Zhihui Sun , Fazhi Qi, Tao Cui


1 Applications of SDN in IHEP network environment
Zhihui Sun, Fazhi Qi, Tao Cui (sunzh@ihep.ac.cn), 4-4-2019
International Symposium on Grids & Clouds 2019
2019/6/24

2 Agenda
- IHEP campus network
- Network access control management in IHEP
- Network security in IHEP
- Summary

3 IHEP campus network
Network topology
- The wired network and the wireless network are independent of each other and are connected through an interconnection switch. This gives clear physical and functional separation, so we can easily manage and monitor network status and traffic.
- Both the wired and the wireless network support IPv4 and IPv6.
- The LHCONE configuration is complete.

4 IHEP campus network - Wireless Network Access Control management
- We designed a solution for our wireless network based on a network access control system ( system), an AC (Access Controller), DHCP and FreeRADIUS.
- It works well, and users can easily access our wireless network.
- We implemented unified access control management of the wireless network across campuses (Beijing campus, Dongguan campus) by sharing data between them.
- We developed a conference QR code function: users scan the code to get access to the IHEP wireless network.
(Figure: Cross-regional Wireless Network Access Control Management; labels: Beijing campus, Dongguan campus, CSNS, BEPCII, BESIII, JUNO, Conference network access code, Wireless Network Access Control)

5 IHEP campus network - Wired Network Access Control management
Current architecture
- We still use a static control strategy based on the device MAC, the device IP and the corresponding switch IP, switch port and VLAN ID to manage wired network access.
- These strategies must be written into the access switch before a user can use the IHEP wired network.
Inconveniences
- The current strategy needs a network admin to assign IP addresses manually.
- Users have to configure the IP address on their network devices themselves.
- It is inconvenient for users to get access to our wired network.
(Figure: Wired Network Access Control; labels: BESIII, JUNO, HEPS)

6 IHEP campus network - Wired Network Access Control management
Wanted architecture
- Automatic IP address allocation for the wired network, so users no longer have to pay attention to IP addresses.
- Keep the control strategy of 5 key attributes (device MAC address, device IP address and the corresponding switch IP, switch port and VLAN ID), so that access to our wired network stays unambiguous.
- A whitelist of users who can access the wired network from any port; this function is only for network admins to use.
- The final purpose is to provide a convenient, self-service wired network access service for users.
- This requires a new network access control architecture for the wired network.
(Figure labels: JUNO, HEPS)

7 SDN @ network access control management in IHEP

8 SDN @ network access control management in IHEP
New solution based on SDN architecture
- Uses the standard SDN architecture, which consists of an application plane, a control plane and a data plane
- Northbound interface: REST API
- Southbound interface: OpenFlow / NETCONF

9 SDN @ network access control management in IHEP
New solution based on SDN architecture
- DHCP: provides dynamic address allocation for IPv4 and IPv6
- SDN controller (Agile Controller, provided by HUAWEI): keeps our control strategy, i.e. the 5 key attributes of each access device (device MAC, device IP, switch IP, switch port, VLAN ID); uses RADIUS to provide access authentication for devices; provides more automated network management
- User access control system (self-developed): manages the user and device information

10 SDN @ network access control management in IHEP
Network access process
1-2. When your device connects to the IHEP wired network, the DHCP server assigns it an IPv4 and an IPv6 address.
3. Your network access request is sent to the SDN controller for verification; if the attributes match, it passes authentication.
4. If they do not match, your request is redirected to our user access control system, which asks you to register.
5. You enter your personal information.
6-7. The user access control system obtains your device MAC and the corresponding switch IP, switch port and VLAN ID from the DHCP server.
8. When you complete the registration, your IP, MAC, switch IP, switch port and VLAN ID are written to the controller, and your device then passes the network authentication.
Access control process: we implement wired network access control management based on the DHCP server, the user access control system and the SDN controller.
(Figure labels: Device IP, Device MAC, Switch IP, Switch port, Vlan ID)

11 SDN @ network access control management in IHEP
Test-bed and result
- We built a test-bed last month: SDN controller (HUAWEI Agile Controller), DHCP (Infoblox)
- The access control test results are in line with our expectations
- The whitelist test results also satisfy our requirements
(Figure labels: REST API, Device mac, Switch ip, Device ip, Switch port, Vlan Id)

12 SDN @ network access control management in IHEP
Test-bed and result
Northbound interface test: add an account to the SDN controller. Added successfully.

13 SDN @ network access control management in IHEP
Test-bed and result
Northbound interface test: delete the account. Deleted successfully.

14 SDN @ network access control management in IHEP
Test-bed and result
Northbound interface test: modify the binding port of an account. Modified successfully.
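The access process on slide 10 and the three northbound operations tested on slides 12-14 (add an account, delete it, modify its binding port) fit one small model, added here as an illustration. It is not code from the presentation or from the HUAWEI Agile Controller; the class and function names, the sample MAC and IP addresses and the DHCP lease table are constructed for the example. The point it makes concrete is the one the slides rely on: a device passes only if all five attributes match the stored binding, a device that shows up on another port is sent back to registration, and only an admin-managed whitelist entry bypasses the port check.

```python
"""Model of the wired network access control flow (slides 10-14).

Added example, not code from the IHEP presentation or the HUAWEI Agile
Controller. Names, sample MACs/IPs and the lease table are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Binding:
    """The 5 key attributes the controller keeps per access device."""
    mac: str
    ip: str
    switch_ip: str
    switch_port: int
    vlan_id: int


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so a lookup never misses on case or separator."""
    return mac.strip().lower().replace("-", ":")


class AccessController:
    """Stands in for the SDN controller: one binding per MAC plus an
    admin-only whitelist of MACs that may use any port."""

    def __init__(self) -> None:
        self.bindings: dict[str, Binding] = {}
        self.whitelist: set[str] = set()

    # --- northbound operations, mirroring the slide 12-14 tests ---
    def add_account(self, b: Binding) -> bool:
        mac = norm_mac(b.mac)
        if mac in self.bindings:
            return False  # refuse a duplicate rather than silently overwrite
        self.bindings[mac] = replace(b, mac=mac)
        return True

    def delete_account(self, mac: str) -> bool:
        return self.bindings.pop(norm_mac(mac), None) is not None

    def modify_binding_port(self, mac: str, switch_ip: str, switch_port: int, vlan_id: int) -> bool:
        mac = norm_mac(mac)
        old = self.bindings.get(mac)
        if old is None:
            return False
        self.bindings[mac] = replace(old, switch_ip=switch_ip, switch_port=switch_port, vlan_id=vlan_id)
        return True

    # --- steps 3-4: verification of an access request ---
    def verify(self, req: Binding) -> str:
        """'pass' when authenticated, 'redirect' to send the user to registration."""
        mac = norm_mac(req.mac)
        if mac in self.whitelist:
            return "pass"
        # All five attributes must match exactly: a registered device moved to
        # another port or VLAN is redirected, which keeps access unambiguous.
        if self.bindings.get(mac) == replace(req, mac=mac):
            return "pass"
        return "redirect"


# Constructed lease table: what the user access control system reads from the
# DHCP server in steps 6-7 (device MAC -> address and switch attachment).
DHCP_LEASES = {
    "aa:bb:cc:00:00:01": {"ip": "192.0.2.10", "switch_ip": "192.0.2.1", "switch_port": 5, "vlan_id": 100},
}


def register(controller: AccessController, mac: str, user_info: dict) -> bool:
    """Steps 5-8: the user enters personal information, the system looks up the
    device's lease and writes the resulting binding to the controller."""
    lease = DHCP_LEASES.get(norm_mac(mac))
    if lease is None or not user_info.get("name"):
        return False
    return controller.add_account(Binding(norm_mac(mac), **lease))


def walkthrough() -> list[str]:
    """Run the access process end to end and return each verify() outcome."""
    ctrl = AccessController()
    req = Binding("AA:BB:CC:00:00:01", "192.0.2.10", "192.0.2.1", 5, 100)
    results = [ctrl.verify(req)]                      # unknown device -> redirect
    register(ctrl, req.mac, {"name": "Constructed User"})
    results.append(ctrl.verify(req))                  # registered -> pass
    moved = replace(req, switch_port=6)
    results.append(ctrl.verify(moved))                # same device, other port -> redirect
    ctrl.modify_binding_port(req.mac, "192.0.2.1", 6, 100)
    results.append(ctrl.verify(moved))                # admin moved the binding -> pass
    ctrl.whitelist.add("aa:bb:cc:00:00:02")
    results.append(ctrl.verify(Binding("aa:bb:cc:00:00:02", "192.0.2.11", "192.0.2.1", 9, 100)))  # whitelist -> pass
    ctrl.delete_account(req.mac)
    results.append(ctrl.verify(moved))                # deleted -> redirect
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Running `walkthrough()` yields `redirect, pass, redirect, pass, pass, redirect`, one outcome per step. The MAC normalisation is deliberate: a binding written as `AA-BB-...` by one system and looked up as `aa:bb:...` by another would otherwise never match and every such device would be sent back to registration.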

15 SDN @ network access control management in IHEP
Future plan
- We will develop and upgrade our user access control system using the northbound interface.
- We will also complete the wired network access control management based on the SDN architecture within the next 3 months.
- We also plan to replace the old network equipment step by step.

16 SDN @ network security in IHEP

17 SDN @ network security in IHEP
Network security challenges in the Computing/Data Center
- Network security devices may become the bottleneck of network data exchange.
- Many network security devices have to be deployed at the network exit, such as an IDP (Intrusion Detection & Prevention System), a WAF (Web Application Firewall) and a VPN (Virtual Private Network), which makes the network security policies very complex.
- Adjusting the service chain is also complex; most of the time we need to change the network topology and reconfigure the network.

18 SDN @ network security in IHEP
Thoughts
- We want simple security policy adjustment for the network security devices, without having to change the network topology often.
- We also want fewer network security devices connected in series; most of them should be connected to the network in bypass mode.
- We also want to reduce the traffic load on the network security devices.
Plan
- Minimize the impact on the existing network.
- Our plan is divided into two steps.

19 SDN @ network security in IHEP
Step 1
- We use an SDN switch as the traffic aggregation node and verify our ideas about network security on the SDN architecture.
- We set filtering rules in the controller that steer network traffic into a network security node we defined beforehand.
- We also set service chain rules in the controller that steer network traffic through different network security nodes in a defined order.
- We built a test-bed and used DELL devices for the tests.
(Figure: Stage 1)

20 SDN @ network security in IHEP
Test-bed and result
(Figure: Create a rule; labels: 2 SDN switch)

21 SDN @ network security in IHEP
Test-bed and result
- We created a rule that filters UDP traffic and defines its input port and output port.
- The test results are in line with our expectations.
(Figure labels: UDP, Input port, Output port)

22 SDN @ network security in IHEP
Step 2
- We want the SDN switch to act as the gateway, with the firewalls connected to the SDN switch in bypass mode.
- Current status: we have designed the architecture.
Plan
- We plan to deploy the second-step test-bed in the coming two months.
- Evaluate the function and performance of the bypass firewall solution.
(Figure: Stage 2)

23 Summary
- Our wired network and wireless network are independent of each other and are connected through an interconnection switch.
- We implemented unified management of the wireless network across campuses, and it works well.
- We designed a solution for wired network access control management based on the SDN architecture, and the test-bed results are very successful.
- The architecture for network security in IHEP has been designed, and the test-bed results are in line with our expectations.

24 Thanks for your attention!
