OAGITM Conference CNIC Network Presentation

Presentation Transcript


    1. Information Systems
       Information technology support is provided to all of ODOT’s divisions to enable them to perform their missions. This includes DMV services directly to citizens and to the traveling public through Internet traveler information (TripCheck). Direct services to trucking and automobile-related businesses are provided through various technology delivery mechanisms. ODOT’s internal staff is supported in their job functions via 200+ business application systems that support transportation planning and management, road and bridge design, project delivery, highway maintenance, revenue collection and financial management. Highway operations are directly supported through the development and support of Intelligent Transportation Systems. Information Systems supports the communications infrastructure of the agency through its telephone system, email, Intranet and two-way radio communications. Organizations outside of ODOT depend upon access to ODOT’s technology base. These agencies include Law Enforcement Data Systems, the Department of Human Services, the Department of Revenue, Parks and Recreation, and the Department of Justice. ODOT data is made accessible to cities and counties as well as to the federal government through the Federal Highway Administration, AAMVA, IRS and others.

    2. Opening Remarks
       - Focus of the Team: doing things right (efficiency) versus doing the right things (effectiveness).
       - Illustration (Peter F. Drucker): Henry Ford vs. buggy whip manufacturing. The Turner & Cook Buggy Whip Co. had the “best” buggy whips ever made, their sales were the highest they had ever been, and they were very “efficient” and very profitable…right up until the day that Henry Ford rolled his first Model T off the assembly line.
       - Individually, we as autonomous agencies might have the “best” and “most efficient” Banyan Vines network, or the best IPX traffic, or the best WINS install base…but technology is changing, and in a consolidated effort we’ve got to be “effective” as well.
       - Point: we’ve purposely steered away from “how things are done today” toward “how could it be done in the future”, given our changing technology.
       - Introduction to Mike Dawson, my chauffeur.

    3. CNIC Network Workgroup Team Membership – Detailed Design
       - Accenture: Chris Bell, Mike Dawson, Zachary Gustafson, David Heimlicher
       - DAS: Frank Hoonhout, Steve Nelson
       - DOC: Alexandra Smith
       - DOR: Desi Villaescusa
       - DHS: Al Grapoli, Duane Smith
       - ODOT: Dennis Jorgenson, Randy Whitehouse
       - State PM / Contracted PM: Brian Sipe / Doug Freimarck

    4. CNIC Network Work Group
       - Group chartered to define the Network Detail Design for CNIC
       - Group met weekly to discuss the design components and work through issues
       - Topics discussed include:
         - Data Center Local Area Network (LAN) Design Recommendations
         - Core Network Design Recommendations
         - Wide Area Network (WAN) Design Recommendations
         - Remote Access Design Recommendations
         - Network Management Design Recommendations (Tools)
         - Network Infrastructure Services Design Recommendations
         - Network Naming Convention Design Recommendations

    5. Data Center LAN Design Recommendations
       - SDC Security Zones
         - Isolate low, medium, and high trust zones with firewalls and physically separate the network equipment.
         - Allow for additional, higher-security compartments within the High Trust Zone.
       - SDC Logical Layout
         - Core Layer Routers – Cisco 7600s
         - Main Distribution Frames – Cisco 6500 Switches / Routers (Layers 2 & 3)
         - Rack Layer Distribution – Cisco 6500 Switches
         - Access Layer – Cisco 3750 Switches
         - Cross-Zone Firewalls – Check Point, built on a hardened OS (Linux kernel)
         - Production Environment – all network equipment deployed in “redundant” pairs

    6. Data Center LAN Design Recommendations (continued)
       - SDC Physical Layout
         - Core Routers – deployed in the Telecom Room at the fiber demarc
         - Main Distribution Switches – at opposite ends of the raised-floor area
         - Rack Distribution Switches – (redundant pairs) in the center rack of each row
         - Access Switches – (redundant pairs) in each server rack
         - Connect Core Routers to Main Distribution Switches – via 1 Gbps under-floor fiber
         - Connect Main Distribution Switches to Rack Distribution Switches – via 10 Gbps under-floor fiber
         - Connect Rack Distribution Switches to Access Switches – via 1 Gbps overhead fiber
         - Connect Access Switches to Servers – via in-rack copper or fiber at 100 Mbps or 1 Gbps

    7. Data Center Logical Network Design

    8. Data Center LAN Design Recommendations (continued)
       - SDC IP Addressing Scheme
         - Use private IP addresses for all servers without a specific requirement for public IP addresses
         - Use public IP address ranges for servers in the low trust zone that require public addresses, and for NAT of privately addressed servers that require access from outside the State Network
       - SDC VLAN Design
         - Create unique VLAN ranges for each Trust Zone and for each environment within the Trust Zones
         - Do not allocate VLAN numbers higher than 999
         - Allocate 10 VLANs for management, 390 for the low Trust Zone, 300 for the medium Trust Zone, 200 for the high Trust Zone, and 100 for higher-trust compartments

    9. Core Network Design Recommendations
       - Salem Metropolitan Area Network (MAN)
         - Install fiber to close the MAN loop between the C4 building and the State Penitentiary
         - Install fiber to add a dual-entry connection to the MAN loop for the SDC
         - Extend the Qwest SHNS Ring to include the SDC
       - Distributed Network Core
         - Close the network core “loop” with a temporary 100 Mbps connection between Eugene and Bend, until a more cost-effective permanent 100 Mbps connection can be negotiated
         - Upgrade the core routers in Bend and Burns to Cisco 7600s
         - Utilize MPLS on the network core and distribution layers to isolate agency traffic
         - Maintain existing agency routing protocols through the initial move, and migrate to a single OSPF area design with BGP connections to external networks after the first 3 agencies are moved
         - Create additional core network nodes in Medford and Pendleton

    10. Wide Area Network Design Recommendations
       - Maintain the current field office IP addressing schemes through the consolidation
       - Transition all field offices to the 10.x.x.x address space by the conclusion of the 2005-2007 biennium
       - Utilize VLAN numbers that provide “unique” identifiers for the various agencies at a field office
       - Consolidate WAN circuits at 28 sites across the State using MPLS-enabled routers to extend the MPLS network to the field office
       - Over the course of the 2005-2007 biennium, migrate access circuits from frame relay to dedicated connectivity for sites that are local to the network core nodes (per the ongoing analysis by the DAS NOC)

    11. Remote Access Design Recommendations
       - Dial-up
         - Utilize the existing DAS points of presence to provide state-wide dial-up access, centralizing management of dial-up at the SDC
       - VPN
         - Continue to support agency VPN platforms during the SDC migration period
         - Standardize on Cisco products for individual client-based VPN, centralizing management and VPN termination points in the low trust zone of the SDC LAN
         - Standardize on Whale Communications products for individual SSL-based VPN, centralizing management and VPN termination points in the low trust zone of the SDC LAN
         - Standardize on Cisco products for site-to-site VPN, centralizing management and VPN termination points in the low trust zone of the SDC LAN
         - Allow the CNIC Security Work Group to review and possibly modify the VPN recommendations during the detailed design stage
       - Citrix
         - Continue deploying Citrix technology where appropriate, centralizing servers and management of servers in the low trust zone of the SDC LAN

    12. Network Management Design Recommendations (Tools)
       - Adopt HP OpenView as the Enterprise Management Tool
       - Adopt Cisco NatKit as the Cisco Device Management Tool, assuming that the Cisco advanced services contract will be continued at the SDC [otherwise, adopt CiscoWorks as the Cisco Device Management Tool]
       - Adopt a joint solution of Cisco Network Analysis Module (NAM), NetScout Network Performance Manager and Concord eHealth as the Network Monitoring Tool
       - Adopt WildPackets EtherPeek NX with iNetTools as the Protocol Analysis Tool
       - Adopt SolarWinds as the Network Management Toolkit
       - Adopt Cisco IP Solution Center as the MPLS Management Tool
       - Adopt AirMagnet Analyzer and Surveyor as the Wireless LAN Management Tool

    13. Network Infrastructure Services Design Recommendations
       - DNS
         - Provide external DNS services for all agencies using BIND
         - Provide secondary internal DNS services to all agencies, establishing a backup to the agency DNS services
         - Provide primary internal DNS services as an optional service to those agencies that wish to take advantage of a centralized DNS service
       - WINS
         - Phase WINS out of the environment in favor of a more versatile DNS solution
       - DHCP
         - Provide centralized DHCP services to the internal SDC users and to agencies that want to take advantage of a centralized DHCP service
       - Other
         - Provide DNS, DHCP, and Directory Services using Microsoft product sets
         - Revisit this product recommendation at the time of future directory services consolidation

    14. Network Naming Convention Design Recommendations
       - Employ names that reflect location, device type, trust zone, and environment designator
       - Use device type designators for switch (-s), router (-r), firewall (-f), wireless root device (-w), and wireless client device (-wc)
       - Within the SDC MPOE and MDF, adopt the convention sdc-LLLL-XN, where:
         - LLLL is either “MPOE” or “MDF”
         - X is the device type
         - N is a numerical designator to ensure uniqueness

    15. Network Naming Convention Design Recommendations (continued)
       - Within the SDC main rack area, adopt the convention sdc-RK-XN-AA, where:
         - R is the row number
         - K is the rack letter
         - X is the device type
         - N is a numerical designator to ensure uniqueness
         - A is an additional designator to indicate a trust zone other than low and an environment other than production
       - At field office sites, adopt the convention CCC-STREETID-XN, where:
         - CCC is a three-character city code
         - STREETID is a variable-length (maximum 8 characters) location code, which will typically reflect the street or address of the facility
         - X is the device type designator, as defined above in the generic naming conventions
         - N is a numerical designator to ensure uniqueness
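The three conventions from the two naming slides above, as an added Python example that is not part of the presentation: a parser that recognizes each pattern and extracts location, device type, uniqueness index, and the optional trust-zone/environment designators, so an inventory or log-enrichment tool can tell at a glance which zone a device name claims to sit in. The sample names are constructed; the slides do not define the letters used in the AA suffix, so they are returned undecoded, and the assumption that a field-office city code is never "sdc" (to keep data-center names unambiguous) is mine, not the work group's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Device type designators from the slides. "wc" precedes "w" in the regex
# alternation so "wc1" is read as wireless client, not "w" plus junk.
DEVICE_TYPES = {"s": "switch", "r": "router", "f": "firewall",
                "w": "wireless root device", "wc": "wireless client device"}
_TYPE_NUM = r"(?P<dtype>wc|s|r|f|w)(?P<num>\d+)"

# One regex per convention. The field-office pattern rejects an "sdc-" prefix
# (assumption: no city uses that code) so SDC names are never misread.
PATTERNS = {
    "sdc-mpoe-mdf": re.compile(rf"^sdc-(?P<loc>mpoe|mdf)-{_TYPE_NUM}$", re.I),
    "sdc-rack": re.compile(rf"^sdc-(?P<row>\d+)(?P<rack>[a-z])-{_TYPE_NUM}"
                           r"(?:-(?P<zone>[a-z])(?P<env>[a-z]))?$", re.I),
    "field-office": re.compile(rf"^(?!sdc-)(?P<city>[a-z]{{3}})-"
                               rf"(?P<street>[a-z0-9]{{1,8}})-{_TYPE_NUM}$", re.I),
}

@dataclass
class DeviceName:
    convention: str
    location: str
    device_type: str
    index: int
    # Raw AA designators; None means the slide's defaults (low trust, production).
    trust_zone: Optional[str] = None
    environment: Optional[str] = None

def parse_device_name(name: str) -> DeviceName:
    """Parse a CNIC device name; raise ValueError if it fits no convention."""
    for convention, pattern in PATTERNS.items():
        m = pattern.match(name.strip())
        if not m:
            continue
        g = m.groupdict()
        if convention == "sdc-mpoe-mdf":
            location = f"SDC {g['loc'].upper()}"
        elif convention == "sdc-rack":
            location = f"SDC row {g['row']} rack {g['rack'].upper()}"
        else:
            location = f"{g['city'].upper()} {g['street'].upper()}"
        zone, env = g.get("zone"), g.get("env")
        return DeviceName(convention, location, DEVICE_TYPES[g["dtype"].lower()],
                          int(g["num"]), zone.lower() if zone else None,
                          env.lower() if env else None)
    raise ValueError(f"{name!r} does not follow any CNIC naming convention")
```

A name with no AA suffix is reported as low trust / production by the rule on the slide, so a mismatch between a device's parsed zone and the VLAN it actually lives on is a useful inventory check.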

    16. Timeline

    17. CNIC Network Work Group Questions? Comments? Piggy-backs? Editorials?
