ITEC Speaker PowerPoint Template

Description:

OAGITM Conference. CNIC Network Presentation. Brian Sipe, State PM. Mike Dawson, Technical Lead ... Brian Sipe / Doug Freimarck. 4. CNIC Network Work Group ... – PowerPoint PPT presentation

Slides: 18
Provided by: centriceve

Transcript and Presenter's Notes

1
OAGITM Conference
CNIC Network Presentation
August 10, 2005
Brian Sipe, State PM; Mike Dawson, Technical Lead
2
Opening Remarks
  • Focus of the Team
    • Doing things right (efficiency) versus
    • Doing the right things (effectiveness)
  • Illustration: Peter F. Drucker (Henry Ford vs.
    Buggy Whip Mfg.)
    • Turner Cook Buggy Whip Co. had the best
      buggy whips ever made, their sales were the
      highest they had ever been, they were very
      efficient and very profitable, right up until
      the day that Henry Ford rolled his first Model T
      off the assembly line.
  • Individually we as autonomous Agencies might have
    the best and most efficient Banyan VINES
    Network, or best IPX traffic, or best WINS
    install base, but Technology is changing and in a
    consolidated effort we've got to be effective
    as well.
  • Point: we've purposely moved away from "how
    things are done today" to "how could it be done
    in the future", given our changing Technology
  • Introduction to Mike Dawson, My Chauffeur

3
CNIC Network Workgroup Team Membership, Detailed
Design
  • Accenture
    • Chris Bell, Mike Dawson, Zachary Gustafson, David
      Heimlicher
  • DAS
    • Frank Hoonhout, Steve Nelson
  • DOC
    • Alexandra Smith
  • DOR
    • Desi Villaescusa
  • DHS
    • Al Grapoli, Duane Smith
  • ODOT
    • Dennis Jorgenson, Randy Whitehouse
  • State PM / Contracted PM
    • Brian Sipe / Doug Freimarck

4
CNIC Network Work Group
  • Group chartered to define Network Detail Design
    for CNIC
  • Group met weekly to discuss the design components
    and work through issues
  • Topics discussed include:
    • Data Center Local Area Network (LAN) Design
      Recommendations
    • Core Network Design Recommendations
    • Wide Area Network (WAN) Design Recommendations
    • Remote Access Design Recommendations
    • Network Management Design Recommendations (Tools)
    • Network Infrastructure Services Design
      Recommendations
    • Network Naming Convention Design Recommendations

5
Data Center LAN Design Recommendations
  • SDC Security Zones
    • Isolate low, medium, and high trust zones w/
      firewalls and physically separate the network
      equipment.
    • Allow for additional, higher-security
      compartments within the High Trust Zone
  • SDC Logical Layout
    • Core Layer Routers: Cisco 7600s
    • Main Distribution Frames: Cisco 6500 Switches /
      Routers (Layers 2 & 3)
    • Rack Layer Distribution: Cisco 6500 Switches
    • Access Layer: Cisco 3750 Switches
    • Cross Zoned Firewalls: Checkpoint, built on
      hardened O/S (Linux kernel)
    • Production Environment: All Network Equipment
      deployed in redundant pairs

6
Data Center LAN Design Recommendations (continued)
  • SDC Physical Layout
    • Core Routers deployed in Telecom Room at fiber
      demarc
    • Main Distribution Switches at opposite ends of
      raised floor area
    • Rack Distribution Switches (redundant pairs) in
      center rack of each row
    • Access Switches (redundant pairs) in each
      server rack
    • Connect Core Routers to Main Distribution
      Switches via 1 GB under floor fiber
    • Connect Main Distribution Switches to Rack
      Distribution Switches via 10GB under floor
      fiber
    • Connect Rack Distribution Switches to Access
      Switches via 1GB overhead fiber
    • Connect Access Switches to Servers via in-rack
      copper or fiber at 100MB or 1GB

7
Data Center Logical Network Design
8
Data Center LAN Design Recommendations (continued)
  • SDC IP Addressing Scheme
    • Use private IP addresses for all servers without
      a specific requirement for public IP addresses
    • Use public IP address ranges for servers in the low
      trust zone that require public addresses and for
      NAT on privately addressed servers that
      require access from outside the State Network
  • SDC VLAN Design
    • Create unique VLAN ranges for each Trust Zone and
      each environment within the Trust Zones
    • Do not allocate VLAN numbers higher than 999
    • Allocate 10 VLANs for management, 390 for the low
      Trust Zone, 300 for the medium Trust Zone, 200
      for the high Trust Zone, and 100 for higher-Trust
      compartments

9
Core Network Design Recommendations
  • Salem Metropolitan Area Network (MAN)
    • Install fiber to close the MAN loop between C4
      building and State Penitentiary
    • Install fiber to add a dual-entry connection to
      the MAN loop for the SDC
    • Extend the Qwest SHNS Ring to include the SDC
  • Distributed Network Core
    • Close the network core loop with a temporary
      100MB connection between Eugene and Bend, until a
      more cost effective permanent 100MB connection
      can be negotiated
    • Upgrade the core routers in Bend and Burns to
      Cisco 7600s
    • Utilize MPLS on the network core and distribution
      layers to isolate agency traffic
    • Maintain existing agency routing protocols
      through initial move, and migrate to a single
      OSPF area design with BGP connections to external
      networks after the first 3 agencies are moved
    • Create additional core network nodes in Medford
      and Pendleton

10
Wide Area Network Design Recommendations
  • Maintain - the current field office IP addressing
    schemes through the consolidation
  • Transition - all field offices to the 10.x.x.x
    address space by the conclusion of the 2005-2007
    biennium
  • Utilize - VLAN numbers that provide unique
    identifiers for the various agencies at a field
    office
  • Consolidate - WAN circuits at 28 sites across the
    State using MPLS-enabled routers to extend the
    MPLS network to the field office
  • Over the course of the 2005-2007 biennium,
    migrate access circuits from frame relay to
    dedicated connectivity for sites that are local
    to the network core nodes (per the ongoing
    analysis by the DAS NOC)

11
Remote Access Design Recommendations
  • Dial-up
    • Utilize the existing DAS points of presence to
      provide state-wide dial-up access, centralizing
      management of dialup at the SDC
  • VPN
    • Continue to support agency VPN platforms during
      migration period of SDC
    • Standardize on Cisco products for individual
      client-based VPN, centralizing management and VPN
      termination pts. in the low trust zone of the SDC
      LAN
    • Standardize on Whale Communications products for
      individual SSL-based VPN, centralizing management
      and VPN termination points in the low trust zone
      of the SDC LAN
    • Standardize on Cisco products for site-to-site
      VPN, centralizing management and VPN termination
      pts. in the low trust zone of the SDC LAN
    • Allow the CNIC Security Work Group to review and
      possibly modify the VPN recommendations during
      the detailed design stage
  • Citrix
    • Continue deploying Citrix technology where
      appropriate, centralizing servers and management
      of servers in the low trust zone of the SDC LAN

12
Network Management Design Recommendations (Tools)
  • Adopt HP Openview as the Enterprise Management
    Tool
  • Adopt Cisco NatKit as the Cisco Device Management
    Tool, assuming that the Cisco advanced services
    contract will be continued at the SDC.
    Otherwise, adopt CiscoWorks as the Cisco Device
    Management Tool
  • Adopt a joint solution with Cisco Network
    Analysis Module (NAM), Netscout Network
    Performance Manager and Concord e-Health as the
    Network Monitoring Tool
  • Adopt WildPackets Etherpeek NX with iNetTools as
    the Protocol Analysis Tool
  • Adopt Solarwinds as the Network Management
    Toolkit
  • Adopt Cisco IP Solution Center as the MPLS
    Management Tool
  • Adopt AirMagnet Analyzer and Surveyor as the
    Wireless LAN Management Tool

13
Network Infrastructure Services Design
Recommendations
  • DNS
    • Provide external DNS services for all agencies
      using BIND
    • Provide secondary internal DNS services to all
      agencies, establishing a backup to the agency DNS
      services
    • Provide primary internal DNS services as an
      optional service to those agencies that wish to
      take advantage of a centralized DNS service
  • WINS
    • Phase WINS out of the environment in favor of a
      more versatile DNS solution
  • DHCP
    • Provide centralized DHCP services to the internal
      SDC users and to agencies that want to take
      advantage of a centralized DHCP service
  • Other
    • Provide DNS, DHCP, and Directory Services using
      Microsoft product sets
    • Revisit this product recommendation at the time
      of future directory services consolidation

14
Network Naming Convention Design Recommendations
  • Employ names that reflect location, device type,
    trust zone, and environment designator
  • Use device type designators for switch (-s),
    router (-r), firewall (-f), wireless root device
    (-w), and wireless client device (-wc)
  • Within the SDC MPOE and MDF, adopt the convention
    sdc-LLLL-XN, where
    • LLLL is either MPOE or MDF
    • X is the device type
    • N is a numerical designator to ensure uniqueness

15
Network Naming Convention Design Recommendations (continued)
  • Within the SDC main rack area, adopt the
    convention sdc-RK-XN-AA, where
    • R is the row number
    • K is the rack letter
    • X is the device type
    • N is a numerical designator to ensure uniqueness
    • A is an additional designator to indicate a trust
      zone other than low and an environment other than
      production
  • At field office sites, adopt the convention
    CCC-STREETID-XN, where
    • CCC is a three-character city code
    • STREETID is a variable length (maximum 8
      characters) location code, which will typically
      reflect the street or address of the facility
    • X is the device type designator, as defined above
      in the generic naming conventions
    • N is a numerical designator to ensure uniqueness
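
The three naming conventions from slides 14 and 15, written as a validator for auditing a device inventory. This is an added example, not part of the presentation. Assumptions: names match case-insensitively, R and N are one or more digits, K is one letter, AA is an optional two-character suffix with opaque codes, and "sdc" is never a city code.

```python
import re

# Device type designators listed on slide 14.
DEVICE_TYPES = {"s": "switch", "r": "router", "f": "firewall",
                "w": "wireless root device", "wc": "wireless client device"}
_DEV = r"(?P<dev>wc|[srfw])(?P<num>\d+)"

# Assumed field widths (the slides give only the letter placeholders).
PATTERNS = [
    ("sdc-core", re.compile(rf"sdc-(?P<loc>mpoe|mdf)-{_DEV}")),
    ("sdc-rack", re.compile(
        rf"sdc-(?P<row>\d+)(?P<rack>[a-z])-{_DEV}(?:-(?P<aa>[a-z0-9]{{2}}))?")),
    ("field", re.compile(
        rf"(?P<city>[a-z]{{3}})-(?P<street>[a-z0-9]{{1,8}})-{_DEV}")),
]

def parse_device_name(name):
    """Return the decoded fields of a device name, or None if it fits no convention."""
    lowered = name.strip().lower()
    for kind, pattern in PATTERNS:
        # Assumption: an "sdc-" name that fails both SDC forms is malformed,
        # not a field office whose city code happens to be "sdc".
        if kind == "field" and lowered.startswith("sdc-"):
            continue
        m = pattern.fullmatch(lowered)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            fields["kind"] = kind
            fields["device"] = DEVICE_TYPES[fields.pop("dev")]
            fields["num"] = int(fields["num"])
            return fields
    return None

def audit(names):
    """Split an inventory into conforming (parsed) and non-conforming names."""
    good, bad = {}, []
    for n in names:
        parsed = parse_device_name(n)
        if parsed is None:
            bad.append(n)
        else:
            good[n] = parsed
    return good, bad

# Constructed sample inventory, not taken from the presentation.
SAMPLE = ["sdc-MDF-s1", "sdc-3b-f2-hd", "sal-center-wc12",
          "sdc-lobby-r1", "pdx-toolongstreet-r1", "sdc-mpoe-x1"]
```

Names returned in the non-conforming list are the ones to chase up, since a device whose name cannot be decoded cannot be tied to a location or trust zone from the name alone.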

16
Timeline
[Figure: project timeline chart by quarter, 2004 to 2007. Labels: Build Facility; Stage 0; Architecture; Design; Individual Agency Implementation Planning; Agency Implementation Stage; Project QA; CNIC PMO]
17
CNIC Network Work Group
  • Questions?
  • Comments?
  • Piggy-backs?
  • Editorials?