10.30.06 Network Planning Task Force – Network Strategy Discussions
Post on 21-Dec-2015
NPTF FY ’07 Members
■ Mary Alice Annecharico/Rod MacNeil, SOM
■ Robin Beck, ISC
■ Dave Carrol, Business Services
■ Cathy DiBonaventura, School of Design
■ Geoff Filinuk, ISC
■ John Keane/Grover McKenzie, Library
■ Marilyn Jost, ISC
■ Deke Kassabian/Melissa Muth, ISC
■ Manuel Pena, Housing and Conference Services
■ Mike Weaver, Budget Mgmt. Analysis
■ Dominic Pasqualino, OAC
■ James Kaylor, CCEB
■ Helen Anderson, SEAS
■ Kayann McDonnell, Law
■ Donna Milici, Nursing
■ Dave Millar, ISC
■ Michael Palladino, ISC (Chair)
■ Jeff Fahnoe, Dental
■ Mary Spada, VPUL
■ Marilyn Spicer, College Houses
■ Joseph Shannon, Div. of Finance
■ Ira Winston, SEAS, SAS, Design
■ Mark Aseltine/Mike Lazenka, ISC
■ Ken McCardle, Vet School
■ Brian Doherty, SAS
■ Richard Cardona, Annenberg
■ Deirdre Woods/Bob Zarazowski, Wharton
■ John Irwin, GSE
Meeting Schedule – FY ‘07
■ Meetings 1:30-3:00pm, 3401 Walnut Street
■ Fall Meetings / Process
  ■ Intake and Current Status Review – August 21
  ■ Agenda Setting & Focus Group Planning – September 18
  ■ Focus Group – October 04
  ■ Security Strategy Discussions – October 16
  ■ Focus Group – October 17
  ■ Network Strategy Discussions – October 30
  ■ Network & Security Strategy Discussions – November 6
  ■ Focus Group Feedback – November 20
  ■ Final Meeting – Prioritization / Rate Setting – December 04
Today’s Agenda
■ PennNet Building Uplinks (Gigabit connectivity)
■ Network Access Control
■ PennNet Gateway (Scan & Block)
■ VoIP
■ Wireless
PennNet Building Uplinks: Gigabit & Redundant Connectivity
Gig Connectivity & Building Redundancy
■ Goals
  ■ Gig enabled closet electronics
  ■ Gig to every building
  ■ Redundant Gig connectivity
■ Current Status
  ■ 41 buildings with Gig Ethernet / 55 in total in FY ‘07
  ■ Evaluating new closet electronics / deploying in January 2007
  ■ Approximately 50% of switches 10/100/1000 enabled
  ■ By the end of FY ’08, most switches will be 10/100/1000 Mbps
Strategic Approach: Next Generation PennNet (NGP)
■ Diversify the PennNet Routing Core
  ■ Move out of College Hall (largest single point of failure)
  ■ Construct 5 Network Aggregation Points (NAPs)
  ■ Redundant high speed connectivity between NAP locations
■ Highly Available Core Network Infrastructure
  ■ Relocate campus building uplinks to local NAP
  ■ Provide high speed uplinks to buildings (where infrastructure can support this now; single-mode fiber/conduit build outs sometimes necessary)
  ■ Provide redundant uplinks to campus buildings
■ Five Connectivity Models, based on:
  ■ Building criticality (University business)
  ■ Number of user connections
  ■ Infrastructure availability
Diversify PennNet Routing Core
■ Four NAP locations completed.
  ■ NAP locations have redundant and diverse 10 gig feeds.
  ■ NAPs connect local buildings that have fiber and pathway.
  ■ Some buildings have gigabit Ethernet service.
■ Western NAP (Levy) construction complete by 12/2006
  ■ Relocating one core router from College Hall to Levy NAP
  ■ Begin connecting some buildings in 01/2007
■ College Hall node room will house a core router for the next two to three years (until all NAP to building feeds are in place)
■ Will reduce catastrophic disaster recovery time from 2 weeks to under 2 hours.
■ Will provide the infrastructure foundation for next generation data, voice and video services.
Next Generation PennNet – Current Status/Plan
[Diagram: NAP1 Eastern Tier (Vagelos); NAP2 Central Tier (Huntsman); NAP3 Southern Tier (MOD5); NAP4 Northern Tier (Sansom East); NAP5 Western Tier (Levy); NAP-CH (College Hall Node Room); WAL (G)]
Building Connectivity Models (diagram slides)
■ Models 1 & 2: Dual feeds to separate NAPs, each with either diverse or overlapping pathways.
