Revision: 1.6a Date: 12th March Network Equipment and Interconnectivity Guide

(1)

Network Equipment and

Interconnectivity Guide

Revision:

1.6a

(2)

Network Equipment Guide v1.6a ₂

Version Control

Ver Date Who Notes

1.1 14 December 2011 JRM Document created

1.4 17 January 2012 JRM Core/FM/Edge/Wifi specified 1.4 18 January 2012 JRM PNT amendments

1.4 18 January 2012 PNT PNT amendments

1.4 19 January 2012 JRM Fix testing and documentation 1.5 02 February 2012 RPS Added consultant’s comments 1.6 06 February 2012 PNT Minor amendments and additions 1.6a 12 March 2012 PNT Minor amendments

(4)

Network Equipment Guide v1.6a ₄

1 Networking Equipment Guide – Outline

1.1 Purpose of this document

This document forms the basis of the requirements specification to be used in all new projects where any aspects of IT networking are involved, including, but not limited to, provision of wiring centres, ducts, inter- and intra-building connectivity, active and passive equipment, security, authentication, and data-related services.

Within this document, the term Specification refers to the most recent version of the University of York IT Services Network Infrastructure Specification, which form a part of this requirement.

The basic principle is that sufficient provision will be made for a secure, pervasive, highly resilient and easily managed data network, capable of meeting all of the University’s requirements for a “converged” network system. This network system is required to carry CCTV, Access Control, Building and Energy Management (BEMS) , IP Telephony (IPT, VoIP), and Electronic Point of Sale (EPoS) traffic in a secure and reliable fashion and in accordance with any statutory or industry requirements, separately from student traffic, and separately from research and administrative traffic. At present, this is achieved using separate OSPF routing meshes for the networks.

To this end, it is a requirement of any network infrastructure designed or installed for the University, whether including active components or not, that it be capable of management and monitoring in detail by the University of York IT Services / Information Directorate Network Group. In recent years the Network Group has made a large investment in developing management and monitoring systems, and any network provision must be fully compatible with these requirements.

One of the essential features of the University network is the combination of the “one port fits all” concept in conjunction with flood patching. This allows the deployment and movement of many types of network-attached device with minimal intervention, dramatically reducing the resource required to deal with moves, adds, and changes.

At the time of writing the University network has approximately 900 Ethernet switches of various ages, providing approximately 30,000 edge ports in over 200 wiring centres. As wiring centres have, on average, one switch that can only be half-utilised (due to the inevitable difference in numbers between installed data outlets and available ports on a switch), one would expect at least 4800 ports to be unused. In fact there are over 25,000 devices registered for use on the network, some of which have multiple interfaces, so it can be seen that there is only a small overprovision. The initial capital cost of flood patching is quickly offset by the reduction in the technical staff costs that would otherwise be required. Any network solution must therefore adopt the same flood-patched universal “one port fits all” regime.

It is recommended that this document be read in conjunction with the latest version of the IT Services Network Infrastructure Specification, copies of which are available on request.

(5)

Network Equipment Guide v1.6a ₅

2 Network Infrastructure requirement for new builds

2.1 Ducting and Fibre

All new builds including Heslington East New Goodricke and Heslington East Cluster I have multiple ducting and fibre routes into every building allowing us to build a resilient Network architecture. Designed into each major build area e.g. Cluster I or Cluster II are at least two networking “distribution” points – typically part of a Data Centre, PABX telephone room or built onto an electrical substation. These distribution points will be the focal point for ducting and fibres within each area with onward connectivity to other areas e.g. in Cluster I, S2 PBX connects to the northern Heslington East combined utilities corridor, TFTA connects to the southern Heslington East combined utilities corridor, and these two locations connect eastwards to substations LTA/SUB and LBR/SUB.

The Combined Utilities Corridor (CUC) uses Emtelle’s heavy duty 14/10mm microducts (Product code 8506) tie-wrapped in a 7 way bundle as specified in the IT Services Network Infrastructure Specification, Appendix 4. Each microduct in the bundle has a different colour.

2.1.1 Example Fibre Interconnects – Cluster I

Illustrated here are all the major wiring centres for the Heslington East Cluster I buildings as well as Cluster I distribution points TFTA (Data Centre) and S2 PABX (GNU/SUB Telephone Exchange). Inter-building links on Cluster 1 will typically use the 7 way variant of Emtelle’s Direct Install product (Product code 6438) which uses 5/3.5mm microducts.

