail a collapsed network architecture based on large chassis-based switches. It is important to note that these designs are vendor independent and could have been realized with equipment from Cisco, Nortel, and other similar vendors, or combinations thereof.
Network equipment providers usually implement standard Layer 2 and Layer 3 functions in ASICs, and there are few differences in their basic implementations. However, additional features such as load balancing can differentiate vendors significantly in how their products actually affect the network architecture. We explore two vendors and describe reference implementations that were configured and tested. We then describe where it makes sense to use each design. We also discuss how to create virtual firewalls between tiers to increase the level of security without sacrificing wire-speed performance. In particular, we describe the tested configuration of the Netscreen firewall and show how one box can be configured to create virtual firewalls, segregating and filtering inter-tier network traffic.