
IBM GTS Architecture and Solution Design

SoftLayer – Networking Guide


Overview
Note: the full version of this Networking Guide can be found in iRAM

Jeri Korkki
IBM Distinguished Engineer
Version: 20150501

IBM Internal Use Only – Contains GTS Intellectual Capital © 2015 IBM Corporation

This Work Product is intended for IBM Global Technology Services employees
developing network solutions that include SoftLayer, an IBM company.
This Work Product contains a short overview of SoftLayer and its compute
capabilities, servers, storage, Operating Systems, virtualization, services,
networking and service management; the basics that you need to know to be
able to design network solutions. The work product introduces SoftLayer
network components and the basics of SoftLayer internal and external
connectivity.
This work product explains the high-level network architecture of
SoftLayer's data centers and private network, and shows the different ways
IBM Strategic Outsourcing Extended Premises and Customer Premises can
be connected to a customer's SoftLayer environments.

Note:
This work product contains IBM Global Technology Services developed intellectual
capital
• The IBM intellectual capital, the know-how, techniques, methods and
information learned through services engagements is of great value to IBM and
is an asset that needs to be protected in the same way as any physical asset.
• The IBM Global Technology Services professionals can use content from this
work product for services proposals and paid services engagements. Do not
distribute this document and its content externally or give a copy to an IBM
Business Partner.
Send any feedback, corrections, comments and suggestions for change to:
Jeri Korkki/Finland/IBM@IBMFI


Table of contents
• SoftLayer – Introduction
• SoftLayer Network Overview
• Rack Architecture
• SoftLayer Computing - Basics
• SoftLayer Networking - Basics
• Interconnecting SoftLayer with IBM SO Customer


SoftLayer - a Global Hosting Leader

Customers: 21,000 in 140 countries
Servers: 180,000+
Data centers: 17
Network PoPs: 7


Standardized Point of Delivery (PoD) Design


Each data center facility features one or more PoDs, each built to the same
specifications with best-in-class methodologies to support up to 5,000 servers.
All SoftLayer data centers maintain multiple power feeds, fiber links, dedicated
generators, and battery backup.


SoftLayer Data Centers and Private Network Footprint Apr 2015


Servers - Overview

Bare metal servers
• Single-tenant physical server
• Dedicated to a single customer

Dedicated rack
• Customer has an option to buy a dedicated rack
• All servers and switches in one physical rack

Private, self managed virtualization environment
• Customer buys a required number of bare metal servers
• To build a private, self managed virtualization environment, contract an unmanaged hypervisor (VMware, Citrix Xen, Microsoft Hyper-V, Virtuozzo) from SoftLayer with monthly billing
• Add bare metal servers as mass storage as needed
• Etc.

Virtual Server Instances on a Public node
• The resources of a physical server are shared with multiple customers (multitenant environment)

Virtual Server Instances on a Private node
• The resources of a physical server are dedicated
• Customer can consume all resources of the server
• One customer can have one or more virtual machines in the same server, not sharing with other customers

OpenPOWER-based "bare metal" servers
- based on IBM POWER8
- for Linux

Configurations and Options
• Models with Hourly billing
• Latest Multi-core CPUs
• GPUs (for HPC and VDI)
• Mass storage servers
• Redundant power supplies

[Figure: three deployment models side by side: Bare Metal Server (single-tenant physical server, optional unmanaged hypervisor), Virtual Server on a Public Node (multi-tenant physical server, SoftLayer-managed hypervisor) and Virtual Server on a Private Node (single-tenant physical server, SoftLayer-managed hypervisor); plus a Private Cloud built from bare metal servers running any hypervisor with a management VM or virtual machines, and bare metal servers used as mass storage]


Storage - Overview

Local Storage on bare metal servers:
• SSD, SATA, SA-SCSI - with RAID capability

Remote Block Storage Options
• Legacy iSCSI Shared SAN [managed by SL]
• iSCSI Consistent Performance Storage [managed by SL]
• Dedicated SAN [managed by SL]
• QuantaStor Storage OS over a bare metal server [managed by Customer]

Shared Legacy NAS [managed by SL]
• Accessed via CIFS, cost effective, reliable, 2 TB or less
• Many to one – many servers can use one NAS account
• Intended for "off-server" backup archives

Consistent Performance File Storage [managed by SL]
• Accessed via NFS
• Size: 20 GB – 12 TB
• IOPS: 100 – 6000
• Redundant MPIO (multipath)

Object Storage [managed by SL]
• Based on OpenStack Swift + indexing & CDN integration

Note:
• Network Storage connects over the server's Ethernet interface
• No Fibre Channel, no FCoE (Fibre Channel over Ethernet)

[Figure: Supermicro 1, 2 and 4U x86 rack mounted servers with optional local storage (SSD, SATA, SA-SCSI, RAID capability), attached over Ethernet to the SoftLayer Private Network (Layer 3 IP network), which provides the optional networked storage: Legacy iSCSI Shared SAN, iSCSI Consistent Performance Storage, Dedicated SAN, QuantaStor Storage Appliance, Shared Legacy NAS, Consistent Performance File Storage and Object Storage]


Wide range of options for building Cloud environments

[Figure: SoftLayer platform stack, bottom to top]
• Compute and storage: Bare metal servers, Virtual server instances, SAN, NAS, Object storage, Backup
• Solution sets: Private clouds, Big data
• Network and security: Firewalls, IDS and IPS, Anti-virus/malware, SSL certificate management, Load balancers, Global DNS, Domain services, CDN
• Platform management and Managed hosting
• Development and administrator tooling: API, Message queue, Monitoring, Flex images, RescueLayer
• Management portals: Web, iPhone and iPad, Android, Windows Mobile Agent

Abbreviations: Application programming interface (API); intrusion detection system and intrusion prevention system (IDS/IPS); Secure Sockets Layer (SSL); Domain Name System (DNS); content delivery network (CDN); storage area network (SAN); network-attached storage (NAS)


SoftLayer Network Overview


Three Tier Network Design

Public, Private and Management traffic travel across separate server network interfaces, segregating and
securing traffic while streamlining management.
• SoftLayer's global network has more than 2,000 Gbps of connectivity between data centers and network points of presence
• Each data center has multiple 10 Gbps transit connections as well as peering links to additional service providers and
access networks.


Public Network

Every SoftLayer data center and network PoP has multiple 10 Gbps multi-homed connections with bandwidth
from independent top-tier transit and peering network service providers.
Network traffic from anywhere will connect to the closest network PoP and travel directly across SoftLayer's
network to its data center, minimizing the number of network hops and handoffs between providers.
• Unmetered inbound Internet bandwidth
• Metered and unmetered outbound bandwidth
• Multiple internet backbone connections
• Peering and Transit connections
• Automated IP routing and management
• Individual secure private VLAN per customer
• On-the-fly addition of servers to existing VLAN
• Servers available with port speeds up to 10 Gbps
• Geographically redundant DNS
• Cisco and Juniper 10GE network
• Native IPv6 ready
• Cisco Guard / Arbor TMS DDoS protection
• Arbor Peakflow traffic analysis

[Figure: SoftLayer data centers in Dallas, Amsterdam and Singapore joined by the SoftLayer Private Backbone, each reaching The Internet through transit networks (TeliaSonera, NTT) and peering exchanges (Equinix, AMS-IX, NLIX, Equinix, Starhub)]


Internet Peering Exchanges

https://www.euro-ix.net/tools/peering_matrix


Transit Networks


Public IP Addresses

SoftLayer Bare Metal servers and Virtual Server Instances (VSI) come with one Primary Public IPv4 Internet address
• Primary IP addresses are bound to each individual server

Additional, Secondary Public IPv4 Internet addresses can be purchased in quantities of 1, 2, 4, 8, 16, or 32
• With limitations and requiring ARIN (American Registry for Internet Numbers) justification
• When you order an additional IP address, SoftLayer typically assigns addresses from an existing subnet – if exhausted, a new subnet is created
• Types of Secondary Public IP addresses:
  • Static Public IP Addresses – a block of IPs that are routed directly to a specific server on the SoftLayer network
  • Portable Public IP Addresses – can be used on multiple servers within a single Public VLAN at the same time – typically assigned to virtual machines
  • Global IP address – a static IP address that can be transferred between servers associated with the account that owns the subnet. It can help shift workloads across data centers too. This is most similar to Amazon Elastic IPs without the limitation of being restricted to a region

• SoftLayer's Public Network is IPv6 ready
• Global IPv6 IP addresses are available as /64 blocks with a limit of 5 per customer

Pricing (monthly):
IPv4 Addresses
  Primary Address                        Included
  Static Public Address                  $1.00
  Portable Public Address                $2.00
  Global Address                         $20.00
IPv6 Addresses
  Primary Address                        Included
  /64 Block Static Public Addresses      $4.00
  /64 Block Portable Public Addresses    $10.00
  /64 Block Global Addresses             $20.00


Private Network
All SoftLayer data centers and PoPs are connected by SoftLayer’s private network backbone. The private
network enables customers to seamlessly connect their services in SoftLayer data centers around the world.
• High-speed redundant private network built on VRFs that SoftLayer maintains – it carries all routes for SoftLayer's internal use,
cross-connects with telco partners and the customers' backend connectivity
• Network Points of Presence (NPoP) are maintained by SoftLayer – SoftLayer data centers are connected to NPoPs in
Equinix/Telx/InterXion, etc. facilities with high-capacity redundant fiber connections
• Move data between servers at no cost, and take advantage of our update and patch servers, software repositories,
backend services, and more without interfering with public network traffic.
• Multiple 10 Gbps fiber backbone with automatic fail-over
• Unmetered bandwidth on Private Network
• Secure, customer-configurable private VLANs
• Private VLANs may be spanned between data centers
• Servers available with port speeds up to 10Gbps
• Free server-to-server cross connects
• Private Local DNS Resolvers
• Centralized NAS and Block storage resources
• Private OS update, reload and change servers
• SoftLayer software repository
• McAfee security update server


Private Network…

Network PoP facilities (Facility Name – City):
Telx Atlanta – Atlanta
Equinix Chicago (CH1/CH2) – Chicago
CoreSite - DE1 – Denver
Equinix Dallas (DA1) – Dallas
CoreSite - LA1 - One Wilshire – Los Angeles
Terremark Miami – Miami
Telx New York (111 8th) – New York
Equinix San Jose (SV1/5) – San Jose
Westin Building – Seattle
Cologix (TOR2) – Toronto
Equinix Ashburn (DC1-DC11) – Ashburn
Pacnet – Hong Kong
NextDC – Melbourne
Equinix – Singapore
Equinix – Sydney
Equinix Tokyo (TY2) – Tokyo
Equinix Amsterdam (AM1) – Amsterdam
InterXion Frankfurt 6 – Frankfurt
TelecityGroup (Harbour) – London
Equinix – Paris


Network Overview


Rack Topology


Network Interfaces - Bare Metal server

SoftLayer servers have Network Interface Cards (NIC) connected to the Private, Public and Management networks.
Dual NICs are available to provide redundancy and to eliminate single points of failure.

Private Network (Blue cables)
• Intra-application, server-to-server and inter-facility communications
• Access to Network Storage and Backend Services
• Customer private network connectivity (if used)
  • see later pages about customer private network connectivity

Public Network (Red cables)
• For Internet traffic and customer configured and supported VPNs
• High-performance redundant connections - transit from multiple tier-1 carriers
• public network can be disabled if Internet connection is not desired
• Optional: Firewall, Load Balancer and Application Accelerator

Management Network (Green cable)
• Infrastructure Management System (IMS)
• Secure out-of-band management via VPN over the Internet
  • using: SSL, PPTP, or IPSEC VPN (PPTP authenticates with MS-CHAPv2, which is known to be weak; prefer the SSL or IPsec option)
• Admin access through the SoftLayer Portal / API
• Administrative access only
  • not for application/end user traffic

[Figure: bare metal server with private NICs eth0 (and optional eth2) on the customer's Private VLAN (Primary Subnet 10.x.x.0/26) behind the Backend Customer Router (BCR), which reaches the Backend Service Network via the MBR: optional Network Storage (iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage) and Services (DNS Resolver, Evault, LockBox, Provisioning, OS Updates, Software Repository, IPMI over Ethernet, Monitoring, Security, etc.); public NICs eth1 (and optional eth3) on the Public VLAN (Customer Primary Subnet) with optional Firewall, Load Balancer and Application Accelerator towards the SoftLayer Public Network and The Internet; a separate IPMI NIC on the management network to the SoftLayer IMS (infrastructure management system); the customer's administrator reaches the Private Network and Customer Portal through the shared SoftLayer VPN concentrators (1G, SSL) over The Internet]


Backend Services

Backend Services Network is used for optional network storage and services:
• DNS Resolver - for name server lookups
• Evault - Backup
• LockBox - for secure storage of critical files/configurations
• Provisioning: Operating Systems, Hypervisors, etc.
• OS Updates
  • Windows update servers
  • Red Hat proxy and satellite update servers
  • SoftLayer Software Repository
• IPMI (Intelligent Platform Management Interface)
• Monitoring service
• Messaging service
• Security services
  • Vulnerability scans (McAfee)
  • Anti-virus software (McAfee)
• Graphing
• Managed Object Store
• Content Delivery Network (CDN)
• Digital Transcoding service
• Physical media shipping service
• e-mail delivery service

The Backend Services network is not accessible from hosts outside of SoftLayer data centers.

[Figure: SoftLayer Private Network diagram: Backend Service Network (subnets 10.x.x.0/20) with the optional Network Storage and Services listed above, reached via the MBR; customer Private VLAN with Primary Subnet (10.x.x.0/26) behind the BCR, where each bare metal server and SoftLayer Managed VSI (vNIC) holds a Primary Private address; customer Public VLAN with Primary Subnet, where each holds a Primary Public address, behind the Frontend Customer Routers (FCR) towards the SoftLayer Public Network and The Internet]


Customer Portal

Administrator access and control to services and automation.

System Management
• FTP Management
• IPMI Management & Stats
• Hardware Configuration
• Reboot & Reload
• Monitoring Configuration
• Anti-virus / Spyware
• Vulnerability Scans & IDS
• Image Management
• Spare Pool
• Software Updates
• Storage & Backup
• Content Delivery Network
• DNS Management
• IP Management
• Network Console & Tools
• Bandwidth Graphs
• Port Control
• Firewall Management
• Load Balancing
• SSL Certificates
• VPN Access
• SWIP & Rwhois

Account Management
• User Administration
• External Authentication
• Accounting Information
• Real-time Notification History
• Secure Private VLAN
• CloudLayer Management

Ordering & Deployment
• Dedicated Servers
• Public Cloud Instances
• Private Clouds
• Object Storage
• Content Delivery Network
• Storage & Backup
• Firewalls & Load Balancers
• Upgrades
• Other Services & Software

Support
• Open & Monitor Tickets
• Tutorials
• KnowledgeLayer

Login using your SoftLayer account credentials
• Supports two factor authentication
  • PhoneFactor and Symantec Validation and ID Protection
http://knowledgelayer.softlayer.com/procedure/what-two-factor-authentication

[Figure: the same SoftLayer Private Network / Public Network diagram as on the Network Interfaces page; the Customer Portal is reached by the customer's administrator over The Internet (SSL) and controls devices through the SoftLayer IMS, with access to resources on the customer's Private VLAN via the shared SoftLayer VPN concentrators (1G)]


Automation and Control

Servers, power strips, firewalls, load balancers, update servers, and even the accounting system are integrated into SoftLayer's IMS (infrastructure management system)
• Customer Portal for remote management of SoftLayer services and account
  • total control over your SoftLayer environment
• SoftLayer API provides system-to-system access with more than 2,200 documented methods across 200 discrete services
  • supports SOAP & XML-RPC interfaces
  • enables full auto-scaling implementations
• Image Tools to scale, migrate and automate
  • Image Import and Export
  • Flex Images
• Mobile Apps to keep administrators connected
  • tickets
  • servers
  • Bandwidth
http://knowledgelayer.softlayer.com/articles/control

[Figure: the same SoftLayer Private Network / Public Network diagram as on the Network Interfaces page; Your SoftLayer Administrator (SSL) and Your Management and Automation Application (IPsec) reach the Customer Portal and SoftLayer IMS over The Internet, with access to resources on the customer's Private VLAN via the shared SoftLayer VPN concentrators (1G)]
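The API bullets above describe system-to-system access over SOAP or XML-RPC but show no call. The block below is an added example written for this guide, not SoftLayer's own client code: it builds an XML-RPC request for SoftLayer_Account::getVirtualGuests with the standard library, keeps the API key in the request headers (never in the URL or in source), and decodes a constructed response, including the fault case. The endpoint URL and the headers/authenticate structure are taken from the public SoftLayer API documentation as I recall it, so treat them as assumptions to check against the current documentation; the hostnames and addresses in the sample response are constructed and nothing is sent over the network.

```python
"""Added example (not from the SoftLayer guide): build and parse a
SoftLayer XML-RPC API call offline with only the standard library.

Assumptions (from the public SoftLayer API docs as recalled, not from
this guide): endpoint https://api.softlayer.com/xmlrpc/v3/<Service>, and
every call's first parameter is a struct whose "headers" member holds an
"authenticate" struct with username and apiKey.  The sample response and
fault below are constructed; nothing is transmitted."""
import os
import xmlrpc.client

API_BASE = "https://api.softlayer.com/xmlrpc/v3/"   # assumed endpoint


def build_request(service, method, username, api_key, *params):
    """Return (endpoint_url, request_body) for service::method.

    The API key lives only in the headers struct of the POST body; it is
    never part of the URL, so it cannot end up in proxy or access logs."""
    auth = {"headers": {"authenticate": {"username": username,
                                          "apiKey": api_key}}}
    body = xmlrpc.client.dumps((auth,) + params, methodname=method)
    return API_BASE + service, body


def parse_response(xml_body):
    """Decode an XML-RPC response body; an API error surfaces as
    xmlrpc.client.Fault instead of being silently treated as data."""
    (result,), _ = xmlrpc.client.loads(xml_body)
    return result


def call_failed(xml_body):
    """True when the response is an XML-RPC fault (e.g. bad API key)."""
    try:
        parse_response(xml_body)
    except xmlrpc.client.Fault:
        return True
    return False


def public_hosts(virtual_guests):
    """From a getVirtualGuests style result, list guests that still carry
    a public (Internet facing) primary address, i.e. the ones exposed."""
    return sorted(g["hostname"] for g in virtual_guests
                  if g.get("primaryIpAddress"))


def credentials_from_env():
    """Read the account credentials from the environment, not from code."""
    return os.environ["SL_USERNAME"], os.environ["SL_API_KEY"]


# Constructed sample data shaped like a getVirtualGuests result (hypothetical
# hostnames and documentation-range addresses, not real SoftLayer output).
SAMPLE_RESPONSE = xmlrpc.client.dumps((
    [{"hostname": "web01", "primaryIpAddress": "203.0.113.10",
      "primaryBackendIpAddress": "10.0.0.5"},
     {"hostname": "db01", "primaryBackendIpAddress": "10.0.0.6"}],
), methodresponse=True)
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(401, "Invalid API token."), methodresponse=True)

if __name__ == "__main__":
    url, body = build_request("SoftLayer_Account", "getVirtualGuests",
                              "SL000000", "0123456789abcdef")  # placeholders
    print(url)
    print(body)
    print("exposed:", public_hosts(parse_response(SAMPLE_RESPONSE)))
    print("fault handled:", call_failed(SAMPLE_FAULT))
```

To make the real call, POST `body` to `url` with an HTTPS client and hand the reply to parse_response; read the username and key with credentials_from_env so the key never sits in a script that gets committed or shipped. Because a fault raises rather than returning an empty list, an expired key cannot be mistaken for "no servers exposed".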


Virtual Local Area Networks 1 of 2

Virtual Local Area Networks are used to separate SoftLayer customers from each other
• With the first Bare Metal server or VSI purchase the customer is provisioned with one Public and one Private VLAN
• VLANs are implemented as 802.1Q VLANs within the SoftLayer Frontend and Backend Switches and Routers
• Future server purchases will be placed on the same VLAN – unless another VLAN is specified or the VLAN becomes full
• Customers can purchase additional VLANs to build more complex network architectures

[Figure: three customers on the same switches, each separated by its own VLANs: Customer 1 with three bare metal servers and a self managed virtualization environment; Customer 2 with one bare metal server and three Virtual Server Instances; Customer N with four Virtual Server Instances]


Virtual Local Area Networks 2 of 2

Standard is one Public and Private Primary VLAN per SoftLayer data center
• Included into the base SoftLayer account price
• VLAN numbers are automatically assigned by SoftLayer
  • customer can change the VLAN name for easier identification
• First Bare Metal or Virtual Server Instance (VSI) purchase generates a Private VLAN with a block of 64 IP addresses (Primary Subnet 10.x.x.0/26)
  • if the Primary Subnet becomes full, SoftLayer assigns an Additional Primary Subnet to the VLAN – these subnets may not be contiguous
• One Private Primary 10.x.x.x IP address is assigned for every Bare Metal server and VSI on the Private Primary VLAN
  • needed for server management and access to backend services and storage
  • each server will only be allocated one Primary IP - all other IP addresses associated with that server must be from a secondary subnet, which may be purchased at any time through the Customer Portal
  • default gateway is set to the Backend Customer Router (BCR)
• Future servers purchased by the customer will be placed on the same VLAN
  • unless another VLAN is specified when ordering the new device
• Prior to the first server order being placed, the customer can request a larger contiguous (larger than 10.x.x.0/26) Private IP address block
• Bare Metal and VSI servers also attach to the Public VLAN
• Public subnet's default gateway is set to the Frontend Customer Router (FCR)
• Note: Public Internet connection can be disabled if not needed
• Customer can request more than one VLAN – see next page

[Figure: the SoftLayer Private Network / Public Network diagram: Private VLAN with Primary Subnet (10.x.x.0/26) behind the BCR, each bare metal server and SoftLayer Managed VSI (vNIC) holding a Primary Private address; Public VLAN with Primary Subnet (Public IPs x.x.x.x/29) behind the Frontend Customer Routers (FCR) with optional Firewall, Load Balancer and Application Accelerator, each server holding a Primary Public address, towards the SoftLayer Public Network and The Internet]


Primary IP Addresses

Each Bare Metal server and Virtual Server Instance (VSI) comes with one:
• Primary Private address
  • 10.x.x.x IPv4 private address allocated from the Primary Subnet
  • Note: SoftLayer Private Network does not support IPv6
• Primary Public address
  • Internet IPv4 address assigned by SoftLayer to the public Internet facing physical network interface
  • Additional Public IPv4 Internet addresses can be purchased in quantities of 1, 2, 4, 8, 16, or 32 (with limitations – and requiring ARIN justification) – see next page
  • Servers can optionally be ordered with a Primary Public IPv6 address
  • Additional IPv6 Internet addresses are available in /64 blocks
  • Global IPv6 IP addresses are available as /64 blocks with a limit of 5 per customer

Notes:
• Primary Private and Primary Public IP addresses are bound to each individual server and can not be moved unless the server is cancelled
• Each server may only be allocated one Primary IP address – all other IP addresses associated with the server (i.e. alias IP addresses or Virtual Machines on bare metal servers) must be from a Secondary address block that may be purchased at any time through the Customer Portal.
• Customer can order a bare metal server without a public interface, or the public Internet connection can be disabled if not required

[Figure: the SoftLayer Private Network / Public Network diagram: Private VLAN Primary Subnet (10.x.x.0/26) behind the BCR with a Primary Private address per server and SoftLayer Managed VSI (vNIC); Public VLAN Primary Subnet (Public IPs) behind the Frontend Customer Routers (FCR) with optional Firewall, Load Balancer and Application Accelerator, a Primary Public address per server, towards the SoftLayer Public Network and The Internet]


IP Addresses – Public Network

In addition to the Primary Public addresses that come with the server, customers can purchase additional Secondary Public Internet addresses:
• Static Public IP Addresses – a block of Public IP addresses that are routed directly to specific servers on the frontend network to be used as the server's Secondary IP address
  • If the customer orders a server with additional IPs, these will be provisioned as Static addresses and routed to the same VLAN as the Primary IP address
  • Every IP address in the Static address block is usable on the server
  • Static Public IP addresses are visible on the Customer Portal
• Portable Public IP Addresses – a block of Public IP addresses that can be used on multiple servers within a single Public VLAN
  • Portable IP addresses are switchable within a VLAN from server to server – typically assigned to virtual machines
  • Customer is responsible for managing and tracking the address assignment
• Global IP – a static Public IP address that can be transferred between servers associated with the SoftLayer account that owns the subnet
  • Global IP is not restricted to a VLAN and can help shift workloads across data centers
  • This is most similar to Amazon Elastic IPs without the limitation of being restricted to a region

Pricing (monthly):
IPv4 Addresses
  Primary Address            Included
  Portable Private Address   Free
  Static Public Address      $1.00
  Portable Public Address    $2.00
  Global Address             $20.00

[Figure: two servers on the Public VLAN, each with a Private IP and a Primary Public IP from the Primary Subnet; a Static Public IP routed to one server; Portable Public IPs from a Portable Subnet usable on either server; a Global IP that can also follow a workload to another SoftLayer data center; all behind the Frontend Customer Routers (FCR) towards the Public Network and The Internet, with the Private VLAN Primary Subnet (10.x.x.0/26) behind the BCR]


IP Addresses – Private Network

Each Bare Metal and Virtual Server Instance (VSI) is supplied with one 10.x.x.x IPv4 Primary Private address allocated from the Primary Subnet

In addition to the Primary Private addresses, customers can request additional Portable Private subnet(s) to be used as the server's Secondary IP addresses:
• Virtual Machines require the use of portable IP addresses
• Blocks of Portable Private addresses can be ordered through the Customer Portal
• Portable Private IP Addresses – a block of Private 10.x.x.x IP addresses that can be used on multiple servers within a single Private VLAN
• Portable IP addresses are switchable within a VLAN from server to server – typically assigned to virtual machines
• For each portable subnet requested, three IPs are devoted to Network, Broadcast and Gateway traffic – this means if a block of eight (/29) IPs is issued, three (3) are reserved for the aforementioned traffic and five (5) IP addresses are available for use on VMs

[Figure: two servers on the Private VLAN, each with a Primary Private IP from the Primary Subnet (10.x.x.0/26) and a Public IP from the Public VLAN Primary Subnet; one server runs a Hypervisor whose VMs use Portable Private IPs from a Portable Subnet; Private VLAN behind the BCR with the Backend Services Network via the MBR, Public VLAN behind the Frontend Customer Routers (FCR) towards the Public Network and The Internet]


More than one VLAN

Customers can request additional VLANs (at $25 per month)
Additional VLANs can be used to create more complex network solutions
• Additional VLAN(s) must be in the same data center
• Existing devices can be moved from one VLAN to another through manual request
  • Some moves may require physical relocation and interruption of service
• Customers can add servers to existing VLANs on-the-fly

Request a new VLAN through the Customer portal (https://control.softlayer.com) by creating a Standard Support ticket:
• Subject = Private Network Question
• Title = Request new VLANs on [list datacenter and POD information]
• Ticket Contents = Please add [# of] VLANs for [list DC and POD details, e.g. fcr02a.ams01]
• You can order additional private and/or public portable subnets with the same request. Provide the subnet size, explain the IP address usage, and state when you will need these

• SoftLayer provisions servers with a single Primary IP Address that is associated to the device - each server may only be allocated one Primary IP address
• Secondary IP addresses (Alias address or Virtual Machine address) associated with a server must be from a secondary subnet, which may be purchased at any time through the Customer portal.
• Only devices assigned to the same VLAN can talk to each other - Network Gateway [Vyatta] can be used to route between VLANs - see later pages
• The Backend and Frontend Customer Routers will drop all packets whose addresses they don't know, i.e. addresses outside the subnets assigned to the VLAN; an address that is merely configured on a server but not ordered for that VLAN is not routed

[Figure: two Private VLANs behind the BCR, one with a Primary Subnet only and one with a Primary Subnet and a Portable Subnet; a bare metal server with its Primary address, VMs with Secondary addresses from the Portable Subnet and a SoftLayer Managed VSI (vNIC) with its Primary address; Public VLAN Primary Subnet (Public IPs) behind the Frontend Customer Routers (FCR) with optional Firewall, Load Balancer and Application Accelerator towards the Public Network and The Internet]


Connecting to more than one VLAN

• Each SoftLayer customer is provisioned with a single Public and a single Private VLAN
• Customers can request additional VLANs (at $25 per month) to build more complex network environments
• Bare metal servers' Private and Public network interfaces can be assigned to multiple VLANs by using VLAN tagging (802.1Q trunking) on the server's Network Interface Cards
  • The VLANs must exist and be located in the same SoftLayer data center POD
• Request VLAN tagging for servers through the Customer Portal (https://control.softlayer.com) by creating a Standard Support ticket:
  • Subject = Private Network Question
  • Title = Trunk VLANs on eth0 & eth2
  • Ticket Contents = Please trunk VLANs [list each VLAN] on the eth0 and eth2 NIC pair for each host: [list each host].
  • Once the ports are trunked, the operating system needs a tagged sub-interface per additional VLAN; the server's original VLAN stays untagged (native) on the trunk

NOTE:
• SoftLayer servers don't have multiple NICs dedicated to separate roles, such as are typically found in a traditional SO environment where one NIC is for Production, one for SAN, one for Admin, Backups, Management, vMotion, etc.
• Everything runs through one NIC (or a NIC pair) on the same SoftLayer Private Network

Figure: a bare metal server with private NICs eth0 and eth2 (optional) trunked to the Private VLANs (Primary Subnet, Portable Subnet) behind the BCR and MBR of the SoftLayer Private Network (Backend Services Network with optional Network Storage and Services), and public NICs eth1 and eth3 (optional) on the Public VLAN (Primary Subnet) with optional Firewall / Load Balancer / Application Accelerator, Frontend Customer Routers (FCR), the SoftLayer Public Network and the Internet.


Internet Firewalls 1 of 6

Host-based firewall on a SoftLayer server (aka software firewall)
• Helps the customer secure a server by blocking specific traffic, distinguished by source or destination IP address and port number
• A software firewall can protect both the private and the public interface
• Install and provision through the Customer Portal
• The host-based firewall is self-managed by the customer, with administrative access over the SoftLayer VPN Gateway
• Windows Firewall
  • Installed by default
  • Configured with the following ports open:
    • RDP 3389; FTP 20, 21; HTTP 80; HTTPS 443
    • DNS 53; SMTP 25; POP 110; IMAP 143
    • IDENT 113; ICMP echo reply
  • If Plesk is installed: ports open per Plesk requirements
  • This default set exposes services most servers never run (FTP, POP, IMAP, IDENT); reduce it to the ports the server actually serves and restrict RDP to management sources
• Linux firewall
  • iptables is installed
  • APF (Advanced Policy Firewall)
  • Others: IPFW, SmoothWall, IPCop, eBox

Note: a software firewall alone does not meet IBM service security requirements

Figure: SoftLayer Private Network with a Private VLAN (Primary Subnet) and the application server running the software firewall; the server's SoftLayer-assigned public Internet address sits on the Public VLAN (Primary Subnet) with optional Load Balancer / Application Accelerator; the Firewall Administrator reaches the server through the Customer Portal over SSL; Frontend Customer Routers (FCR), the SoftLayer Public Network and users on the Internet.
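The host firewall discussed above is only as good as its rule set, and the Windows defaults listed on this page open far more than a typical server needs. The following is an added example written for this guide (not SoftLayer code): it builds a default-deny iptables rule set in iptables-restore format for a host with a public and a private interface, following the guide's eth0 = private / eth1 = public convention, and then audits the result to list exactly which ports remain reachable from the Internet. The management source range 10.0.0.0/8 (standing for the SoftLayer private network and VPN clients) and the interface names are assumptions for illustration.

```python
"""Default-deny iptables rule set for a dual-homed SoftLayer-style host.

Added example for this guide, not SoftLayer's code. Interface names follow
the guide's NIC convention (eth0 = private, eth1 = public); the management
source range 10.0.0.0/8 is an assumption made here for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    proto: str   # "tcp" or "udp"
    port: int


def build_ruleset(public_if: str, private_if: str,
                  public_services: Iterable[Service],
                  mgmt_services: Iterable[Service],
                  mgmt_sources: Iterable[str]) -> List[str]:
    """Return iptables-restore lines. INPUT defaults to DROP; the public
    interface exposes only public_services; management services are reachable
    only on the private interface and only from mgmt_sources (CIDRs)."""
    sources = [str(ip_network(s)) for s in mgmt_sources]   # ValueError on a bad CIDR
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        # Stay pingable, but only for rate-limited echo-requests, not all of ICMP.
        "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT",
    ]
    for svc in public_services:
        lines.append(f"-A INPUT -i {public_if} -p {svc.proto} --dport {svc.port} "
                     f"-m conntrack --ctstate NEW -m comment --comment {svc.name} -j ACCEPT")
    for src in sources:
        for svc in mgmt_services:
            lines.append(f"-A INPUT -i {private_if} -s {src} -p {svc.proto} --dport {svc.port} "
                         f"-m conntrack --ctstate NEW -m comment --comment {svc.name} -j ACCEPT")
    lines.append("COMMIT")
    return lines


def exposed_public_ports(lines: List[str], public_if: str) -> Set[Tuple[str, int]]:
    """Audit a rule set: every (proto, port) that accepts new connections on
    public_if, or on any interface, is reachable from the Internet."""
    exposed: Set[Tuple[str, int]] = set()
    for line in lines:
        tok = line.split()
        if "-A" not in tok or "ACCEPT" not in tok or "--dport" not in tok:
            continue
        if "-i" in tok and tok[tok.index("-i") + 1] != public_if:
            continue   # bound to another interface, e.g. the private NIC
        exposed.add((tok[tok.index("-p") + 1], int(tok[tok.index("--dport") + 1])))
    return exposed


if __name__ == "__main__":
    # Constructed sample: a web server that is managed over SSH from the private side.
    rules = build_ruleset("eth1", "eth0",
                          [Service("https", "tcp", 443)],
                          [Service("ssh", "tcp", 22)],
                          ["10.0.0.0/8"])
    print("\n".join(rules))
    print("reachable from the Internet:", sorted(exposed_public_ports(rules, "eth1")))
```

Load the output with `iptables-restore < rules.v4`; the audit function is there so that the same check can be run against a rule set dumped with `iptables-save` before it goes live.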


Internet Firewalls 2 of 6

Standard Hardware Firewall
• Shared FortiGate 3950B firewall: multi-tenant use of FortiGate hardware
• A virtual firewall instance is applied to an individual server
• Sold by port speed; can be ordered with the purchase of a server
• Protects the Public Internet interface only
• Provisioned from the Customer Portal without service interruption
• Managed through the Customer Portal (or API): simplified user interface with limited configuration options
• Firewall rules apply to all IP addresses assigned to the single server
• Up to 50 firewall rules
• Portable IP addresses can be protected, but this cannot be configured through the Portal and requires a manual service ticket

Standard Firewall Service                            Monthly
10Mbps Hardware Firewall                              $49.00
100Mbps Hardware Firewall                             $99.00
1Gbps Hardware Firewall                              $199.00
2Gbps Hardware Firewall (in select Data Centers)     $399.00
10Gbps Hardware Firewall (in select Data Centers)    $899.00

Notes:
• The Standard Hardware Firewall is strictly for filtering traffic by IP address and port. It does not support VPN termination, NAT, DMZ, intrusion prevention or anti-virus; if you need those, use the FortiGate Security Appliance
• The Standard Firewall only filters inbound traffic; outbound traffic is not blocked, so egress control has to be done on the host or on a gateway appliance
• You cannot have a Standard Hardware Firewall (shared) and a Dedicated Hardware Firewall on the same Public VLAN

Figure: SoftLayer Private Network with a Private VLAN (Primary Subnet 10.x.x.0/26) and two SoftLayer-managed application VSIs; the VSIs' SoftLayer-assigned public Internet addresses sit on the Public VLAN (Primary Subnet, public IPs) behind the shared firewall; the Firewall Administrator manages rules through the Customer Portal over SSL; SoftLayer Public Network and users on the Internet.


Internet Firewalls 3 of 6

Dedicated Hardware Firewall
• Dedicated FortiGate firewall
• Protects one, multiple or even all servers on the same Public VLAN
• Protects the Public Internet interface only
• High Availability option
  • Available as a new order only; cannot be upgraded to or downgraded from later
• Provisioned from the Customer Portal without service interruption
• Managed through the Customer Portal (or API): simplified user interface with limited configuration options
  • No direct login to the FortiGate firewall

Dedicated Firewall Service                                   Monthly
1Gbps Dedicated Hardware Firewall                            $999.00
1Gbps Dedicated Hardware Firewall with High Availability   $1,998.00

Notes:
• The Dedicated Hardware Firewall is strictly for filtering traffic by IP address and port. It does not support VPN termination, NAT, DMZ, intrusion prevention or anti-virus; if you need those, use the FortiGate Security Appliance
• The Dedicated Firewall only filters inbound traffic; outbound traffic is not blocked
• Portable IP addresses can be protected, but this cannot be configured through the Portal and requires a manual service ticket
• You cannot have a Standard Hardware Firewall (shared) and a Dedicated Hardware Firewall on the same Public VLAN
• Up to 50 firewall rules

Figure: SoftLayer Private Network with a Private VLAN (Primary Subnet 10.x.x.0/26) and several SoftLayer-managed application VSIs; their SoftLayer-assigned public Internet addresses sit on the Public VLAN (Primary Subnet, public IPs) behind the dedicated firewall; the Firewall Administrator manages rules through the Customer Portal over SSL; SoftLayer Public Network and users on the Internet.


Internet Firewalls 4 of 6

FortiGate 300 series Security Appliance
• Dedicated FortiGate hardware
  • FortiGate 310B or 300C
• High performance firewall protection
  • Up to 8 Gbps firewall performance
  • Up to 4.5 Gbps IPsec VPN performance
• Filters inbound and outbound traffic
• Up to 20,000 firewall rules
• Protects the Public Internet interface only
  • For the entire customer network at a SoftLayer site
  • Can protect multiple VLANs via a SoftLayer ticket request (VLAN trunking to the FortiGate firewall)
• The Security Appliance must be administered by the Customer
  • The Customer has direct access to FortiGate's native management tools
  • Allows additional security capabilities to be enabled:
    • NAT is available, but not officially supported by SoftLayer
    • IPsec VPN to the Internet only, not to the Private Network
    • Intrusion prevention
    • Anti-virus (requires a separate contract)
• See: http://www.fortinet.com/products/fortigate/310B.html

FortiGate 300 Service                                  Monthly
Fortigate® Security Appliance                          $999.00
Fortigate® Security Appliance with High Availability $1,998.00

Figure: SoftLayer Private Network with a Private VLAN (Primary Subnet 10.x.x.0/26) and SoftLayer-managed application VSIs; their SoftLayer-assigned public Internet addresses sit on two Public VLANs (Primary Subnets, public IPs) both protected by the Security Appliance; the Firewall Administrator manages the appliance over SSL; SoftLayer Public Network and users on the Internet.


Internet Firewalls 5 of 6

Vyatta Community Edition or VyOS on a Virtual Server Instance
• Brocade ended Vyatta Community Edition development with V6.6R1
  • The Community Edition is still available from SoftLayer for free
• VyOS is a new open community fork of Vyatta, a Linux-based network operating system: http://vyos.net/wiki/Main_Page
  • The Customer needs to obtain and install VyOS; it is not available from SoftLayer
• Vyatta CE or VyOS is configured and administered by the Customer
  • The hosts' default gateway has to point to Vyatta's private IP address
• Vyatta CE and VyOS provide:
  • IPsec VPN tunnel termination
  • Network Address Translation (NAT)
  • Firewall services
  • Router services
  • Protection of the Private VLAN
• Vyatta is not a DDoS mitigation tool
• High Availability with two Vyattas can be configured manually
• Note: hosts on the SoftLayer Private LAN have 10.x.x.x addresses; NAT may be required to avoid address overlap with the customer's own 10.x.x.x ranges

Figure: SoftLayer Private Network with the Backend Services Network (optional Network Storage: iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage; optional Services: DNS Resolver, Evault, LockBox, Provisioning, OS Updates, Software Repository, IPMI over Ethernet, Monitoring, Security, etc.), BCR and MBR, a Private VLAN (Primary Subnet 10.x.x.x/26) with the Vyatta VSI and SoftLayer-managed application VSIs, access to servers and Vyatta on the Private VLAN; the Vyatta VSI's SoftLayer-assigned public Internet address on the Public VLAN (Primary Subnet) terminates an IPsec VPN tunnel over the Internet from the customer data center's firewall (IPsec VPN termination, CE, private addresses); the Firewall Administrator manages Vyatta over SSL.


Internet Firewalls 6 of 6

Gateway Appliance
• Vyatta Network OS Subscription Edition (SE) deployed on a bare metal server (the Vyatta software is provisioned by SoftLayer)
  • Intel Xeon 1230 or 1270 server according to capacity requirement
• Configured and administered by the Customer (not by SoftLayer)
• The Customer can allocate VLANs to Vyatta and design routing to meet unique application requirements
• Software-based virtual network device that provides:
  • IPsec VPN tunnels
  • Network Address Translation (NAT)
  • Firewall and routing services
  • Load balancing
• Can protect both public and private VLANs
• Connects to the Frontend and Backend Routers with transit VLANs
• Can route and firewall between multiple VLANs
• High Availability is available as an option
• A custom extension for Vyatta that supports multiple virtual routers is also available: https://github.com/upa/vrf-vyatta

Note: You cannot have a SoftLayer shared or dedicated firewall service and a Vyatta network gateway device assigned to the same VLAN

Figure: SoftLayer Private Network with the Backend Services Network (optional Network Storage and Services), BCR and MBR, a Private VLAN ("Vyatta Transit VLAN", Primary Subnet 10.x.x.x/26) and a protected Private VLAN (Primary Subnet 10.x.x.x/26, Portable Subnet) with VMs, access to servers and Vyatta on the Private VLAN; a Public VLAN (Transit VLAN, Primary Subnet) and a protected Public VLAN (Primary and Portable Subnets); the Gateway Appliance terminates an IPsec VPN tunnel over the Internet from the customer data center's firewall (IPsec VPN termination, CE, private addresses); the Firewall Administrator manages Vyatta over SSL; SoftLayer Public Network.


Local Load Balancing 1 of 3

Shared Local Load Balancing
• Shared Array Networks APV 6600
• One Virtual IP (VIP) address
• Distributes traffic within one SoftLayer data center PoD
• Any service can be load balanced; the most common are ports like HTTP (80), HTTPS (443), FTP (21), DNS (53), POP3 (110) and SMTP (25)
• Can be activated and configured in real time through the Customer Portal
  • Limited (basic) configuration options
  • The load balancing method may be updated at any time through the Customer Portal: round robin, lowest latency, least connections, shortest response
• Public Network load balancing only
• Optional SSL offloading to streamline performance
  • Reduces the number of SSL certificates required by decrypting incoming traffic at the load balancer instead of at each individual server
  • Traffic between the load balancer and the servers is then unencrypted on the SoftLayer network
• Performance: 250 to 2,500 connections (SSL: 250 to 1,000)
• Local load balancing is Layer 4 only
• No console access
• Managed through the Customer Portal, CLI or API

Virtual IP Address Options                  Monthly
Local Load Balancing - 250 Connections       $49.99
Local Load Balancing - 500 Connections       $99.99
Local Load Balancing - 1000 Connections     $199.99
Local Load Balancing - 2500 Connections     $499.99

Local Load Balancing with SSL Service               Monthly
Local Load Balancing with SSL - 250 Connections      $99.99
Local Load Balancing with SSL - 500 Connections     $199.99
Local Load Balancing with SSL - 1000 Connections    $399.99

Figure: Customer 1 and Customer 2 each with a Local Load Balancer instance on the shared appliance; in the customer's environment Server 1 to Server N on the Public VLAN (Primary Subnet) sit behind the SoftLayer-assigned VIP; the SoftLayer Administrator manages the service through the Customer Portal over SSL; SoftLayer Public Network and users on the Internet.


Local Load Balancing 2 of 3

Dedicated Local Load Balancing
• Dedicated Array Networks APV 6600, with optional high availability
• Up to eight Virtual IP (VIP) addresses
• Distributes traffic within a SoftLayer data center PoD
• Any service can be load balanced; the most common are ports like HTTP (80), HTTPS (443), FTP (21), DNS (53), POP3 (110) and SMTP (25)
• Can be activated and configured in real time through the Customer Portal
  • Limited (basic) configuration options
  • The load balancing method may be updated at any time through the Customer Portal: round robin, lowest latency, least connections, shortest response
• Public Network VLAN load balancing only
• Optional SSL offloading to streamline performance
  • Reduces the number of SSL certificates required by decrypting incoming traffic at the load balancer instead of at each individual server
• Performance: 15,000 to 150,000 connections, with SSL (the tiers sold are 15,000 and 100,000 connections)
• Local load balancing is Layer 4 only
• No console access
• Managed through the Customer Portal, CLI or API

Dedicated Load Balancer with SSL Service                  Monthly
Dedicated Load Balancer with SSL - 15,000 Connections*     $999.00
Dedicated Load Balancer with SSL - 100,000 Connections*  $1,999.00
* Based on average HTTP traffic. Actual values may vary depending upon application use.

Figure: the customer's environment with a Dedicated Local Load Balancer; Server 1 to Server N on the Public VLAN (Primary Subnet) sit behind the SoftLayer-assigned VIP; the SoftLayer Administrator manages the service through the Customer Portal over SSL; SoftLayer Public Network and users on the Internet.


Local Load Balancing 3 of 3

Citrix NetScaler VPX
• Citrix NetScaler VPX is an application delivery controller deployed on the SoftLayer platform to accelerate application performance; in addition:
  • Citrix NetScaler can also be used as a load balancer
  • Beyond load balancing, it provides firewall / application security, SSL VPN capabilities, application performance monitoring, content caching, encryption, acceleration, L7 (application-based) filtering and priority queueing
• SSL offloading to streamline performance
• Content caching, compression, firewall
• Load balancing on both the Public and the Private Network
• Standard and Platinum versions available
• High availability configuration is supported

Figure: a Private VLAN (Primary Subnet 10.x.x.x/26) with App Server 1 to N and Web Server 1 to N, access to servers on the Private VLAN; the SoftLayer-managed Citrix NetScaler VPX with vNICs on both the Private VLAN and the Public VLAN (Primary Subnet); the SoftLayer Administrator manages NetScaler over SSL; SoftLayer Public Network and users on the Internet.


Interconnecting SoftLayer with IBM Strategic Outsourcing Customers


Interconnecting SoftLayer with IBM Customers

SoftLayer can be interconnected with IBM Customers in multiple ways:

1. Connecting SoftLayer over the Internet without link encryption
2. Connecting SoftLayer over the Internet with link encryption – Public Network
3. Connecting SoftLayer over the Internet with link encryption – Private Network
4. Connecting SoftLayer over the Internet – multi-VLAN support
5. Connecting SoftLayer via Direct Link – Routing without NAT
6. Connecting SoftLayer via Direct Link – NAT/NAPT on Customer Router
7. Connecting SoftLayer via Direct Link – GRE tunneling with no overlapping addresses
8. Connecting SoftLayer via Direct Link – GRE tunneling with IP Alias Addresses
9. Connecting SoftLayer via Direct Link – GRE tunneling with partially overlapping addresses
10. Connecting SoftLayer via Direct Link – GRE tunneling to Virtual Overlay Network


1. Connecting SoftLayer over the Internet without link encryption

Suitable for public data, or if the applications encrypt the data themselves end to end; anything else crosses the Internet in clear text

1. Purchase a SoftLayer account and the required virtual (VSI) and/or bare metal server(s)
  • For bare metal servers, select single or redundant NICs and the interface speed
2. Obtain public Internet address(es) from SoftLayer
  • Select network port speed and Internet bandwidth
3. Obtain a SoftLayer Standard or Dedicated Firewall (optional, but highly recommended)
4. Design and implement the solution and the network inside SoftLayer
  • Servers, application, VLANs, subnets
  • Servers and applications use SoftLayer-provided public Internet addresses
  • Set up the SoftLayer firewall rules
5. Request AT&T (or another Communications Service Provider) to provide Internet access and to configure the Internet-facing firewall (set the firewall rules)
  • Do you need a redundant Internet connection and DDoS protection on the customer side? SoftLayer has multi-homed, redundant Internet connections.

Figure: SoftLayer Private Network (Backend Services Network with optional Network Storage: iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage; optional Services: DNS Resolver, Evault, LockBox, Provisioning, OS Updates, Software Repository, IPMI over Ethernet, Monitoring, Security, etc.), BCR and MBR, Private VLAN (Primary Subnet 10.x.x.0/26) with the SoftLayer-managed application VSI and IMS access to resources on the Private VLAN; Public VLAN (Primary Subnet, SoftLayer-allocated public addresses) and Frontend Customer Routers (FCR); the IBM Administrator outside the IBM network manages through the Customer Portal and SSL VPN over the Internet via the shared SoftLayer VPN Concentrators; the customer's EP or CP (DDCN architecture, 1G) reaches SoftLayer through the Customer's Firewall and Internet address over the Internet.


2. Connecting SoftLayer over the Internet with link encryption

Secure the Internet connection with an IPsec VPN using the FortiGate Appliance

1. Purchase a SoftLayer account and the required virtual (VSI) and/or bare metal server(s)
  • For bare metal servers, select single or redundant NICs and the interface speed
2. Obtain public Internet address(es) from SoftLayer
  • Select network port speed and Internet bandwidth
3. Obtain a FortiGate 300 series Security Appliance for the IPsec VPN connection
  • The Standard and Dedicated Hardware Firewalls do not support IPsec VPN
4. Design and implement the solution and the network inside SoftLayer
  • Servers, application, VLANs, subnets
  • Servers and applications use SoftLayer-provided public Internet addresses
5. Configure the IPsec VPN tunnel in the FortiGate 300 series Security Appliance, using SSL VPN to access the FortiGate
6. Request AT&T (or another Communications Service Provider) to provide Internet access and to configure the Internet-facing firewall (set the firewall rules)
  • Do you need a redundant Internet connection and DDoS protection on the Customer side? SoftLayer has multi-homed, redundant Internet connections.
  • Do you need NAT on the customer's firewall?

Figure: SoftLayer Private Network (Backend Services Network with optional Network Storage and Services as on the previous page), BCR and MBR, Private VLAN (Primary Subnet 10.x.x.0/26) with the SoftLayer-managed application VSI and IMS access to resources on the Private VLAN; Public VLAN (Primary Subnet, SoftLayer-allocated public addresses) behind the FortiGate and Frontend Customer Routers (FCR); the IBM Administrator outside the IBM network manages through the Customer Portal and SSL VPN over the Internet via the shared SoftLayer VPN Concentrators; the customer's EP or CP (DDCN architecture, 1G) with the Customer's Firewall and Internet address and a CE terminates the IPsec VPN tunnel over the Internet to the SoftLayer-assigned Internet address.


3. Connecting the SoftLayer Private Network over the Internet with link encryption – single VLAN

Secure the Internet connection with an IPsec VPN using Vyatta CE or VyOS installed on a Virtual Server Instance (VSI)

1. Purchase a SoftLayer account and at least one virtual server (VSI) for Vyatta, plus additional VSIs and bare metal servers as required
2. The VSI's public Internet address will be used by Vyatta
  • Select the required Internet bandwidth
3. Obtain the Vyatta CE or VyOS software and install it on the VSI(s)
  • Do you need a redundant Vyatta design?
4. Design and implement the solution and the network inside SoftLayer
  • Servers, applications, VLANs and subnets
  • Servers and applications use SoftLayer-assigned private 10.x.x.x addresses
  • Modify routing on the SoftLayer hosts to point to Vyatta as the gateway
  • Define NAT on Vyatta to avoid possible 10.x.x.x address overlap with the customer's network
  • Configure the IPsec VPN tunnel; Generic Routing Encapsulation (GRE) or an SSL VPN (OpenVPN) could also be used. GRE on its own carries traffic in clear text, so it needs IPsec underneath if the link has to be encrypted
5. Request AT&T (or another Communications Service Provider) to provide Internet access and to configure the Internet-facing firewall (set the firewall rules)
  • Do you need a redundant Internet connection and DDoS protection on the EP side? SoftLayer has multi-homed, redundant Internet connections.

Figure: SoftLayer Private Network (Backend Services Network with optional Network Storage and Services as on the previous pages), BCR and MBR, Private VLAN (Primary Subnet 10.x.x.0/26, SoftLayer-allocated 10.x.x.x addresses) with the Vyatta VSI, the SoftLayer-managed application VSI and IMS access to resources on the Private VLAN; Public VLAN (Primary Subnet, SoftLayer-allocated public addresses) and Frontend Customer Routers (FCR); the IBM Administrator outside the IBM network manages through the Customer Portal and SSL VPN over the Internet; the customer's EP or CP (DDCN architecture, 1G) with the Customer's Firewall, private address and CE terminates the IPsec VPN tunnel over the Internet to the Vyatta VSI, reaching SoftLayer hosts by their 10.x.x.x or NATed addresses.


4. Connecting SoftLayer over the Internet – multi-VLAN support

Secure the Internet connection with an IPsec VPN using the Gateway Appliance (Vyatta)

1. Obtain a SoftLayer account and a Gateway Appliance (Vyatta)
  • Vyatta becomes the default gateway; all traffic routes through it
2. Obtain additional VSIs and bare metal servers as needed
3. The Gateway Appliance's public Internet address will be used by Vyatta
  • Select network port speed and Internet bandwidth
  • The Gateway Appliance allows you to connect and route multiple VLANs
  • Do you need a redundant Gateway / Vyatta design?
4. Design and implement the solution and the network inside SoftLayer
  • Servers, application, VLANs, subnets, and Vyatta firewalling / routing between VLANs
  • Applications have SoftLayer-assigned private 10.x.x.x addresses
  • Define NAT on Vyatta to avoid possible 10.x.x.x address overlap
  • Configure the IPsec VPN tunnel
5. Request AT&T (or another Communications Service Provider) to provide Internet access and to configure the Internet-facing firewall (set the firewall rules)
  • Do you need a redundant Internet connection and DDoS protection on the EP side? SoftLayer has multi-homed, redundant Internet connections.

Figure: SoftLayer Private Network (Backend Services Network with optional Network Storage and Services), BCR and MBR, a Private VLAN (Transit VLAN, Primary Subnet 10.x.x.0/26) and a Private VLAN (Primary Subnet 10.x.x.0/26, Portable 10.x.x.x subnet) with application VMs and IMS, connected to the Gateway Appliance over an 802.1q trunk; a Public VLAN (Transit VLAN, Primary Subnet) and a Public VLAN (Primary Subnet, Portable Subnet) likewise trunked (802.1q) to the Gateway Appliance; Frontend Customer Routers (FCR); the IBM Administrator outside the IBM network manages through the Customer Portal and SSL VPN over the Internet; the customer's EP or CP (DDCN architecture, 1G) with the Customer's Firewall, private address and CE terminates the IPsec VPN tunnel over the Internet to the Gateway Appliance, reaching SoftLayer hosts by their 10.x.x.x (or NATed) addresses.


Direct Link

Extends the customer premises network into the SoftLayer Private Network
• Available in 20 SoftLayer NPoPs (Network Points of Presence)
• The Customer orders a dedicated connection from a CSP (Communication Service Provider) to the SoftLayer Network PoP and a cross-connection to the SoftLayer XCR (X-connect) router
  • Private 1 or 10 Gbps connection from the customer's data center to the customer's SoftLayer VLAN
  • Unfettered access to the customer's servers on the SoftLayer platform
  • Data is isolated in a secure private virtual network, but not encrypted; encryption may need to be added to protect sensitive, business-critical data if the data is not encrypted by the application
  • All customers share the SoftLayer private network bandwidth
  • The X-connect router provides a non-redundant connection; two Direct Link connections to two SoftLayer data centers are needed for full redundancy
• Flat monthly fee for each Direct Link based on the port speed the Customer selects
  • Traffic across the Direct Link and on the SoftLayer backbone between data centers is free and unmetered
  • Access link and CE router costs up to the SoftLayer X-connect router are the Customer's responsibility

Access link   Monthly cost   Bandwidth (In/Out)
1 Gbps        $147           FREE
10 Gbps       $997           FREE

SoftLayer Network PoPs
Location             PoP     Provider
North America
  Atlanta, GA        ATL01   Telx
  Chicago, IL        CHI01   Equinix
  Denver, CO         DEN01   Coresite
  Dallas, TX         DAL03   Equinix
  Los Angeles, CA    LAX01   Coresite
  Miami, FL          MIA01   Terremark
  New York City, NY  NYC01   Telx
  San Jose, CA       SJC02   Equinix
  Seattle, WA        SEA02   The Westin
  Toronto, Ont, CA   TOR02   Cologix
  Washington, D.C.   WDC02   Equinix
APAC
  Hong Kong          HKG01   Pacnet
  Melbourne          MEL02   NextDC
  Singapore          SNG01   Equinix
  Sydney             SYD02   Equinix
  Tokyo              TOK01   Equinix
EMEA
  Amsterdam          AMS02   Equinix
  Frankfurt          FRA01   InterXion
  London             LON01   TeleCity
  Paris              PAR02   Equinix

Figure: the customer data center (Customer Network, CE) connected by a dedicated access link from a CSP (MPLS, wave service, ...) to a CE at the SoftLayer Network PoP, cross-connected to the XCR and on to the BBR and the customer VLAN in the SoftLayer Private Network at the SoftLayer data center.


SoftLayer Interconnect

Extends the customer premises network into SoftLayer
• SLI is available at 12 IBM Cloud Managed Services (CMS) data centers
• 10 Gbps connections from the Frontbones to two SoftLayer data centers
• Enables private 1 or 10 Gbps redundant connections from the Customer's data center to servers in CMS and SoftLayer
  • Logical Connection for customers already connected to the CMS Frontbone
  • Physical Connection: new 1/10 Gbps access circuits to the CMS Frontbone
  • Access link costs to the Frontbone are the Customer's responsibility
• Data is isolated in a secure private virtual network, but not encrypted; encryption may need to be added to protect sensitive, business-critical data
• All customers share the Frontbone-to-CMS and Frontbone-to-SoftLayer connections
• One-time connection charge and a flat monthly fee for each connection, based on the port speed selected; data traffic is free and unmetered

CMS data center     Link   SoftLayer PoP      Code    Provider
North America
  Boulder, US       A      Denver, CO         DEN01   Coresite
                    B      Denver, CO         DEN01   Coresite
  RTP, US           A      Atlanta, GA        ATL01   Telx
                    B      Washington, D.C.   WDC02   Equinix
  Toronto, CA       A      Toronto, CA        TOR02   Cologix
                    B      Toronto, CA        TOR02   Cologix
Europe
  Portsmouth, UK    A      London             LON01   TeleCity
                    B      London             LON01   TeleCity
  Lisbon, PT        A      Amsterdam          AMS02   Equinix
                    B      Frankfurt          FRA01   InterXion
  Barcelona, ES     A      Amsterdam          AMS02   Equinix
                    B      Frankfurt          FRA01   InterXion
  Montpellier, FR   A      Amsterdam          AMS02   Equinix
                    B      Frankfurt          FRA01   InterXion
  Ehningen, DE      A      Amsterdam          AMS02   Equinix
                    B      Frankfurt          FRA01   InterXion
  Winterthur, CH    A      Amsterdam          AMS02   Equinix
                    B      Frankfurt          FRA01   InterXion
AP and LA
  Tokyo, JP         A      Tokyo              TOK01   Equinix
                    B      Tokyo              TOK01   Equinix
  Hortolandia, BR   A      Hortolandia, BR
                    B      Hortolandia, BR
  Sydney, AU        A      Sydney             SYD02   Equinix
                    B      Sydney             SYD02   Equinix

Feature Code   Component                  One-time charge   Monthly (MRC)
4455           Physical Conn - 1 Gbps     $1,000            $250
4456           Physical Conn - 10 Gbps    $1,000            $1,500
4458           Logical Connection         $1,000            $250

Figure: the customer data center (Customer Network, CE) with a dedicated access link to the Frontbone, which connects to the IBM CMS data center (CMS Private Network, customer VLAN) and, via the SoftLayer Network PoP, to the BBR and the customer VLAN in the SoftLayer Private Network at the SoftLayer data center.


SoftLayer Interconnect (continued)

Customers connect either with a Physical or a Logical connection
• Physical Connection: a new 1 or 10 Gbps access link to the Frontbone routers
  • Each physical connection comes with a Logical connection
  • Access link costs to the Frontbone are the Customer's responsibility
  • All customers share the Frontbone-to-CMS and Frontbone-to-SoftLayer connections
  • SoftLayer Interconnect can provide redundant connectivity
• Logical Connection: for Customers that already have an access link to the Frontbone

Figure: (left) the customer data center (Customer Network, CE) with access link(s) to the Frontbone, reaching the IBM CMS data center (CMS Private Network, customer VLAN) and, via the SoftLayer Network PoP, the BBR and customer VLAN in the SoftLayer Private Network; (right) a world map of SoftLayer data centers (SEA, SJ, LAX, DEN, DAL, HOU, CHI, TOR, WDC, ATL, MIA, NYC, MEX, HOR, AMS, LON, PAR, FRA, SIN, HGK, TOK, SYD, MEL), SoftLayer Network PoPs and IBM CMS data centers (BLD, RTP, TOR, HOR, NHB, LIS, BAR, MOP, WIN, EHN, TOK, SYD), showing the SoftLayer Backbone Network (N x 10 Gbps), SoftLayer Interconnect (N x 10 Gbps) and customer access links (1 or 10 Gbps).


5. Connecting SoftLayer via Direct Link – Routing without NAT

Use SoftLayer-assigned addresses on the servers at the customer premises

1. Obtain a SoftLayer account and virtual (VSI) or bare metal server(s)
  • For bare metal servers, select single or redundant NICs and the interface speed
2. Design and implement the solution and the network inside SoftLayer
  • Servers, application, VLANs, subnets
  • Servers and applications use the SoftLayer-defined private 10.x.x.x addresses
3. Request SoftLayer to provide the cross connection to the external customer
  • You must use SoftLayer-defined 172.16.0.0/12 addresses in the customer data center; verify that this is acceptable to the customer, including that the customer does not already use that range
  • SoftLayer assigns IP addresses from 172.16.0.0/12 for a Direct Link connection, 8 by default; if more than 8 addresses are needed, request additional addresses through a ticket to SoftLayer with justification
  • The servers on the customer premises must use these 172.16.0.0/12 addresses
  • Traffic between the 172.16.0.0/12 and 10.x.x.x subnets is routed without NAT
  • Add a Gateway Appliance [Vyatta] if the connection has to be encrypted
4. Request AT&T (or another Communications Service Provider) to provide the dedicated connection and CPE routers between the customer and the SoftLayer X-connect router
  • The SoftLayer X-connect router is non-redundant; do you want a redundant connection from your data center to the X-connect router?

Figure: SoftLayer Private Network (Backend Services Network with optional Network Storage: iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage; optional Services: DNS Resolver, Evault, LockBox, Provisioning, OS Updates, Software Repository, IPMI over Ethernet, Monitoring, Security, etc.), BCR and MBR, Private VLAN (Primary Subnet 10.x.x.0/26, SoftLayer-allocated 10.x.x.x addresses) with the SoftLayer-managed application VSI; BBR and X-connect router; Public VLAN (Primary Subnet) and Frontend Customer Routers (FCR); the customer's EP or CP (DDCN architecture) with the Customer's Firewall and application using SoftLayer-assigned 172.16.0.0/12 addresses, CE routers on both ends of the dedicated connection (MPLS, wave, ...) to the X-connect router, reaching SoftLayer hosts by their 10.x.x.x addresses.

49 IBM Internal Use Only – Contains GTS Developed Intellectual Capital © 2015 IBM Corporation
IBM GTS Architecture and Solution Design

6. Connecting SoftLayer via Direct Link – NAT/NAPT on Customer Router

Network Address Translation at the Customer Premises Router

1. Obtain a SoftLayer account and virtual (VSI) or bare metal server(s)
 • For bare metal servers, select: single or redundant NICs and interface speed
2. Design and implement the Solution and the Network inside SoftLayer
 • Servers, Application, VLANs, Subnets
 • Servers and Applications use Private 10.x.x.x SoftLayer defined addresses
3. Request SoftLayer to provide cross connection to external customer
 • SoftLayer assigns 8 IP addresses in 172.16.0.0/12 for a Direct Link connection as a default – if more than 8 addresses are needed, you can request additional addresses through a ticket to SoftLayer with justification
 • Perform 172.x.x.x to Customer Private address NAT (i.e. 192.x.x.x) at the CE router (can also be done on the Customer site router or firewall)
 • Traffic between Customer Private (i.e. 192.x.x.x) and SoftLayer 10.x.x.x subnets will be routed with NAT translation
 • Some IP-aware environments which require Single Sign On, Windows Active Directory, Oracle,… cannot be built with a NAT solution
 • A NAT solution introduces NAT table maintenance
 • Add Gateway Appliance [Vyatta] if the connection has to be encrypted
4. Request AT&T (or other Communications Service Provider) to provide dedicated connection and CPE routers between customer and SoftLayer X-connect router
 • SoftLayer Direct Connect is a non-redundant router; do you want to have a redundant connection from your data center to the X-connect router?

[Figure: SoftLayer side: Services Network (Optional Network Storage: iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage; Optional Services: DNS Resolver, Evault, LockBox, Provisioning, OS Updates, Software Repository, IPMI over Ethernet, Monitoring, Security, etc.); MBR, BCR; Private VLAN, Primary Subnet (10.x.x.0/26), SoftLayer allocated 10.x.x.x addresses; Application VSI (vNIC, SoftLayer Managed); BBR; X-connect Router; Public VLAN, Primary Subnet; Frontend Customer Routers (FCR); The Internet. Customer side (DDCN Architecture, EP or CP): Application with Private addresses (i.e. 192.x.x.x), Customer’s Firewall, CE performing NAT 172.x.x.x <-> 192.x.x.x, Dedicated Connection (MPLS, Wave,...) to the X-connect router; SoftLayer assigned 10.x.x.x address on the SoftLayer side]

7. Connecting SoftLayer via Direct Link – GRE tunneling with no overlapping addresses

GRE tunnel between Customer Premises and SoftLayer without NAT translation

1. Obtain a SoftLayer account and Gateway Appliance (Vyatta)
2. Obtain additional VSIs and bare metal servers as needed
3. Gateway Appliance allows you to connect and route multiple VLANs
 • Do you need a redundant Gateway / Vyatta design?
4. Design and implement the Solution and the Network inside SoftLayer
 • Servers, Application, VLANs, Subnets, Vyatta
 • Servers and Applications use Private 10.x.x.x SoftLayer defined addresses
5. Request SoftLayer to provide cross connection to external customer
 • SoftLayer assigns 8 IP addresses in 172.16.0.0/12 for a Direct Link connection as a default
 • Set up a GRE tunnel between Gateway Appliance [Vyatta] and Customer Firewall (or router)
 • Traffic between Customer Private (i.e. 192.x.x.x) and 10.x.x.x subnets will flow without NAT translation
 • The connection can be encrypted
6. Request AT&T (or other Communications Service Provider) to provide dedicated connection and CPE routers between customer and SoftLayer X-connect router
 • SoftLayer Direct Connect is a non-redundant router; do you want to have a redundant connection from your data center to the X-connect router?

[Figure: SoftLayer side: Services Network (10.0.0.0/14) (Optional Network Storage: iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage; Optional Services: DNS Resolver, Evault, LockBox, ...); MBR, BCR; Private VLAN (”Vyatta Transit VLAN”), Primary Subnet (10.x.x.0/26); Private VLAN, Primary Subnet (10.x.x.0/26), Portable 10.x.x.x, SoftLayer allocated 10.x.x.x addresses; Application VMs (vNIC); BBR; X-connect Router; Public VLAN, Primary Subnet; Public VLAN (Transit VLAN), 172.x.x.x, Primary Subnet; Frontend Customer Routers (FCR); The Internet. Customer side (DDCN Architecture, EP or CP): Application with Private Subnet addresses (i.e. 192.x.x.x), Customer’s Firewall, CE, Dedicated Connection (MPLS, Wave,...) to the X-connect router; GRE tunnel from Customer Firewall to the Vyatta; SoftLayer assigned 10.x.x.x address on the SoftLayer side]

8. Connecting SoftLayer via Direct Link – GRE tunneling with IP Alias Addresses

IP Aliasing is associating more than one IP address with a network interface

• All Linux distributions and Windows servers support IP Aliasing
• With IP Aliasing servers will have multiple IP addresses and connect to two Subnets on one Private VLAN
• Alias addresses can be routed with Gateway Appliance [Vyatta] through a GRE tunnel to the Customer premises network without NAT translation
• Servers can communicate with SoftLayer Services using Primary IP addresses
• Management access is through the servers’ Primary addresses
• Addresses that cannot be used with IP Aliasing in SoftLayer:
 • Primary subnets directly connected to Vyatta
 • SoftLayer services network (10.0.0.0/14)
 • The /31 assigned to the Direct Link port on the XCR (10.x.x.x/31)
 • SoftLayer routable 10.x.x.x IPs assigned to the Vyatta transit (10.x.x.0/26)
 • Customer’s VLAN Primary subnet (10.x.x.0/26)
 • Refer to “What IP ranges do I allow through the firewall?” for exact address ranges: http://knowledgelayer.softlayer.com/faq/what-ip-ranges-do-i-allow-through-firewall
• Gateway Appliance [Vyatta] is needed to perform routing and to set up the GRE tunnel
• Design routing and name resolution with the 10.x.1.x alias addresses

[Figure: SoftLayer side: Services Network (10.0.0.0/14) (Optional Network Storage: iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage; Optional Services: DNS Resolver, Evault, LockBox, ...); MBR, BCR; Private VLAN (”Vyatta Transit VLAN”), Primary Subnet (10.x.x.0/26); Private VLAN, Primary Subnet (10.x.x.0/26), Portable 10.x.1.0/26 (Alias) and Primary address on the Application server; BBR; X-connect Router with 10.x.x.x/31; Public VLAN, Primary Subnet; Public VLAN (Transit VLAN), Primary Subnet; Frontend Customer Routers (FCR); The Internet. Customer side (DDCN Architecture, EP or CP): Application with Private 10.x.x.x Subnet addresses, Customer’s Firewall, CE, Dedicated Connection (MPLS, Wave,...) to the X-connect router; GRE tunnel carrying Private 10.x.x.x; SoftLayer assigned Alias 10.x.x.x address on the SoftLayer side]

9. Connecting SoftLayer via Direct Link – GRE tunneling with partially overlapping addresses

Find a 10.x.x.x subnet from SoftLayer that does not overlap with the Customer premises network

1. Even when 10.0.0.0/8 is used in the Customer premises network, not all 10.0.0.0/8 subnets necessarily overlap with the SoftLayer network
2. Identify the network address spaces used on the Customer premises network
3. Find out if there is a possibility to obtain non-overlapping subnets – ask Cloud technical sales for the current private network IP subnet assignment
 • Servers and Applications use Private 10.x.x.x SoftLayer defined addresses
 • Subnets that don’t overlap the Customer premises network may not always be available
4. If non-overlapping subnets are available, the subnets must be ordered to secure them
5. Request SoftLayer to provide cross connection to external customer
6. Set up a GRE tunnel between Gateway Appliance [Vyatta] and Customer Firewall (or router)
 • Traffic between Customer Private 10.x.x.x and SoftLayer 10.x.x.x subnets will flow without NAT translation
 • The connection can be encrypted

[Figure: SoftLayer side: Services Network (10.0.0.0/14) (Optional Network Storage: iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage; Optional Services: DNS Resolver, Evault, LockBox, ...); MBR, BCR; Private VLAN (”Vyatta Transit VLAN”), Primary Subnet (10.x.x.0/26); Private VLAN, Primary Subnet (10.x.x.0/26), Portable 10.x.x.x; Application VMs (vNIC); BBR; X-connect Router; Public VLAN, Primary Subnet; Public VLAN (Transit VLAN), 172.x.x.x, Primary Subnet; Frontend Customer Routers (FCR); The Internet. Customer side (DDCN Architecture, EP or CP): Application with Private 10.x.x.x addresses, Customer’s Firewall, CE, Dedicated Connection (MPLS, Wave,...) to the X-connect router; GRE tunnel carrying Private (10.x.x.x); SoftLayer assigned 10.x.x.x address on the SoftLayer side]
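The address checks behind sections 8 and 9, as an added example that is not part of this guide: given the customer premises prefixes and the SoftLayer ranges that must not be used for aliasing, it reports which candidate 10.x.x.x subnets can be routed over the GRE tunnel without NAT and which /16 blocks of 10.0.0.0/8 are still free of overlap. Only the services network (10.0.0.0/14) is stated on the page; the /31, transit and primary values below are constructed placeholders for account-specific assignments, and the customer address plan is constructed too.

```python
"""Overlap checks for SoftLayer Direct Link / GRE designs (added example)."""
from ipaddress import ip_network

# Ranges the guide says cannot be used for IP aliasing / must be avoided.
# Only the services network value is on the page; the other three are
# constructed placeholders for account-specific SoftLayer assignments.
SOFTLAYER_RESERVED = {
    "services network": ip_network("10.0.0.0/14"),
    "XCR Direct Link /31 (placeholder)": ip_network("10.200.0.0/31"),
    "Vyatta transit VLAN primary /26 (placeholder)": ip_network("10.100.5.0/26"),
    "customer VLAN primary /26 (placeholder)": ip_network("10.100.6.0/26"),
}


def conflicts(candidate, customer_prefixes, reserved=SOFTLAYER_RESERVED):
    """Return (reason, network) pairs that overlap the candidate subnet."""
    cand = ip_network(candidate)
    hits = [(name, str(net)) for name, net in reserved.items()
            if cand.overlaps(net)]
    hits += [("customer premises", pfx) for pfx in customer_prefixes
             if cand.overlaps(ip_network(pfx))]
    return hits


def usable_subnets(candidates, customer_prefixes, reserved=SOFTLAYER_RESERVED):
    """Keep only candidates (e.g. portable subnets offered by SoftLayer)
    that can reach the customer network through the GRE tunnel without NAT."""
    return [c for c in candidates
            if not conflicts(c, customer_prefixes, reserved)]


def free_10_blocks(customer_prefixes, reserved=SOFTLAYER_RESERVED, new_prefix=16):
    """Enumerate blocks of 10.0.0.0/8 that touch neither the customer
    prefixes nor the reserved ranges: section 9's point that using 10/8
    on premises does not mean every 10.x.x.x subnet overlaps."""
    blockers = list(reserved.values()) + [ip_network(p) for p in customer_prefixes]
    return [str(block)
            for block in ip_network("10.0.0.0/8").subnets(new_prefix=new_prefix)
            if not any(block.overlaps(b) for b in blockers)]


if __name__ == "__main__":
    # Constructed customer premises address plan.
    customer = ["10.0.0.0/12", "10.50.0.0/16", "192.168.0.0/16"]
    print(conflicts("10.1.8.0/26", customer))
    print(usable_subnets(["10.1.8.0/26", "10.100.5.0/26", "10.120.44.0/26"], customer))
    print(len(free_10_blocks(customer)))
```

Replace the placeholder ranges with the values from the account's Direct Link ticket and the KnowledgeLayer FAQ linked in section 8 before relying on the result.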

10. Connecting SoftLayer via Direct Link – GRE tunneling and Virtual LAN Overlay Network

Overlay network technology enables bringing the customer’s private addresses to the SoftLayer Private Network

1. With the Virtual LAN overlay the virtual network is decoupled from the physical network, thus enabling subnets independent of the real IP network
2. The overlay network uses encapsulated tunnels between software virtual switches that are configured and managed by a centralized controller
3. There are several overlay solutions in the market, such as IBM SDN VE (Virtual Environments) and VMware NSX
4. With an overlay network solution the cloud connectivity becomes more seamless as it enables routing between the customer’s network and SoftLayer deployed applications without a need to avoid the overlapping SoftLayer reserved 10.x.x.x address space
5. Request SoftLayer to provide cross connection to external customer
6. Set up a GRE tunnel between Gateway Appliance [Vyatta] and Customer router (or firewall)
 • Traffic between Customer Private 10.x.x.x and virtual LAN overlay 10.x.x.x subnets on SoftLayer will be routed without NAT translation
 • The connection can be encrypted

For more information about designing virtual LAN overlay technology, see GTS Software Defined Networking (SDN) and Network Function Virtualization (NFV) Reference Architecture: https://w3-03.ibm.com/tools/cm/iram/assetDetail/generalDetails.faces?v=*&guid=A2E519EC-7FDB-18DB-B550-D25AFDA416FF

[Figure: VMware NSX deployment on the SoftLayer side: Services Network (10.0.0.0/14) (Optional Network Storage: iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage; Optional Services: DNS Resolver, Evault, LockBox, ...); MBR, BCR; Private VLAN - Transit (Primary Subnet, Portable Subnet); Private VLAN - Management (Primary Subnet); Private VLAN – VXLAN (Primary Subnet, Portable Subnet); Private VLAN - Transit (Primary Subnet, Portable Subnet); NSX Edge, App VMs, VXLAN Transport Zone, vDS on each vSphere Host; BBR; X-connect Router; 172.x.x.x. Customer side (DDCN Architecture, EP or CP): Application with Private 10.x.x.x addresses, Customer’s Firewall, CE, Dedicated Connection (MPLS, Wave,...) to the X-connect router; GRE tunnel carrying Private (10.x.x.x); SoftLayer assigned 10.x.x.x address on the SoftLayer side]

Example: Private VMware and NSX based Overlay Network

[Figure only: private VMware and NSX based overlay network example]

Extending IBM SO Management Tools to SoftLayer

Manage objects on SoftLayer through existing GSSI/SNI to EP or CP connection

1. Define Managed Objects at SoftLayer
2. Design and Configure the SoftLayer environment - including Vyatta Firewall(s)
 • configure IPSec VPN tunnel(s), Firewalling/Routing between VLANs and Subnets
 • define NATing at Vyatta to avoid 10.x.x.x address overlap
3. Request AT&T to configure an IPsec VPN tunnel to the customer’s firewall
4. Request changes to the GSSI/SNI Customer Firewall (CF)
 • Note: managed objects must have GSNI routable addresses
 • GSNI to Private Addresses NATing is required on the Customer Firewall (CF)

Note: using the existing GSNI to EP/CP connection may require two NAT translations

Note: GSSI/SNI - EP/CP connectivity remains the same with Direct Link and SoftLayer Interconnect – Management tools and managed objects must use GSNI addresses

You are:
• Not managing the customer’s SoftLayer environment
• Managing objects inside the customer’s SoftLayer environment
• Management Tools and Managed Objects use GSNI routable addresses – at least one (GSNI to Private Address) NAT (Network Address Translation) is required

[Figure: IBM side: GSNI with IBM Blue Management Tool Access, IBM Firewall, Administrator; CR Centralized Resources (Resource Firewall, Management Tool); SBB Services Backbone; SR Shared Resources; DR Dedicated Resources; Customer Firewall. Customer side (DDCN Architecture, EP or CP): Frontend Customer Routers (FCR), GSNI to Private Addresses NAT, Customer’s Firewall, Customer’s Private address, CE, Private Addresses, IPsec VPN tunnel over The Internet. SoftLayer side: Services Network (Optional Network Storage: iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage; Optional Services: DNS Resolver, Evault, LockBox, Provisioning, OS Updates, Software Repository, IPMI over Ethernet, Monitoring, Security, etc.); MBR, BCR; Private VLAN, Primary Subnet (10.x.x.0/26), SoftLayer allocated 10.x.x.x addresses; Managed object / Managed VSI (vNIC, SoftLayer); Public VLAN, Primary Subnet (Public Addresses), SoftLayer allocated Internet addresses; SoftLayer assigned 10. or NATed address]

Manage objects on SoftLayer through IBM Internal Interconnect Service and Internet VPN

1. Define Managed Objects at SoftLayer
2. Design and Configure the SoftLayer environment - including Vyatta Firewall(s)
 • configure IPSec VPN tunnel, Firewalling/Routing between VLANs and Subnets
 • define 10.x.x.x to GSNI address NATing at Vyatta
3. Open a Service Request to the TI&A Cloud Network Team

Note: The TI&A Cloud Network Team can implement the management connection using Internet VPN, SoftLayer Direct Connect or SoftLayer Interconnect

[Figure: IBM side: GSNI with IBM Blue Management Tool Access, IBM Firewall, Administrator; CR Centralized Resources (Management Tool); SR Shared Resources; Resource Firewall; IIIS SBB Services Backbone; IIIS Service with GSNI address; IPsec VPN tunnel over The Internet carrying GSNI addresses to the Frontend Customer Routers (FCR). SoftLayer side: Services Network (Optional Network Storage: iSCSI Shared SAN, Shared NAS / FTP, Dedicated SAN, Object Storage; Optional Services: DNS Resolver, Evault, LockBox, Provisioning, OS Updates, Software Repository, IPMI over Ethernet, Monitoring, Security, etc.); MBR, BCR; Private VLAN, Primary Subnet (10.x.x.0/26), SoftLayer allocated 10.x.x.x addresses; Managed object / Managed VSI (vNIC, SoftLayer); Public VLAN, Primary Subnet (Public Addresses), SoftLayer allocated Internet addresses]