Figure 1: Example of blown-fibre interconnection

48 Core SM L/PBX-> Hes East S2PBX 48 Core SM L/PBX-> Hes East S2PBX

Legend

12 core OS1 12 core OM3 48 core OS1

TFTV Computer Science The Hub

Law & Management

Catalyst Building S2 PABX TFTA WC1 (G79) WC2 (G67) CT09 WC2 (064C) WC1 (025) WC4 (271F) WC3 (227) WC1 (012A) WC2 (125) WC1 (004) WC2 (048) WC3 (139A)

XSAN Server Room

25 June

30 June Ready for service date

48 Core SM L/PBX-> Hes East TFTA

<<<< L/PBX

<<<< ATB

48 Core SM ATB -> S2PBX 48 Core SM ATB -> Hes East S2PBX

(6)

2.2 Network Topology

Any active network and ancillary equipment, including but not limited to Ethernet switches, routers, media converters, storage devices, firewalls and wireless equipment, shall be of a type approved by IT Services / Information Directorate as these devices must integrate with existing infrastructure. Ethernet routing devices, Ethernet switches, WAPs, firewalls, etc must be capable of management from a command line accessible by serial port, SSH and by the SNMP protocol, and must not rely on menu-driven or web-based methods. To avoid

congestion, the industry-standard general principle that all feed ports shall be of several times (normally ten times) the capacity of the ports they feed shall be adhered to.

IP addresses, both “public” (owned by or allocated to the University of York or its partner organisations) and “private” (RFC 1918 and RFC 3330/5735) and VLAN IDs must be

allocated by the IT Services / Information Directorate Network Group. Other IP addresses, ie any not controlled by IT Services / Information Directorate and not part of an allocated “private” range, are not permitted. Use of NAT (network address translation) is not permitted. All devices connected to the network must be registered in the Information Directorate LAN database before commissioning them on the network.

Contractors must request the registration of devices and allocation of IP addresses via a web form. The application form and explanatory notes are accessible at the “Information for Contractors” webpage at http://www.york.ac.uk/it-services/info/contractors/ The form requires a username and password, which is allocated on a one-per-company basis, and there is a link on the explanatory notes web page which may be used to request this.

The developer will allow for the University of York IT Services / Information Directorate to design the network architecture and to prepare suitable kits lists, fibre connectivity diagrams, rack layouts for provision as part of their contract. The IT Services department will also provide configuration files for approved devices ready for procurement from and installation by University preferred data equipment vendors with the final commissioning and

connection to the campus Network by University of York IT Services staff. To be able to do this IT Services require data outlet port counts along with drawn up diagrams showing positions of data outlets – particularly showing the location of Wireless Access Points, Access Control, EPoS and BEMS devices.

Where rack space to house third-party equipment is required in IT Services data racks the space allocation will be carried out and documented by the University of York IT Services.

2.2.1 Edge Network

Any new developments edge network must utilise the latest type of the following device/devices.

The edge network is based around the HP Procurve 2620 range (or its successor) of 48 port 10/100 Power Over Ethernet (PoE) switches for most applications and the HP Procurve 2910 range (or its successor) of 48 port 10/100/1000 PoE switches where higher performance is required e.g. specialist labs. All wiring centre outlets should be flood patched whether required or not. The switches will be configured to support the Universities “One Port Fits All” architecture allowing simple, safe and seamless connection of devices, whether that be a door lock, till or a high performance user device.

(7)

Network Equipment Guide v1.6a ₇

o Ethernet switches, including routing devices, must support, as a minimum, the following features and protocols:

 At least 48 x autosensing 10/100Mb/s RJ45 ports (this restriction may be relaxed for devices serving a purely Layer 3 routing function and equipped with more than 24 optical ports)  RS232-compatible serial console port

 802.1p Class of Service and traffic prioritisation with at least 4 queues

 802.1Q VLANs, at least 64 per device  multiple subnets

 CIDR  LLDP  LLDP-MED  Voice VLANs

 802.3af PoE or 802.3at PoE+  pre-standard PoE support  configurable Auto-MDIX

 At least two Gigabit optical ports using SX and LX SFP transceivers

 RADIUS authentication and accounting

 Multilink trunking (supporting both LACP and manual configuration)

 IGMP snooping

 802.1X authentication, with multiple 802.1X users per port  MAC address-based port authentication to RADIUS  Multiple authentication methods per port