■ Model 3: Each building has 1 uplink to a separate NAP and one link to each other.
■ Model 4: Building has 1 uplink to each Building Entrance Router in the local area.
■ Model 5: Building has 1 uplink to a Building Entrance Router.
■ Model 5a: Building has 1 uplink to a Building Entrance Router with dual feeds.
Gig Connected Buildings (Single Feed)

| Building Code | Description | Building Classification (Model) | Primary NAP (Uplink) | Secondary NAP (Uplink) | Comments |
|---|---|---|---|---|---|
| BNH | Bennett Hall | 2 | Vag - Gig | None | Optimal 2nd link to ModV |
| DUB | Dubois | 2 | HNT - Gig | None | Optimal 2nd link to Levy |
| GEB | Graduate Education | 2 | HNT - Gig | None | Optimal 2nd link to NIC |
| HIL | Hill House | 2 | Vag - Gig | None | Optimal 2nd link to Levy |
| HOU | Houston Hall | 3 | CHNR - Gig | None | Optimal 2nd link to Vagelos |
| ICA | Institute of Cont. Art | 4 | GRT - Gig | None | Primary link goes through SPE router |
| IST | Vagelos | 2 | Vag - Gig | None | Optimal link to HNT |
| KIN/ENG | Kings Court/English | 2 | NIC - Gig | None | Optimal 2nd link to Levy |
| LFR | Lauder Fischer | 3 | SDH Router - Gig | None | Optimal link to HNT or Vance Router |
| MCA | McNeil Center for Early American, 3355 N 34st | 3 | Vag - Gig | None | Optimal 2nd link to HIL |
| MEY | Meyerson Hall | 2 | Vag - Gig | None | Optimal 2nd link to HNT |
| MSC | Music Building | 4 | Vag - Gig | None | Optimal 2nd link to Mey |
| SPE | Sansom Place East | 2 | NIC - Gig | None | Optimal 2nd link to Levy |
| OVH | Old Vet Hosp | 4 | Vet Hospital Router - Gig | None | BE device not a routing device |
| Quad | Quad Complex | 3 | HNT - Gig | None | Optimal 1st link ModV, 2nd link to Levy |
| ROS | Rosenthal | 4 | Vet Hospital Router - Gig | None | BE device not a routing device |
| SPW | Sansom Place West | 2 | NIC - Gig | None | Optimal 2nd link to Levy |
| WTM | Weightman Hall | 4 | Vag - Gig | None | Optimal 2nd link to ModV |
Gig Connected Buildings (Dual Feed)

| Building Code | Description | Building Classification (Model) | Primary NAP (Uplink) | Secondary NAP (Uplink) | Comments |
|---|---|---|---|---|---|
| BRB | Bio-Medical Research Building #1 | 2 | ModV - Gig | HNT - Gig | Optimal 2nd link to Levy |
| BRC | Bio-Medical Research Building #2 | 2 | ModV - Gig | HNT - Gig | Optimal 2nd link to Levy |
| CHM | Chemistry Labs | 2 | Vag - Gig | ModV - Gig | |
| COL | College Hall | 1 | Vag - Gig | ModV - Gig | Optimal 2nd link to HNT |
| CRB | Clinical Research Building | 2 | ModV - Gig | HNT - Gig | Optimal 2nd link to Levy |
| FKB/FBA | Franklin Building/Annex | 1 | NIC - Gig | Vag - Gig | |
| GYM | Gimbel Gym | 2 | NIC - Gig | HNT - Gig | |
| HNT | Huntsman Hall | 3 | HNT - Gig | Vance - Gig | 2nd link goes thru Vance router |
| JSN | Johnson Pavilion (Med School) | 2 | ModV - Gig | HNT - Gig | Optimal 2nd link to Levy |
| MKT | 3440 Market St | 3 | NIC - Gig | Vag - Gig | |
| NEB | Nursing Education Building | 2 | ModV - Gig | HNT - Gig | Optimal 2nd link to Levy |
| SCC | Steinberg Conference Center | 3 | Huntsman Router - Gig | Vance - Gig | Both uplinks go through Wharton routers |
| SDH | Steinberg Hall-Dietrich Hall | 3 | Huntsman Router - Gig | Vance - Gig | Both uplinks go through Wharton routers |
| VAN | Vance Hall | 3 | ModV - Gig | Huntsman Rtr - Gig | Optimal 2nd link to HNT |
| VPL | Van Pelt Library | 1 | Vag - Gig | Huntsman Rtr - Gig | |
| VRB | Veterinary Medicine Teaching & Research Building | 3 | ModV - Gig | Vet Hospital Rtr - Gig | modv2.router Gi 3/13; vhp1.router Gi 3/2 |
| WAL | 3401 Walnut St. | 1 | NIC - Gig | Vag - Gig | Diverse feeds/pathway |
Dual Connected Buildings (100/Gig)

| Building Code | Description | Building Classification (Model) | Primary NAP (Uplink) | Secondary NAP (Uplink) | Comments |
