Chapter 2 Installing Network Devices

Author: Sarah Peters
Version 1.5

Chapter 2 Installing Network Devices Prescriptive Architecture Guide

Abstract

The network architecture forms the basis for any e-commerce platform. This document describes the implementation process for installing networking devices for the Partner-led Microsoft® Systems Architecture (MSA) Internet Data Center (IDC).

Copyright © 2002 EMC Corporation. All rights reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

Trademark Information

EMC2, EMC, and Symmetrix are registered trademarks and EMC Enterprise Storage, The Enterprise Storage Company, The EMC Effect, Connectrix, CLARiiON, EMC ControlCenter, ESN Manager, and EMC Navisphere are trademarks of EMC Corporation. Microsoft, Windows, Windows NT, Active Directory, ActiveX, JScript, NetMeeting, SQL Server, and Visual Basic are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

CONTENTS

INTRODUCTION  1
  Design Considerations  1
  System Prerequisites  2
    Internet Connectivity  2
    IP Addresses  2
    Domain Name System  3
    VLAN Numbering  4
  Hardware Components  4
  Configuration Sequence  5
EDGE ROUTERS: JUNIPER M5  6
  Baseline  6
  Configuring the Router  6
    To build a router configuration file:  7
  Installing the Edge Router  9
    Installing the Edge Router in the IDC Architecture  9
  Router Configuration  9
    Basic Configuration  9
    Interface Configuration  10
    Default Route Configuration  10
    Router Naming  10
  Failover Internet Connectivity on the Routers  11
    Border Gateway Protocol  11
    Virtual Router Redundancy Protocol  12
    Configuring Routers for VRRP  14
  Securing the Edge Router  15
    Using System Logs  15
    Securing the Management interface on the Juniper Router  15
NORTEL NETWORKS PASSPORT 8600  16
  Baseline Passport 8600 Configuration  17
  Installing the Passport 8600 Switch  18
  Configuring Passport 8600  18
    Building the Configuration File  18
    Logging on to Passport 8600  19
    Uploading the Switch Configuration from the CLI  19
  Switch Configuration Notes  21
    Basic Switch Configuration  21
    Configuring Ports on the 10/100 Ethernet Blades  22
    Creating VLAN Segments  24
    Removing a VLAN  24
    Creating a Banner  25
    VLAN Redundancy on Passport 8600  25
    Inter-VLAN Communication  26
    Changing the Boot Configuration File  27
    Booting the Switch into the Changed Boot Configuration  28
    Securing Inter-VLAN Communication  28
  Routing Configuration Notes  28
    Configuring a VLAN for Layer 3 Capability  28
    Configure a VLAN for VRRP Capability  28
    General Routing Configuration  28
    Configuring Layer 3 Redundancy within the Switch  29
CONFIGURING THE ALTEON WEB SWITCH MODULE  30
ORDERING THE INTERNET DATA CENTER CONFIGURATION  33
  Edge Router – Juniper  33
  Nortel Passport 8600  34
SUMMARY  35
  More Information  35
APPENDIXES  36
  Appendix 2.1 – Network Diagram  36
  Appendix 2.2 – Router Configuration  36
  Appendix 2.3 – Deployment Switch Configurations  36
  Appendix 2.4 – Production Switch Configurations  36
  Appendix 2.5 – WSM Configuration  36

INTRODUCTION

This document builds upon the fundamentals of the Internet Data Center presented in Chapter 2, “Network Infrastructure Design,” in the Reference Architecture Guide of this documentation series. It describes the actual implementation of the network infrastructure and contains appendices that provide device configurations. Business continuity is an extremely important concept, and the design of a network must take into account contingency for single points of failure (SPOFs). Each section describes the process of installing redundant equipment and the feature sets required to provide reasonable failover. This document assumes that the reader has a basic understanding of networking terminology and is experienced with Nortel Networks and Juniper Networks network equipment, such as routers and switches. It is best to review this document while having access to the Internet, as there are several references to Web-based information resources.

Design Considerations

The Internet Data Center was created with the following network design considerations in mind:

• Reliability. Conducting e-commerce by exploiting the Internet introduces elements beyond your control that can affect the availability of an e-commerce site. Using redundant components to incorporate high-availability protocols, and redundant and diversely routed paths to an Internet Service Provider (ISP) or diverse ISPs, removes single points of failure within your control.

• Security. Connecting to the Internet to facilitate sales also introduces the potential risk for your resources to become defaced or damaged by unwanted elements. Damage might also occur from the internal portion of your network. The Internet Data Center is designed to mitigate these risks by segmenting the network and controlling traffic flow between segments.

• Scalability. The infrastructure must be able to grow as your company and its infrastructure grows.

• Resource usage. If you spend money on a resource, you want it to actively work for you. Where possible, network components within the Internet Data Center are configured to play an active role in managing network traffic.

• Expense. The Internet Data Center was designed to maximize availability while minimizing cost.

• Complexity. The infrastructure implements simple solutions whenever possible.

Prescriptive Architecture Guide, Chapter 2, Installing Network Devices

1



• Performance. The Internet Data Center balances performance goals against each other with the aim of simultaneously providing the most convenient access, the fastest recovery time, and the least amount of downtime.

For more information regarding design considerations and other details that will provide insight into the Internet Data Center network, refer to the chapter, “Network Infrastructure Design” in the Reference Architecture Guide of this documentation series.

System Prerequisites

Before implementing this infrastructure, it is important to establish Internet connectivity and obtain routable Internet Protocol (IP) addresses, implement a Domain Name System (DNS), and acquire the necessary hardware components.

Internet Connectivity

Internet connectivity is provided through an Internet service provider (ISP). Important things to consider when selecting an ISP are:

• Site Access. This is the access from your site to the ISP. An ISP is a valuable resource that helps you determine your initial access needs and accommodates your future requirements.

• Internet Access. This is the access from the ISP to the Internet. ISPs typically purchase large amounts of access (bandwidth) to the Internet through a Network Access Point (NAP). This large amount of access is divided into smaller amounts of access such as site access. The type of access and the amount that will be available to you is an important factor.

• Service Level Agreement. This is an agreement between you and the ISP, the purpose of which is to define the performance expectations of your access to the Internet through the ISP, and the actions that must be taken if those expectations are exceeded or not met.

• Technical support. You need to determine the level of technical support that will be made available to you. The ISP typically agrees to provide 24x7 support, either included in their service or at an additional cost.

• Price. Although important, price should not be the sole reason for choosing an ISP.

IP Addresses

It is essential to determine the IP addresses that each component will use, before you build the infrastructure. The IP addressing scheme for implementing an e-commerce solution involves both public and private IP addresses.

2

Microsoft Systems Architecture Internet Data Center

Public addresses are used by customers to reach your site. These addresses are considered “external” with respect to the architecture. At the very least, the architecture requires a contiguous block of 32 public IP addresses (also known as a “/27”). Public IP addresses are typically arranged through your ISP. Private IP addresses are used within the architecture by the components that do not require direct access from the Internet, and by design are not able to route across the Internet. Within the IDC architecture, subnets are employed and created from the private supernet 192.168.0.0 /16, for example 192.168.11.0 /24 and 192.168.12.0 /24. Private IP addresses have been designated by the Internet Assigned Numbers Authority (IANA) to be used freely for internal use only. The following is a list of the addresses designated by IANA as private and that can be used anywhere within the internal portion of any infrastructure:

• 10.0.0.0 – 10.255.255.255

• 172.16.0.0 – 172.31.255.255

• 192.168.0.0 – 192.168.255.255

To enable internal devices to communicate across the Internet, a private IP address must be translated into a public address using Network Address Translation (NAT).

Domain Name System

For potential customers to reach your site by name (such as http://example.nortelnetworks.com) rather than use your IP address, you need to acquire a name for your domain (public IP address space). You can acquire a domain name on your own through a domain name registration provider, such as Network Solutions, or by working with your ISP. To acquire a domain name for your site, you must also determine if you need to host your domain name or have your ISP do this for you. One advantage of hosting your domain name is that you can directly administer any required changes. The biggest disadvantage of hosting your own domain name is the added complexity and expertise required to perform such a task. The additional expertise and equipment required to host your own domain name are beyond the scope of this document.


VLAN Numbering

VLAN numbering in this chapter differs from what is detailed in the IDC Reference Architecture Guide (RAG). Please reference the following matrix for a VLAN comparison between the RAG and what is used in the Partner Solution. Note: VLAN numbering may differ based on your existing configuration.

VLAN Function                          | RAG Numbering | Partner Solution Numbering
---------------------------------------|---------------|---------------------------
Web/DNS Internal VLAN                  | 11            | 18
SQL Cluster & Management VLAN          | 12            | 12
Infrastructure Server VLAN             | 13            | 13
Remote Management VLAN                 | 14            | 17
Router & Perimeter firewall VLAN       | 16            | 200
Perimeter firewall & External DNS VLAN | 21            | 16
Web Cluster 1 VLAN                     | 22            | 16
Web Cluster 2 VLAN                     | 23            | N/A

Hardware Components

As shown in Figure 2.1, the Internet Data Center network infrastructure has been built with the following components:

• Nortel Networks Passport 8600 switches

• Nortel Networks Alteon Switched Firewalls

• Nortel Networks Contivity 4600

• Juniper Networks M5 Routers

These devices are discussed in detail in subsequent sections of this document. It is assumed that the Nortel Networks equipment, along with physical plant requirements, such as equipment racks, power, and cabling, are acquired prior to implementation.


Configuration Sequence

The subsequent sections of this document describe how to configure the Nortel infrastructure components. The components are presented in this document in a top-down sequence, as shown in Figure 2.1.

[Figure 2.1 diagram not reproduced. Labels recoverable from the drawing: ISP1, ISP2, Juniper M5 (two units), Perimeter Firewalls, VLAN 16, DMZ, Infrastructure, Web Server Farm, DNS, VLAN 13, Domain Controllers, Application Servers, Switches, VLAN 18, VLAN 17, Internal Firewalls, Management Console Server, DRAC Network, Tools, VLAN 12, Data and Management, Backup Server, Management Servers, Database Servers, VPN Firewalls.]

Figure 2.1 Hardware Components Logically Connected

For information on deploying the Alteon Switched Firewalls, see Chapter 8, “Deploying the Firewalls,” of this guide.


EDGE ROUTERS: JUNIPER M5

The Juniper M5 edge router provides network routing between an ISP and the Internet Data Center. The edge router routes all data between the center and an ISP and provides the first line of security between the Internet Data Center and the Internet. This section describes the process of installing and securing the Juniper M5 edge router.

Baseline

The baseline configuration of the Juniper M5 routers used in the Internet Data Center includes the hardware and software shown in Table 2.1.

Table 2.1. Juniper M5 Baseline Configuration

Model            | Description                                                                 | Part Number | Software Version
-----------------|-----------------------------------------------------------------------------|-------------|-----------------
Juniper M5       | 4 slot multiservice access router, with optional 4-port fast Ethernet module. | 750-002992  | JUNOS 5.1

You will learn more about the baseline hardware and software configuration in the “Ordering the Internet Data Center Configuration” section of this chapter. Note: Table 2.1 displays the sample configuration used in the Internet Data Center lab environment. Your requirements may be different.

Configuring the Router

To configure the Juniper M5 router, you need to complete the following steps:

• Build a configuration file

• Log on to the router

• Upload the configuration

The following sections look at these steps in detail.


Building a Router Configuration File

The first stage is to build a suitable router configuration file. To build a router configuration file:

1. Open a text editor such as Notepad. You use a text editor to create the configuration file. Copy the sample router configuration provided in Appendix 2.3 and paste it into the text editor window.
   Note: Appendix 2.3 contains both primary and secondary router configurations.
2. Update the sample router configuration to reflect the particular properties of your network, such as subnet mask, IP addresses, and firewall filters. Make a copy of this file and store it in a safe place for disaster recovery. Remember that you must configure the router interfaces with the IP addresses of your own network. You must make these changes to the router configuration using a text editor before you move to the next step. See subsequent sections of this document for instructions on how to configure passwords and interfaces.

For complete instructions, see the technical documentation available from the Juniper Web site at: http://www.juniper.net/techpubs

Logging on to the Router

Use the provided serial cable to initially configure the router. Set up a terminal session (9600, N, 1) to the console port of the router. To log on to the router:

1. Log on as root with no password.
2. Type in the keyword CLI at the prompt.

    Amnesiac (ttyd0)
    Login: root
    Password:
    Last login: Wed Aug 15 16:54:42 on ttyd0
    --- JUNOS 4.3R1.4 built 2001-01-19 07:26:27 UTC
    %
    % cli
    root>
    root>

Figure 2.2 Sample Configuration Output

Note: Due to the security implication of attaching a modem to the edge router, the Internet Data Center architecture does not include this method of administrative access.


Uploading the Router Configuration

After you have logged on to the router, you can upload a previously created configuration for the Juniper M5 edge router. To load the router configuration from the previously created configuration file:

1. To enter configuration mode, type configure and then press ENTER.
2. Open the configuration file in Notepad and copy the configuration information to the Clipboard.
3. Revert to the router configuration window, and clear any active configuration by typing delete and then pressing ENTER.
4. Type commit.
5. While still in configuration mode, type load override terminal. Press ENTER and wait for the prompt. Now paste the edge router configuration (modified at step 2 of “Building a Router Configuration File,” above) from Notepad into this window. After the router configuration is pasted into the window, press CTRL+D. This exits the input mode.
6. To verify the configuration, type show and press ENTER.
7. To commit and save this configuration, type commit and press ENTER.
8. To save the file with the filename production.cfg, type save production.cfg.

    Amnesiac (ttyd0)
    login: root
    Password:
    Last login: Wed Aug 15 16:54:42 on ttyd0
    --- JUNOS 4.3R1.4 built 2001-01-19 07:26:27 UTC
    % cli
    root> configure
    Entering configuration mode
    [edit]
    root# load override terminal
    [Type ^D to end input]
    < copy and paste edited router configuration here >
    ^D
    load complete
    [edit]
    admin@Juniper-B# commit
    commit complete
    [edit]
    root@hostname# save production.cfg
    root@hostname#

Figure 2.3 Sample Configuration Output


9. Create the root password and additional logon accounts. (The user-name placeholder below stands for the account you are creating; super-user is the predefined JUNOS login class.)

    root@hostname# set system root-authentication plain-text-password
    New password:
    Retype new password:
    root@hostname# set system login user user-name class super-user authentication plain-text-password

Figure 2.4 Sample Configuration Output

10. Commit the changes.

    root@hostname# commit

Figure 2.5 Sample Configuration Output

For more information about this procedure, refer to the JUNOS Configuration Guide, which is available from Juniper at: http://www.juniper.net/techpubs

Installing the Edge Router

Before configuring the edge routers, ensure they are installed and connected as described in the Juniper M5 Hardware Installation Guide. This guide is packaged with the routers, in book form or on a compact disc. Both these documents are also available online at the Juniper Web site (http://www.juniper.net/techpubs).

Installing the Edge Router in the IDC Architecture

1. Connect the ISP cable:
   a. If the ISP provides a SONET/ATM/DS3 connection, verify and configure the appropriate protocol and connect it to the interface on the router.
   b. If the ISP provides an Ethernet connection, connect the ISP Ethernet cable to the first Ethernet interface on the router, named fe-0/0/0.
2. Connect a cable from the next Ethernet port on the edge router to the Nortel Passport 8600.

Router Configuration

The following sections describe the different areas of router configuration. This information helps you understand the reasons and methods for making certain selections in router configuration in the Internet Data Center.

Basic Configuration

The following section addresses the basic configuration of routers as implemented in the Internet Data Center.


Interface Configuration

Configure the router interfaces using interfaces hierarchy commands. For the Internet Data Center architecture, only fast Ethernet ports were used. The syntax to construct an interface configuration within the interfaces hierarchy is as follows:

    user@host> configure
    user@host# set interfaces fe-0/0/0 unit 0 family inet address ip-address/mask-bits
    user@host# show
    user@host# commit

As a result of these commands, the interfaces hierarchy appears in the configuration as:

    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address ip-address/mask-bits;
                }
            }
        }
    }

For more information on configuring interfaces, refer to the Web site: http://www.juniper.net/techpubs

Default Route Configuration

Use the commands associated with the routing-options hierarchy to enter a default route to the gateway router.

    user@host# set routing-options static route 0.0.0.0/0 next-hop ip-address-of-gateway
    user@host# commit

As a result of this command, the routing-options hierarchy appears in the configuration as:

    routing-options {
        static {
            route 0.0.0.0/0 next-hop ip-address-of-gateway;
        }
    }

Router Naming

Name the router by using the following system hierarchy commands:

    user@host# set system host-name your-hostname
    user@host# commit

As a result of this command, the system hierarchy appears in the configuration as:

    system {
        host-name your-hostname;
    }


Failover Internet Connectivity on the Routers

To achieve reliable connectivity to and from the external edge of the Internet Data Center environment, you use redundant routers and links and employ a dynamic routing protocol. Virtual Router Redundancy Protocol (VRRP) can also be used to provide redundant exit points for the servers in the Internet Data Center network.

Border Gateway Protocol

Depending on the routing architecture of the Internet Data Center, you can use Border Gateway Protocol (BGP) to provide redundant links to multiple service providers. The configuration of BGP is case-dependent. For a successful BGP implementation, you need to consider dependencies specific to each Internet connection. These issues are best handled when coordinating Internet connectivity with an ISP. In fact, the ISPs may be better positioned to run BGP on your behalf. Many companies use multiple ISP providers to prevent critical reliance on a single provider and its inherent network problems. Other companies use multiple diversely routed connections to a single provider’s network. Redundant Juniper M5 edge routers provide continuity, optimized routing, and reliability by using standard dynamic routing protocols, such as BGP. As defined in RFC 1771, BGP provides loop-free inter-domain routing between autonomous systems. An autonomous system (AS) is a set of routers that operates under the same administration, and requires a registered AS number. BGP is often run among the networks of ISPs. An AS must be set up for a company by the ISP. For more information on obtaining an AS number, refer to the Web site http://www.arin.net/templates/asntemplate.txt

Configuring a Router for BGP

1. To enable BGP routing, configure the routing-options hierarchy by entering the following commands:

    user@hostname# edit routing-options
    [edit routing-options]
    user@hostname# set autonomous-system your-AS-number

2. Define BGP neighbors. BGP supports internal and external neighbors. Internal neighbors are in the same AS, whereas external neighbors are in different ASs. Typically, external neighbors are adjacent to each other and share a subnet, while internal neighbors are anywhere within the same AS. Configure the protocols hierarchy using the following syntax:

    user@hostname# edit protocols bgp group group-name
    [edit protocols bgp group group-name]
    user@hostname# set type IBGP-or-EBGP
    user@hostname# set peer-as peer-or-ISP-AS-number-if-using-EBGP
    user@hostname# set neighbor ip-address-of-neighbor
    user@hostname# set local-address ip-address-to-peer-from
    user@hostname# set local-as local-AS-if-using-EBGP

For more information on BGP configuration on the Juniper M5 router, refer to the Juniper Web site (http://www.juniper.net/techpubs).

Virtual Router Redundancy Protocol

The Virtual Router Redundancy Protocol (VRRP) provides automatic router redundancy over Ethernet Local Area Networks (LANs). VRRP allows a backup router to automatically assume the function of the primary router if the primary router fails. VRRP uses a priority scheme to determine which VRRP-configured router is the primary active router. To configure a router as the primary active router, you assign the router a priority higher than the priority of all other VRRP-configured routers. The default priority is 100. Therefore, you need to configure just one router with a priority greater than 100 to assign that router as the primary active router. VRRP works by exchanging multicast messages that advertise priority among VRRP-configured routers. VRRP-configured routers exchange three types of multicast messages:

• Hello. The hello message conveys the router's VRRP priority and state information to other VRRP routers. By default, a VRRP router sends hello messages every three seconds.

• Coup. When a standby router assumes the function of the active router, it sends a coup message.

• Resign. An active router sends the resign message when it is about to shut down or when a router that has a higher priority sends a hello message.

When the active router fails to send a hello message within a configurable period of time, the standby router with the highest priority becomes the active router. The transition of packet-forwarding functions between routers is completely transparent to all hosts on the network. At any time, VRRP-configured routers are in one of the following states:

• Active: The router is performing packet-transfer functions.

• Standby: The router is prepared to assume packet-transfer functions if the active router fails.

• Speaking and listening: The router is sending and receiving hello messages.

• Listening: The router is receiving hello messages.

For more information about VRRP, refer to the following Web sites:

http://www.juniper.net/techpubs
http://www.ietf.org/rfc2338.txt

In the IDC architecture, one Juniper M5 is in active state and the other is in standby state.

[Figure 2.6 diagram not reproduced. Labels recoverable from the drawing: ISP (two), Juniper M5 A, Juniper M5 B, fe-0/0/0, fe-0/0/1, fe-0/0/2, VRRP Area, VLAN 200.]

Figure 2.6 Routers using VRRP in the Internet Data Center

In addition to providing redundant router-gateway functionality, the Internet Data Center VRRP implementation also monitors the state of the uplink ports. For example, the uplink port fe-0/0/0 can lower the priority of the VRRP interface in the event of an uplink port failure. This technique, also known as interface tracking, adjusts the priority of a VRRP interface depending on the state of the tracked interface. Both routers have VRRP configured to track their respective fe-0/0/0 interfaces. When an fe-0/0/0 interface changes state, the VRRP priority of the fe-0/0/1 interface is lowered by a certain value from the default value of 10. This newly calculated lower priority is then shared with other VRRP peers and compared with existing priority states. If the VRRP priority value of a peer router is greater than the lowered value, the peer router takes over as the master of the VRRP virtual IP address. For example, M5-A has a VRRP priority value of 105 and M5-B (peer) has a VRRP priority value of 100. In this case, M5-A is the master. If the fe-0/0/0 interface on M5-A fails, the VRRP priority of this router changes to 95. M5-B, which has a priority value of 100, becomes the master router.
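The election described above, worked through in code as an added example (not part of the guide and not Juniper's implementation): effective priority is the configured priority minus the priority-cost of each tracked interface that is down, the highest effective priority is master, and an exact tie goes to the higher primary address as RFC 3768 specifies. The election is computed statelessly from current priorities, so it assumes preemption; 192.168.9.6 is the address from the guide's sample stanza, and 192.168.9.7 for M5-B and the floor of 1 are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# Assumption: priority 0 is reserved by VRRP for "master is releasing",
# so a tracked failure never pushes the effective priority below 1.
PRIORITY_FLOOR = 1


@dataclass
class VrrpRouter:
    name: str
    primary_ip: IPv4Address
    priority: int = 100                                     # VRRP default priority
    tracked: Dict[str, int] = field(default_factory=dict)   # interface -> priority-cost
    link_up: Dict[str, bool] = field(default_factory=dict)  # interface -> operational state

    def effective_priority(self) -> int:
        """Configured priority minus the priority-cost of every tracked interface that is down."""
        penalty = sum(cost for iface, cost in self.tracked.items()
                      if not self.link_up.get(iface, True))
        return max(PRIORITY_FLOOR, self.priority - penalty)


def elect_master(routers: List[VrrpRouter]) -> VrrpRouter:
    """Highest effective priority wins; an exact tie goes to the higher primary address."""
    return max(routers, key=lambda r: (r.effective_priority(), int(r.primary_ip)))


def build_idc_pair() -> Tuple[VrrpRouter, VrrpRouter]:
    """The pair from the text: M5-A at 105, M5-B at 100, both tracking fe-0/0/0 with cost 10.
    192.168.9.7 for M5-B is a constructed value."""
    a = VrrpRouter("M5-A", IPv4Address("192.168.9.6"), 105, {"fe-0/0/0": 10})
    b = VrrpRouter("M5-B", IPv4Address("192.168.9.7"), 100, {"fe-0/0/0": 10})
    return a, b


def uplink_failure_trace(a: VrrpRouter, b: VrrpRouter, iface: str = "fe-0/0/0") -> Tuple[str, str, str]:
    """Master before, during, and after a failure and restoration of `iface` on router `a`."""
    before = elect_master([a, b]).name
    a.link_up[iface] = False          # uplink goes down: a's priority drops by the tracked cost
    during = elect_master([a, b]).name
    a.link_up[iface] = True           # uplink restored: a returns to its configured priority
    after = elect_master([a, b]).name
    return before, during, after


if __name__ == "__main__":
    m5a, m5b = build_idc_pair()
    print(uplink_failure_trace(m5a, m5b))  # ('M5-A', 'M5-B', 'M5-A')
```

The floor matters in practice: with the guide's own stanza (priority 100, priority-cost 120) a single tracked failure takes the router straight to the minimum rather than to a value the peer can compare meaningfully against.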


Configuring Routers for VRRP

To configure routers for VRRP, perform the following steps:

1. Enable VRRP by using the interfaces hierarchy commands as in the following example:

    fe-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.9.6/24 {
                    vrrp-group 10 {
                        authentication-type md5;
                        authentication-key InternetDataCenter#ENCRYPTED#;
                        advertise-interval 1;
                        hold-time 3000;
                        virtual-address 192.168.9.5;
                        priority 100;
                        track {
                            interface fe-0/0/0 priority-cost 120;
                        }
                    }
                }
            }
        }
    }

2. Configure preshared key authentication using the MD5 algorithm and create an encoded checksum of the packet. The checksum is placed in the TCP header and the preshared key of the receiving router is used to decode the checksum.

    authentication-type md5

   Note: This is an optional step.

3. Create the preshared key that will be used by all neighbors participating in secured VRRP.

    authentication-key INSERT-YOUR-KEY

4. Set the Hot Standby priority used in selecting the active router. For this, use the priority statement with the following syntax:

    priority priority-value

5. Configure the interface to track other interfaces, so that if a tracked interface goes down, the Hot Standby priority of that device is lowered. For this, use the track statement with the following syntax:

    track {
        interface interface-name priority-cost cost;
    }

More details on VRRP configuration can be found at the Juniper Web site (http://www.juniper.net/techpubs).


Securing the Edge Router

Proper configuration of the edge router includes protecting the router and the Internet Data Center network against malicious users by using security commands. You secure the edge router by creating access control lists and system logs. Sample configuration commands have been provided in 3.2, and are discussed here.

Using System Logs

You configure system logging within the system hierarchy. You can employ several variables depending on the logging requirements of your organization. Some of these variables are filename, file size, event classification, and remote logging. For more information on developing a logging strategy for your organization, refer to the Juniper Web site (http://www.juniper.net/techpubs).

Securing the Management interface on the Juniper Router

Administrators should configure the Juniper router to accept SSH or Telnet sessions only from a known management IP network. This prevents malicious users from gaining access to the Junos CLI.


NORTEL NETWORKS PASSPORT 8600

The Nortel Networks Passport 8000 series of switches comprises three product groups:

• Passport 8100 (Layer-2 functionality)

• Passport 8600 (Layer-2 and Layer-3 functionality)

• Passport 8600 w/WSM (Layer-2 through Layer-7 functionality)

Each group of products contains similarly configured equipment. However, the only common link between the two groups is the chassis. Modules for one group cannot coexist with those of the other group.

Figure 2.7 Nortel Networks Passport 8600

As shown in Figure 2.7, the Nortel Networks Passport 8600 is a routing switch that provides IP Layer 2-3 switching for the various server groups within the Internet Data Center. Systems connected to the Passport 8600 are grouped by VLAN segments. VLAN segments are logically isolated from each other. Inter-VLAN communication passes through a virtual router (Layer-3). This is known as Multi-Layer Switching (MLS), and provides for Layer-3 (IP routing) connectivity. The Passport 8600 switch configures the Layer-2 switch functionality and Layer-3 IP router functionality within the same console.


Baseline Passport 8600 Configuration

The baseline configuration of the Passport 8600 used in the Internet Data Center includes the following hardware and software. For network redundancy, you need two physical devices.

Table 2.4. Passport 8600 Baseline Hardware and Software Configuration

Model   | Qty | Description                   | Hardware Version | Software Version
--------|-----|-------------------------------|------------------|-----------------
8010    | 2   | Passport 8600 10 slot Chassis | N/A              | N/A
8690SF  | 4   | Switch Fabric                 | N/A              | 3.2.1.0
8608SX  | 4   | 8 Port SX Gigabit Ethernet    | N/A              | N/A
8648TX  | 6   | 48 Port 10/100TX Ethernet     | N/A              | N/A
WSM     | 2   | Alteon Web Switch Module      | N/A              | 9.0.25

For more information, refer to the “Ordering the IDC Configuration” section of this document. Table 2.5 shows the actual placement of modules within the 10-slot chassis:

Table 2.5. Module Placements

Slot  Module / Card  Slot  Module / Card
1     WSM            10    (empty)
2     8608SX         9     (empty)
3     8648TX         8     8608SX
4     8648TX         7     8648TX
5     8690SF         6     8690SF


Installing the Passport 8600 Switch

Before configuring Passport 8600, ensure that the switch, modules, and power supplies are installed and connected as described in the Installing the Passport 8010 Chassis and Installing Passport 8600 Modules guides. These guides are packaged with the chassis, as either a book or a CD-ROM. The latest versions of this documentation can be found on the Nortel Networks Web site: http://www.nortelnetworks.com.

Configuring Passport 8600

To configure the Layer-2 switching and Layer-3 routing functionality of Passport 8600, you need to build a configuration file using the configuration tools supplied with the unit. This configuration file is then copied to the switch and activated.

Building the Configuration File

For simplicity, you can use the sample Passport 8600 configuration provided in Appendix 2.4 as a template for this configuration. However, you will need an engineer to replace all site-specific information, such as IP addresses, VLAN information, passwords, and so on. Remember that you must maintain backup copies of the configuration at all times for configuration management. If configuration files contain password information, you need to be careful about file access and file storage to avoid potential security breaches. Therefore, a configuration management system is highly recommended. To build the configuration files needed during deployment:

1. Open a text editor such as Notepad. You use a text editor to create the configuration file. Copy the sample switch configuration provided in Appendix 2.4 and paste it in the text editor window.

Note Appendix 2.4 contains both primary and secondary switch configurations for deployment.

2. Edit the file to reflect the particular properties of the target network, such as IP addresses, subnet masks, and passwords. Save the file and make a backup of this file using a version control style naming convention such as config-v1-1-0.cfg. Store this file in a safe place.


Logging on to Passport 8600

Initial configuration of the Passport 8600 is performed at the console port using a terminal emulator such as HyperTerminal, a special serial cable supplied with the unit, and the privileged username and password. This console port connection provides a Command Line Interface (CLI) to Passport 8600. For information on how to set up the terminal session to communicate with the Passport 8600 and the necessary CLI commands, refer to the Nortel Networks Passport 8600 documentation.

Uploading the Switch Configuration from the CLI

For configuring Passport 8600 using TFTP from the CLI, you need to perform the following steps:

1. Ensure that only the primary processor is active and the secondary processor is pulled out.

2. Connect your management system to the switch processor using a serial cable to the Console port and a network cable (RJ-45) for the Management port.

3. Change the IP address on the management system to an IP address to be used for switch management (for example, IP: 10.0.0.10 and Subnet Mask: 255.255.255.0).

4. Log on to the switch. The default user name and password are both set to rwa.

5. Reset the switch using the reset -y command from the serial connection.

6. When you are asked to stop autoboot, press Enter to halt the process. This places you in the boot monitor.

Note Before transferring files, you need a computer running a TFTP server. You can download several free TFTP servers on the Internet. Next you will need to connect to the Passport’s Switch Fabric module using an Ethernet cable. Your Ethernet cable needs to be plugged into the management port on the module.

7. Using the monitor, type net mgmt info to view the current net management configuration of the boot monitors.

8. To configure the net mgmt port for TFTP and other management needs, assign an IP address to the port.

   a. To set the port interface address on the switch, use the net mgmt ip command from the boot monitor.

      Monitor: net mgmt ip
      For example: net mgmt ip 10.0.0.1/24

   b. To set the TFTP server IP address for the switch, add the IP address that you set in step 3 into the monitor using the net mgmt tftp command.

      Monitor: net mgmt tftp
      For example: net mgmt tftp 10.0.0.10

9. After applying the management changes, save the changes using the save command.

   Monitor: save

10. Make sure that the TFTP server is running on the management system and points to the folder containing the configuration files created in the “Building the Configuration File” section.

11. Copy the configuration file from your TFTP server to the switch processor’s “Flash” as config.cfg using the copy command.

   Monitor: copy : file /flash/config.cfg

12. To load your current image file and new configuration file, type boot.

   Monitor: boot

13. Log on to the switch. The default user name and password are both set to rwa.

14. Type show config to verify that the changes have been made.

15. Type show ip vrrp info for information about the VLAN gateway.

16. To replicate the changes to the secondary processor, insert the secondary processor.

17. Next, use the following command:

   save config standby /flash/config.cfg

18. Type reset -y and press Enter.

19. Log on to the switch. The default user name and password are both set to rwa.

20. You will see the @ sign in front of the prompt. This indicates that you are logged on to the secondary processor. For example, @MSA_TOP#.

21. Connect your management system to the secondary switch processor using a serial cable to the Console port and a network cable (RJ-45) for the Management port.

22. Log on to the switch. The default user name and password are both set to rwa.

23. Type show config to verify that the changes have been made.

24. Type show ip vrrp info for information about the VLAN gateway.

Repeat this procedure for each Passport 8600 used in the Internet Data Center while ensuring that you apply device-specific configurations. You can now connect Passport 8600 to other equipment and test it.

Switch Configuration Notes

The following sections contain information about specific areas of the switch configuration. This information helps you understand the methods and reasons for selecting a specific switch configuration.

Basic Switch Configuration

You can use the following logical sequence of commands to configure the switch. These same commands are used in the sample configuration in Appendix 2.4. Global system settings include system name, time and date, system prompt, and passwords. To configure the global settings, use the following commands and syntax:

1. Set the system name by using the config sys set command.

   MSA_BOT:5# config sys set
   MSA_BOT:5/config/sys/set# name system-name

2. Set the current date and time by using the config setdate command.

   MSA_BOT:5# config
   MSA_BOT:5/config# setdate MMddyyyyhhmmss

3. Set the console password by using the following command:

   MSA_BOT:5# config cli password
   MSA_BOT:5/config/cli/password# access login password
   MSA_BOT:5/config/cli/password# info

   ACCESS  LOGIN  PASSWORD
   rwa     rwa    rwa
   rw      rw     rw
   l3      l3     l3
   l2      l2     l2
   l1      l1     l1
   ro      ro     ro

   MSA_BOT:5# config sys set
   MSA_BOT:5/config/sys/set# name MSA_TOP
   MSA_TOP:5/config/sys/set#
   MSA_BOT:5/config# setdate 11012001203200
   Local time: THU NOV 01 20:32:00 2001 UTC
   Utc time: THU NOV 01 20:32:00 2001 UTC
   MSA_BOT:5# config cli password
   MSA_BOT:5/config/cli/password# rwa Nortel Networks
   MSA_BOT:5/config/cli/password# info

   ACCESS  LOGIN   PASSWORD
   rwa     Nortel  Networks
   rw      rw      rw
   l3      l3      l3
   l2      l2      l2
   l1      l1      l1
   ro      ro      ro

Figure 2.9 Sample Output when Configuring the Global Settings

Configuring Ports on the 10/100 Ethernet Blades

Specific port configuration can vary depending on the interface of the hosts being connected. Remember that the speed and duplex settings configured on the switch must match the settings of the interface on the host to be connected. We recommend setting everything to autonegotiate. To configure the ports on the switch:

1. Set the port speed of the interface. Use the config ethernet command to force the speed and duplex of the port, or to set it to autonegotiate.

   MSA_BOT:5# config ethernet slot/port
   MSA_BOT:5/config/ethernet/slot/port# auto-negotiate enable

   Or

   MSA_BOT:5/config/ethernet/slot/port# auto-negotiate disable
   MSA_BOT:5/config/ethernet/slot/port# duplex full
   MSA_BOT:5/config/ethernet/slot/port# speed 100

2. Enable the port.

   MSA_BOT:5# config ethernet slot/port
   MSA_BOT:5/config/ethernet/1/1# state enable

   MSA_BOT:5# config ethernet slot/port
   MSA_BOT:5/config/ethernet/slot/port# auto-negotiate enable|disable
   MSA_BOT:5/config/ethernet/slot/port# duplex full
   MSA_BOT:5/config/ethernet/slot/port# speed 100
   MSA_BOT:5/config/ethernet/slot/port# info
   Port slot/port:
       lock : false
       name :
       auto-negotiate : true
       enable-diffserv : false
       access-diffserv : false
       qos-level : 1
       unknown-mac-discard : disable
       default-vlan-id : 1115
       tagged-frames-discard : disable
       perform-tagging : disable
       untagged-frames-discard : disable
       state : up
       linktrap : enable
       multicast rate-limit : disabled
       broadcast rate-limit : disabled
   MSA_BOT:5# config ethernet 4/48
   MSA_BOT:5/config/ethernet/4/48# auto-negotiate enable|disable
   MSA_BOT:5/config/ethernet/4/48# duplex full
   MSA_BOT:5/config/ethernet/4/48# speed 100

Figure 2.10 Sample Output While Configuring a Port


Creating VLAN Segments

Typically, each VLAN in an IP network is associated with a single IP subnetwork. Therefore, all hosts in a given VLAN belong to a single subnet, use the same subnet mask, and use the default gateway connected to that subnetwork. The servers in the Internet Data Center architecture are grouped and assigned to VLANs based on the functions they perform and their relative positioning on the inner or outer network. To configure VLANs on the switch, use the following commands and syntax:

1. Create a VLAN and assign ports by using the config vlan command.

   MSA_BOT:5# config vlan vlan-number
   MSA_BOT:5/config/vlan/vlan-number# create byport 1
   MSA_BOT:5/config/vlan/vlan-number# ports
   MSA_BOT:5/config/vlan/vlan-number/ports# add slot1/port1-slot2/port2,slot3/port3-slot4/port4

2. Verify the configuration of the VLANs.

   MSA_BOT:5# show vlan info all

Note The IDC uses VLANs 12 through 18, and 200.

Removing a VLAN

To remove a VLAN from the Passport 8000, use the following command and syntax:

   MSA_BOT:5# config vlan vlan-number
   MSA_BOT:5/config/vlan/vlan-number# del

   MSA_BOT:5# config vlan 18
   MSA_BOT:5/config/vlan/18# create byport 1
   MSA_BOT:5/config/vlan/18# ports
   MSA_BOT:5/config/vlan/18/ports# add 1/1-1/2,4/1-4/24
   MSA_BOT:5# show vlan info all
   MSA_BOT:5# config vlan 18
   MSA_BOT:5/config/vlan/18# del

Figure 2.11 Sample Output when Configuring and Removing a VLAN from Passport 8600
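The port lists passed to ports add follow the slot/port-slot/port,... syntax shown above, and a typo in one of them silently puts a server in the wrong segment or references a port that does not exist. The following is an added example (not code from the guide or from Nortel) that expands such a list, checks it against the chassis layout of Table 2.5, and reports ports listed under more than one byport VLAN; the per-module port counts are assumed from the model names.

```python
import re
from typing import Dict, List, Tuple

Port = Tuple[int, int]  # (slot, port) as written on the Passport CLI

# Slot layout of one chassis from Table 2.5; slots 9 and 10 are empty
# in the baseline, so any port reference to them is a typo.
CHASSIS_LAYOUT: Dict[int, str] = {
    1: "WSM", 2: "8608SX", 3: "8648TX", 4: "8648TX",
    5: "8690SF", 6: "8690SF", 7: "8648TX", 8: "8608SX",
}

# Front-panel port counts per module (assumed from the model names and
# the "4p" WSM description in Table 2.7; adjust for your hardware).
PORTS_PER_MODULE: Dict[str, int] = {"8608SX": 8, "8648TX": 48, "WSM": 4}

_PORT_RE = re.compile(r"^(\d+)/(\d+)$")


def _parse_port(token: str) -> Port:
    """Turn 'slot/port' into (slot, port); anything else is an error."""
    match = _PORT_RE.match(token.strip())
    if not match:
        raise ValueError(f"bad port token {token!r}, expected slot/port")
    return int(match.group(1)), int(match.group(2))


def expand_port_list(spec: str) -> List[Port]:
    """Expand a CLI port list such as '1/1-1/2,4/1-4/24'.

    Items are comma separated; each is a single port or a range whose
    start and end must sit in the same slot (4/1-4/24), since a range
    cannot run across modules.
    """
    ports: List[Port] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port list")
        if "-" in item:
            start_tok, end_tok = item.split("-", 1)
            start, end = _parse_port(start_tok), _parse_port(end_tok)
            if start[0] != end[0]:
                raise ValueError(f"range {item!r} crosses slots")
            if end[1] < start[1]:
                raise ValueError(f"range {item!r} runs backwards")
            ports.extend((start[0], p) for p in range(start[1], end[1] + 1))
        else:
            ports.append(_parse_port(item))
    return ports


def validate_ports(ports: List[Port],
                   layout: Dict[int, str] = CHASSIS_LAYOUT) -> List[str]:
    """Report ports that do not exist in the chassis layout.

    Catches references to empty slots, to the 8690SF switch-fabric
    slots (which carry no user ports), and port numbers beyond the
    size of the module in that slot.
    """
    problems: List[str] = []
    for slot, port in ports:
        module = layout.get(slot)
        if module is None:
            problems.append(f"{slot}/{port}: slot {slot} is empty")
        elif module == "8690SF":
            problems.append(f"{slot}/{port}: slot {slot} is a switch fabric")
        elif not 1 <= port <= PORTS_PER_MODULE[module]:
            problems.append(
                f"{slot}/{port}: {module} has only "
                f"{PORTS_PER_MODULE[module]} ports")
    return problems


def find_overlaps(vlan_ports: Dict[int, str]) -> Dict[Port, List[int]]:
    """Map each port listed under more than one VLAN to those VLANs.

    The VLANs here are created 'byport' with untagged members, so a port
    may belong to only one of them; an overlap means a server would end
    up in the wrong segment.
    """
    members: Dict[Port, List[int]] = {}
    for vlan, spec in vlan_ports.items():
        for port in expand_port_list(spec):
            members.setdefault(port, []).append(vlan)
    return {p: v for p, v in members.items() if len(v) > 1}
```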


Creating a Banner

The banner message appears when you are attached to the switch and before you enter the password. The message should make it clear that unauthorized access is prohibited. To create a banner message, use the cli banner add command with the following syntax:

   MSA_BOT:5/config/cli/banner# add

This command adds lines of text to the CLI login banner. The parameter is an ASCII string from 1 to 1024 characters.

   MSA_BOT:5/config/cli/banner# defaultbanner

This enables or disables using the default CLI login banner.

   MSA_BOT:5/config/cli/banner# delete

This deletes an existing customized login banner.

   MSA_BOT:5/config/cli# defaultlogin

This enables or disables the default logon banner using the default login string. The parameter disables the default logon banner and displays the new banner.

   MSA_BOT:5/config/cli# loginprompt

This changes the CLI logon prompt. The parameter is an ASCII string from 1 to 1024 characters.

   MSA_TOP:5/config/cli/banner# add "This is a private system - KEEP OUT!"
   MSA_TOP:5/config/cli/banner# defaultbanner false
   MSA_TOP:5/config/cli/banner# info
   Sub-Context:
   Current Context:
       defaultbanner : false
       custom banner : This is a private system - KEEP OUT!

Figure 2.12 Example of Creating a Banner Message

VLAN Redundancy on Passport 8600

In VLANs, you provide redundancy by connecting the servers to separate Passport 8600 switches and using adapters in “teaming” mode. Gigabit Multilink Trunks between the two switches accommodate trunking. This provides alternate paths for the teamed servers, in case a switch fails or loses connection. VLAN redundancy has been implemented in the Internet Data Center architecture as shown in Figure 2.13.


Figure 2.13 Redundant Switches with Gigabit Multilink Trunking

Gigabit Multilink Trunking

Gigabit Ethernet port bundles allow you to group multiple Gigabit Ethernet ports into a single logical transmission path between Switch A and Switch B. The switch distributes frames across the ports in a Multilink Trunk (MLT) according to the source and destination Media Access Control (MAC) addresses. If a port within an MLT fails, traffic that would have been carried over the failed port switches to the remaining ports within the MLT. MLTs can be configured as trunk links for VLANs. This configuration is used in the Internet Data Center architecture. After a link has been formed, configuring any port in the link as a trunk applies the configuration to all ports in the channel. Identically configured trunk ports can be configured as an MLT. For more information, refer to the Nortel Networks Passport 8600 documentation.

Inter-VLAN Communication

The Passport 8600 switch is the foundation of connectivity for the Internet Data Center architecture. It facilitates all server connectivity and also enables you to strategically implement inter-VLAN communication by employing Layer-3 routing functionality. To secure the Internet Data Center network, you need to ensure that only appropriate VLANs can communicate with each other. In this model, you can classify VLANs into two groups:

• Internal – VLANs 12, 13, 17, 18

• External – VLANs 16, 200

VLANs within a group must be able to communicate with each other in an operational environment. In addition, external VLANs should NOT be allowed to communicate with internal VLANs or vice versa. To implement this behavior, use port filtering similar to the access control lists (ACLs) used with the router. However, there is one exception to this behavior. During the deployment phase of the Internet Data Center, you need to allow unrestricted inter-VLAN communication before connecting to the Internet. You need to do this because the servers need to reach the Domain Controllers while they are being built. In addition to allowing the previously defined groups to communicate with each other, VLAN 18 needs to participate in inter-VLAN communication as well. Once this phase is complete, ensure that the appropriate inter-VLAN communication behavior is restored.

Deploying Servers

During the deployment phase of the Internet Data Center, all servers must be able to communicate with a Domain Controller and have access to a deployment share. To provide this connectivity, you need to allow VLANs 12, 13, 16 and 18 to participate in inter-VLAN communication. You need to load the base configuration of the config.cfg file (provided in Appendix 2.3) on both switches. This includes configuring all VLAN interfaces, a routing statement, and port filters that must be temporarily removed or deactivated. Therefore, you need a “deployment” as well as a “production” boot configuration file. Passport switches allow multiple boot configurations. The following steps show how to change the boot configuration file and switch between deployment and production modes. From the switch configuration prompt, complete the following steps to configure a switch to allow for server deployment. These steps are for Switch A. You need to repeat these steps for Switch B.

Note The remainder of this chapter cannot be completed until after the procedures in Chapter 8, “Deploying the Firewalls”, have been completed.

Changing the Boot Configuration File

Use the following commands and syntax to change the boot configuration file:

   MSA_BOT:5# config bootconfig
   MSA_BOT:5/config/bootconfig# choice primary
   MSA_BOT:5/config/bootconfig/choice/primary# config /flash/config.cfg
   MSA_BOT:5/config/bootconfig/choice/primary# save boot

This saves the boot configuration file to the processor’s flash.

   MSA_BOT:5/config/bootconfig/choice/primary# save boot standby /flash/boot.cfg

This saves the boot configuration file to the standby processor’s flash.

Booting the Switch into the Changed Boot Configuration

Use the following command to switch to the changed boot configuration file:

   MSA_BOT:5# reset -y

This resets the switch and boots off the new boot configuration file.

Securing Inter-VLAN Communication

After you have completed the deployment phase, ensure that only the appropriate inter-VLAN communication takes place by restoring the base “production” configuration file, such as the file created using the sample file given in Appendix 2.4. You can restore the base configuration on both switches by changing the boot configuration to boot off the appropriate file.
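The internal/external grouping, the deployment-phase exception for VLANs 12, 13, 16 and 18, and the return to production can be checked rather than trusted. The following is an added example (not code from the guide or from Nortel): it models which VLAN pairs the port filters must block in each mode and audits constructed flow records against that policy, so that a switch left booting the deployment configuration shows up as findings. The subnet-to-VLAN mapping for VLANs 12, 16 and 18 is derived from addresses shown in this chapter; the other subnets are placeholders.

```python
import ipaddress
from typing import List, Optional, Tuple

# VLAN groups from the "Inter-VLAN Communication" section.
INTERNAL = {12, 13, 17, 18}
EXTERNAL = {16, 200}
# VLANs that must all reach the Domain Controllers and the deployment
# share while servers are being built ("Deploying Servers").
DEPLOYMENT_VLANS = {12, 13, 16, 18}
MODES = ("production", "deployment")


def vlan_group(vlan: int) -> Optional[str]:
    """Classify a VLAN as internal, external, or unknown (None)."""
    if vlan in INTERNAL:
        return "internal"
    if vlan in EXTERNAL:
        return "external"
    return None


def inter_vlan_allowed(src: int, dst: int, mode: str) -> bool:
    """Should the Passport 8600 route src -> dst in the given mode?

    production: only VLANs of the same group may talk (port filters on).
    deployment: additionally, any two deployment VLANs may talk, which
    is the temporary exception the guide describes.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if src == dst:
        return True  # same segment: Layer-2, no routing involved
    if mode == "deployment" and {src, dst} <= DEPLOYMENT_VLANS:
        return True
    group = vlan_group(src)
    return group is not None and group == vlan_group(dst)


def required_filters(mode: str) -> List[Tuple[int, int]]:
    """All (src, dst) VLAN pairs the port filters must block in a mode."""
    vlans = sorted(INTERNAL | EXTERNAL)
    return [(s, d) for s in vlans for d in vlans
            if not inter_vlan_allowed(s, d, mode)]


# Subnet -> VLAN. The VLAN 12, 16 and 18 prefixes are derived from
# addresses shown in this chapter (192.168.12.252, 192.168.16.241 with a
# /24 mask, 208.217.185.252 with a /25 mask); the rest are constructed
# placeholders for this example only.
SUBNETS = {
    ipaddress.ip_network("192.168.12.0/24"): 12,
    ipaddress.ip_network("192.168.13.0/24"): 13,    # placeholder
    ipaddress.ip_network("192.168.16.0/24"): 16,
    ipaddress.ip_network("192.168.17.0/24"): 17,    # placeholder
    ipaddress.ip_network("208.217.185.128/25"): 18,
    ipaddress.ip_network("192.168.200.0/24"): 200,  # placeholder
}


def vlan_of(ip: str) -> Optional[int]:
    """Map an address to its IDC VLAN by subnet, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, vlan in SUBNETS.items():
        if addr in net:
            return vlan
    return None


def audit_flows(flow_lines: List[str], mode: str) -> List[str]:
    """Flag observed flows that the policy for `mode` says must not exist.

    Each line is 'src_ip dst_ip' (a constructed record format). A hit in
    production means the port filters are missing or the switch is still
    booting the deployment configuration file.
    """
    findings: List[str] = []
    for line in flow_lines:
        src_ip, dst_ip = line.split()
        src, dst = vlan_of(src_ip), vlan_of(dst_ip)
        if src is None or dst is None:
            findings.append(f"{line}: address outside the IDC VLANs")
        elif not inter_vlan_allowed(src, dst, mode):
            findings.append(
                f"{line}: VLAN {src} -> VLAN {dst} must be filtered in {mode}")
    return findings


# Constructed sample flow records (not taken from the guide).
SAMPLE_FLOWS = [
    "192.168.12.10 192.168.13.20",  # internal -> internal: allowed
    "192.168.12.10 192.168.16.5",   # internal -> external: blocked in production
    "192.168.16.5 192.168.200.7",   # external -> external: allowed
    "192.168.17.9 192.168.16.5",    # VLAN 17 is not a deployment VLAN
    "10.0.0.10 192.168.12.1",       # management host, outside the IDC VLANs
]
```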

Routing Configuration Notes

You can use the following logical sequence of commands to configure routing and VRRP with any VLANs configured on the Passport 8600 switch. These same commands are used in the sample configuration in Appendix 2.2.

Configuring a VLAN for Layer 3 Capability

To configure a VLAN for Layer-3 capability, you use the following command and syntax:

   config vlan vlan-id ip create ip-address/subnet-mask

Configuring a VLAN for VRRP Capability

To configure a VLAN for VRRP capability, you use the following commands and syntax:

   config vlan vlan-id ip vrrp vrrp-id address virtual-ip
   config vlan vlan-id ip vrrp vrrp-id priority 1-254
   config vlan vlan-id ip vrrp vrrp-id enable
   config vlan vlan-id ip vrrp vrrp-id backup-master enable

For more information see the Nortel Networks Web site: http://www.nortelnetworks.com

General Routing Configuration

Recommended routing performance and security settings are included in the general configuration. The general production configuration of Switch-A and Switch-B is described in Appendix 2.4.


Configuring Layer 3 Redundancy within the Switch

The switches are connected to each other using a Gigabit Ethernet link. As mentioned in the VLAN Redundancy on Passport 8600 section, this provides a path for VLAN trunking and redundancy. Passport 8600 also uses this connection as a path to communicate using VRRP. VRRP is discussed at length in the section titled “Virtual Router Redundancy Protocol” earlier in this document, and in greater detail at the Nortel Networks Web site: http://www.nortelnetworks.com. The sample configuration provided in Appendix 2.4 includes the VRRP configuration as implemented on Switch A and Switch B in the Internet Data Center.


CONFIGURING THE ALTEON WEB SWITCH MODULE

The Nortel Networks Alteon Web Switching Module (WSM) integrates full Layer 4 through 7 web switching, Web OS traffic management, and content-intelligent capabilities into the Nortel Networks Passport 8600 Routing Switch platform. The WSM is used for server load balancing and server health checks in the Internet Data Center architecture. The WSM enables clients to establish a connection to a real server in the DMZ via a VIP (Virtual IP) address associated with a desired server group. Servers are load balanced based on the services enabled on the VIP. The WSM/Passport 8600 combination allows for extremely large-scale data centers in a single-box solution, with the ability to scale virtual IP clusters to 255 per WSM, and 1024 real servers per virtual IP cluster. The WSM monitors server health throughout the data center and across multiple data centers using global server load balancing.

First, ensure that the WSM is in slot one in the Passport 8600. To configure Server Load Balancing you will need to use a console cable or a Telnet session into the Passport 8600 (for example, telnet 192.168.12.252) and log on as stated in the Passport 8600 configuration guide. Once you have a connection to the Passport 8600, you will then need to connect to the WSM.

WSM connection syntax:

   wsm connect

WSM VLAN configuration syntax:

   cfg/vlan 16
   ena
   name "VLAN 16"
   def 5 6
   cfg/vlan 18
   ena
   name "VLAN 18"
   def 1 2 3 4

WSM interface configuration syntax:

   cfg/ip/if 1
   ena
   mask 255.255.255.0
   addr 192.168.16.241
   vlan 16
   cfg/ip/if 2
   ena
   mask 255.255.255.128
   addr 208.217.185.252
   vlan 18

WSM building the gateways:

   cfg/ip/gw 1
   ena
   addr 208.217.185.129

WSM assigning interfaces to VLANs configuration syntax:

   cfg/port 1
   pvid 18
   cfg/port 2
   pvid 18
   cfg/port 3
   pvid 18
   cfg/port 4
   pvid 18

WSM VRRP (Virtual Router Redundancy Protocol) configuration syntax:

   cfg/vrrp/on
   cfg/vrrp/vr 1
   ena
   vrid 18
   if 2
   prior 101
   addr 208.217.185.254
   share dis
   track l4pts e
   cfg/vrrp/vr 2
   ena
   vrid 116
   if 1
   prior 101
   addr 192.168.16.240
   share dis
   track l4pts e
   cfg/vrrp/vr 3
   ena
   vrid 3
   if 2
   prior 101
   addr 208.217.185.200
   track l4pts e

WSM Server Load Balancing synchronization syntax:

   cfg/slb
   on
   cfg/slb/sync
   prios d
   cfg/slb/sync/peer 1
   ena
   addr 208.217.185.253

WSM building the real server configuration syntax:

   cfg/slb/real 1
   ena
   rip 192.168.16.1

(Repeat these steps for all servers.)

WSM Server Load Balancing group configuration syntax:

   cfg/slb/group 1
   metric roundrobin
   content "postinfo.html"

WSM adding real servers to your server group syntax:

   cfg/slb/group 1
   add 1
   add 2

(Repeat for all real servers needed in this group.)

WSM configure server/client load balancing configuration syntax:

   cfg/slb/port 1
   client ena
   cfg/slb/port 4
   server ena
   cfg/slb/port 5
   server ena
   cfg/slb/port 6
   server ena

WSM virtual server configuration syntax:

   cfg/slb/virt 1
   ena
   vip 208.217.185.200

WSM virtual server mapping to server group syntax:

   cfg/slb/virt 1/service http
   group 1


ORDERING THE INTERNET DATA CENTER CONFIGURATION

This section consists of ordering data as it relates to the Internet Data Center configuration. The configurations specified here are what was tested in this architecture. It is recommended that you discuss any variations with a Nortel representative or a Nortel Authorized Value Added Reseller (VAR). Moreover, as new products are introduced, the recommended hardware and software might change.

Edge Router – Juniper

The base configuration of the Juniper M5 is shown in Table 2.6.

Table 2.6. Base configuration of the Juniper M5

Quantity  Model #        Description
2         M5BASEAC-E     M5 base unit; four PIC slot chassis, one built-in FPC, cooling, midplane, Forwarding Engine Board (with Internet Processor II ASIC, 8-MB SSRAM), 1 AC power supply (AC cables are country specific and sold separately), complete documentation (CD ROM).
2         PE-4FETX       4-port Fast Ethernet, TX, RJ-45 Connector with PIC Ejector
2         PE-1GESX-B     M5 / M10 1-port GigE, SX
2         RE-333256      Routing Engine (333-MHz mobile Pentium II, 256-MB DRAM, 80-MB flash drive, 6.4-GB hard drive, JUNOS software for the USA and Canada)
2         PWRM10-M5AC    M5/M10 AC Power Supply
2         CBLPWR10AC-US  M5/M10 AC Power cable, US (10A 8.2ft/2.5 m)
2         JUNOS          JUNOS Internet software (flash PC card) for USA and Canada (not for export)

For other WAN options, see your Nortel representative.

Note The Juniper M-series routers are equipped with enough memory to handle full Internet route tables.


Nortel Passport 8600

The Nortel Passport 8010 chassis is one of the options in the Nortel Passport 8000 product line. The Nortel Passport 8010 provides excellent densities. Check with a Nortel representative to determine the best option for your particular environment.

Table 2.7. Nortel Passport 8600 configuration

Quantity (Baseline + Spare)  Generic Component Type  Part Number  Description
2     High Density Chassis  DS1402001  Passport 8010 10-slot chassis; includes chassis, dual back plane, two fan trays, RS232 cable for management console, rack mount kit, and cable guide kit; requires one or two power supplies depending on configuration; up to three power supplies supported
2+1   AC Power Supply       DS1405A01  Passport 8001PS 100-240 VAC Power Supply, at least one power supply required per Passport 8000 chassis (No power cord included)
4+1   CPU/Switching Fabric  DS1404001  Passport 8690SF Routing Switch Module, CPU/Switch Fabric module, one required per Passport 8000 series chassis. Includes PCMCIA memory card.

Modules

10+1  10/100 Base-TX        DS1404002  Passport 8648TX Routing Switch Module, 48-port auto sensing 10BASE-T/100BASE-TX Ethernet Layer 3 switching interface
2+1   1000Base SX           DS1404003  Passport 8608SX Routing Switch Module, 8-port 1000BASE-SX Gigabit Ethernet interface module
2+1   WSM                   DS1404045  Alteon WSM, 4p Gig SX / 10/100BaseTX (Layer 4-7 Web Switching Module).


SUMMARY

The Internet Data Center provides a model for implementing a comprehensive e-commerce solution. This chapter provides specifications and procedures for building the network infrastructure portion of the architecture. By following the specifications and procedures in this document and applying the site-specific aspects of your environment, you can build an e-commerce network infrastructure that encompasses the design considerations presented in the section titled “Introduction” earlier in this document. Information on managing the network infrastructure is beyond the scope of this document. Follow-up documentation will provide guidance for implementing a network management solution.

More Information

For more information about the Nortel devices discussed in this document, refer to the Nortel Networks Web site at: http://www.nortelnetworks.com


APPENDIXES

This section provides details of the appendix files that are provided as part of the MSA Internet Data Center architecture documentation.

Appendix 2.1 – Network Diagram

This appendix provides a detailed diagram of the components that make up the MSA Internet Data Center architecture. The file Appendix_1.2_Architecture allows this diagram to be viewed using a Web browser.

Appendix 2.2 – Perimeter Router Configuration

This appendix provides example configuration scripts for the primary and secondary Juniper M5 routers that were used as the perimeter routers in the Microsoft Internet Data Center architecture. This file contains the configuration scripts for both the primary and secondary routers. These scripts will need to be saved separately and run against the relevant router. The file is N-M5 Perimeter Router Configuration.txt.

Appendix 2.3 – Deployment Switch Configurations

This appendix file provides example configuration scripts for the Nortel 8600 switches. These switch configurations are used during the deployment phase of the Internet Data Center architecture. This file contains the configurations for both the primary and secondary switches. These scripts will need to be saved separately and run against the relevant switch. The file for Appendix 2.3 is N-8600–Deployment Switch Configuration.txt.

Appendix 2.4 – Production Switch Configurations

This appendix file provides example configuration scripts for the Nortel 8600 switches. These switch configurations are used to secure the switches ready for the Internet Data Center architecture to enter production. This file contains the configurations for both the primary and secondary switches. These scripts will need to be saved separately and run against the relevant switch. The file for Appendix 2.4 is N-8600–Production Switch Configuration.txt.

Appendix 2.5 – WSM Configuration

This appendix provides example configuration scripts for the Web Switch Module. These configurations are used to provide server load balancing and health checking of the web tier. This file contains the configuration for both the primary and secondary WSMs. These scripts will need to be saved separately and run against the relevant switches. The file for Appendix 2.5 is N-WSM-Production Configuration.txt.