 VLAN allocation per port by RADIUS  MAC address limiting

 MAC address lockout  Source-port filtering

 Configurable logging using SYSLOG  SNTP

 SNMP v3  RMON  SFLOW

 Availability of all relevant standard and proprietary MIBs  Port monitoring, including remote port monitoring  Port mirroring

 DHCP snooping with DHCP protection  Broadcast limiting

 rate limiting

 802.1s multiple (per-VLAN) Spanning Tree Protocol

 software/firmware updates available for a minimum of 5 years  command line interface

 SSHv2

 TFTP file transfer

 Secure FTP (SFTP) file transfer

 Dual flash images for firmware and configuration files  Flexible mounting options including standard 19” rack

mounting

o Switches supporting Gigabit RJ45 ports must additionally support:  At least 24 x autosensing 10/100/1000Mb/s RJ45 ports



At least two (and normally four) 10G optical ports using SR and LR SFP+ transceivers

(8)

Network Equipment Guide v1.6a ₈

2.2.2 The Core Data Network

Any new developments Core data network must utilise the latest type of the following device/devices.

The core/distribution data network will be configured as an OSPF mesh based around the HP Procurve 5400zl range (or its successor) of modular switch routers housed within Data Centres, Substations or major wiring centres with multiple 10Gbit/s diversely routed uplinks.

o Ethernet routing devices must support, in addition to all of the above, the following:

 IPv4 Layer 3 routing  IPv6 Layer 3 routing

 RIP, RIP2 and OSPF3 routing protocols  static routes

 multinetting

 per-VLAN DHCP forwarding to multiple destinations  flow control

 ACLs (access control lists)  IP address lockout

 VRRP (Virtual Router Redundancy Protocol)  IGMP

 MLD (Multicast Listener Discovery)  PIM sparse and dense modes

 At least four optical ports using SR and LR SFP+ transceivers o In certain locations, Ethernet routing devices must also support:

 MPLS

2.2.3 Core FM Network

Any new developments Core FM network must utilise the latest type of the following device/devices.

The FM network is also based around the HP Procurve 5400zl (or its successor) range of modular switch routers housed within distribution centres (substations/PABX etc). These separately feed into edge switches giving out-of-band, resilient and compliant Facilities Management networking to support an ever increasing list of FM devices (IP Telephony, CCTV, Access Control, EPoS, eSuds, Alarm panels, BEMS, ...). There are also separate fibre feeds from each relevant substation to support car park barriers & associated devices.

2.2.4 Wireless

All buildings should have an internal data infrastructure to support pervasive internal wireless coverage and additional outlets and ducting to facilitate external Wireless Access Points where appropriate. Currently the Wireless architecture used by the University is by Aruba and supports B, G & N dual-band high density technologies. Any wireless solution must be a centrally managed dual-band thin client wireless solution that does not require VLANs to be presented from the network core directly to individual Wireless Access Points.

o Wireless coverage shall be provided in all communal areas, seminar rooms, lecture theatres, and all study bedrooms.

(9)

Network Equipment Guide v1.6a ₉

o Additional provision for wireless coverage shall be made for all office and research areas.

o Provision shall be made for future coverage of outdoor spaces.

o Wireless bandwidth shall be provided using the 2.4GHz band to support 802.11g and 802.11n, and also in the 5GHz band to support 802.11n. o All wireless connectivity shall be secured by WPA2-Enterprise.

o All wireless access point configuration and management shall be carried out on central controllers.

o All wireless traffic shall be carried on Network Access Service VLANs and subnets local to the access point.

o It shall not be necessary to carry specific VLANs or subnets from the network core to outlying wireless access points; APs shall use local addresses, subnets, and VLANs to communicate with central controllers. o Wireless APs and their controllers must be capable of management and

monitoring by SNMP.

o Wireless controllers (and APs if not “thin” APs) must be capable of management by automatically or semi-automatically run scripts without the use of proprietary software.

o Wireless controllers (and APs if not “thin” APs) must be capable of management from a command line accessible by serial port and by the SSHv2 protocol, and must not rely on menu-driven or web-based methods.

(10)

Network Equipment Guide v1.6a ₁₀

2.3 Testing and Documentation

No part of the network cabling or fibre-optic infrastructure shall be deemed complete or fit for purpose until standards-based test results in the appropriate format are received by IT Services / Information Directorate Network Group.