|---|---|---|---|---|---|
| BLK | Blockley Hall | 2 | ModV - Gig | CHNR - 100 Mbps | Optimal 2nd link to Levy |
| BRC | Bio-Medical Research Building #2 | 2 | ModV - Gig | CHNR - 100 Mbps | Optimal 2nd link to Levy |
| FUR | Furness Building | 2 | Vag - Gig | CHNR - 100 Mbps | Optimal 2nd link to HNT |
| GRW | Graduate Research Wing (Moore School) | 2 | Vag - Gig | CHNR - 100 Mbps | Optimal 2nd link to ModV |
| VHP | Vet Hospital | 3 | VRB Router - Gig | CHNR - 100 Mbps | Optimal 2nd link to Levy |
| WMS | Williams Hall | 2 | Vag - Gig | CHNR - 100 Mbps | Optimal 2nd link to HNT |
Network Access Control
■ Goal
  ■ Campus-wide, uniform network access control for wireless and wired network connections
■ Current Status
  ■ New switch hardware and new software on existing switches should allow 802.1X rollout for wired ports by Summer 2007
  ■ College House and Sansom Place wireless already using 802.1X network login
  ■ Rest of wireless APs using web intercept (captive portal)
■ Discussion Points
  ■ Should we move to enable AirPennNet (802.1X) on all current wireless-pennnet APs? If so, on what time frame?
  ■ Can we eventually transition to all 802.1X, removing the need to maintain dedicated web intercept hardware? When?
Scan and Block
■ Goal
  ■ Full campus-wide S&B at all user locations (servers and printers probably out of scope)
  ■ Preventing access by compromised or highly vulnerable computers should lower the total cost of ownership for IT delivery.
■ Advantages
  ■ PennNet Gateway will significantly reduce lost productivity by students and staff, and protect the operational integrity of Penn’s network in the following ways:
    ■ Unmanaged workstations will be protected from each other, so internal security threats are contained and therefore lost user productivity reduced.
    ■ IT staff in the schools and centers no longer will need to manually examine laptops prior to their connecting to the network.
    ■ Penn networks will be less vulnerable to performance problems caused by compromised workstations.
    ■ Users will be able to help themselves secure their own workstations, thereby avoiding compromise and the attendant loss of data and productivity.
Scan and Block (continued)
■ Challenges
  ■ Some common desktop and laptop computing environments are built on the assumption that the network is immediately available for startup scripts, filesystem mounts, domain policy enforcement, etc.
  ■ Best functionality when users install optional agent software, but that carries its own set of challenges (cooperation, distribution, updates)
  ■ Scan and Block is still a young technology
  ■ Even when S&B technology is working perfectly, ISC and campus IT partners need to find the right balance between scanning for vulnerabilities and quick login
PennNet Gateway (a Scan & Block implementation)
■ Strategy
  ■ Build on network authentication, adding vulnerability scanning
  ■ Scale up pilot deployments now
  ■ Large-scale, production deployment: Fall 2007
  ■ Cover public wireless areas
  ■ Provide in schools, centers and residential areas upon request
■ Current Status
  ■ ISC internal pilot: 27 users since April
  ■ Medicine, Nursing and Vet have expressed interest
  ■ Web interface needs Penn branding; December ETA
  ■ Pilot plans to be discussed with College House Computing
  ■ N&T, TSS & Info Security formalizing process issues (updating, testing, communications and rollout for new scans)
■ Next Steps
  ■ Expand pilot to interested schools and centers
  ■ After web interface is branded, make available for residential pilots
■ Discussion Points
  ■ Should we eventually implement Scan & Block on all wired and wireless ports?
  ■ Costs for full implementation TBD. Scan & Block early adopters are funded by the Central Service Fee