No powered device shall be deemed ready for use until it is issued with a PAT certificate provided to the University or has a readily-visible sticker showing the date of testing, renewal date, and the initials or signature of the tester.

No active device or network segment installed by other than IT Services shall be deemed ready for use until it is capable of being monitored using SNMP by the IT Services / Information Directorate network monitoring system.

(11)

LACP e 3 gnurs0(ospf.201) 144.32.200.6 g d ia 1 sw 1 g d ia 1 sw 0 g d ia 1 sw 3 g d ia 1 sw 2 g d ia 2 sw 1 g d ia 2 sw 0 g d ia 2 sw 3 g d ia 2 sw 2 g d ia 2 sw 5 g d ia 2 sw 4 g d ib 1 sw 1 g d ib 1 sw 0 g b aa 1 sw 1 g b aa 1 sw 0 g d ia 1 sw 3 g b aa 1 sw 2 g sh cs w 1 g sh cs w 0 g sh b sw 1 g sh b sw 0 g n u sw 1 g n u sw 0 g b aa 1 sw 5 g b aa 1 sw 4 g b aa 1 sw 7 g b aa 1 sw 6 g b aa 2 sw 1 g b aa 2 sw 0 g d ia 2 sw 3 g b aa 2 sw 2 g b aa 2 sw 4 g sh a1 sw 1 g sh a1 sw 0 g sh a1 sw 3 g sh a1 sw 2 g sh a2 sw 1 g sh a2 sw 0 g sh a2 sw 2 e 1 _e5 _e2 _e4 _e6 _e7 _a1 e 1 1 e 1 2 e 1 0 e 8 gnufr0 144.32.187.161/28 a1 c1 c2 c3 c4 d1 b1 b2 d2 d3 e 9 a16 d4 f3 f2 hepbxrs0(ospf.200) 144.32.200.1 f2 f1 hepbxfr1 144.32.187.193/28 a1 a2 b17 b22 a2 a1 fm o s p f 2 3 1 3 b19 b20 b21 HUB (218) rch2rs0(ospf.219) 10.4.218.2 rch1rs0(ospf.218) R 10.4.218.1 c1 d2 d1 d3 d1 c2 d3 b24 b22 b24 o s p f 2 0 9 4 o s p f 2 2 0 3 ospf 2208 2211 2212 HEPBX GNU (200) (5,6) (7,8) (1) (24) (1) (18?)(12) (8) rc h 1 sw 0 rc h 1 sw 1 rc h 1 sw 2 rc h 1 sw 3 rc h 1 sw 4 rc h 1 sw 5 rc h 1 sw 6 rc h 1 sw 7 rc h 1 sw 8 rc h 1 sw 9 rc h 1 sw 1 0 rc h 1 sw 1 1 rc h 1 sw 1 2 rc h 1 sw 1 3 rc h 1 sw 1 4 rc h 1 sw 1 5 rc h 1 sw 1 6 rc h 1 sw 1 7 rc h 1 sw 1 8 b 1 7 -1 8 b 1 5 -1 6 b 1 3 -1 4 b 1 1 -1 2 b 9 -1 0 a 1 3 -1 4 a 1 1 -1 2 a 9 -1 0 a 7 -8 a 5 -6 a 3 -4 a 1 -2 b 7 -8 b 5 -6 b 3 -4 a 1 5 -1 6 a 1 7 -1 8 a 1 9 -2 0 a 2 1 -2 2 rc h 2 sw 0 rc h 2 sw 1 rc h 2 sw 2 rc h 2 sw 3 rc h 2 sw 4 rc h 2 sw 5 rc h 2 sw 6 rc h 2 sw 7 rc h 2 sw 8 rc h 2 sw 9 rc h 2 sw 1 0 rc h 2 sw 1 1 rc h 2 sw 1 2 b 1 1 -1 2 b 9 -1 0 b 7 -8 b 1 3 -1 4 b 1 5 -1 6 b 1 7 -1 8 a 4 -5 a3-4 a 1 -2 b 5 -6 b3-4 a 7 -8 a 9 -1 0 (7) (6) (1) (13) (24) h ep b x sw 0 h ep b x sw 1 b21 (4) (6) (16) (5) 2 2 0 0 (16) (18) (6) (1) siemens siemens b23,24 Trk1 a9,10:Trk2 IPT ICC pbxfr0-Trk1 (9) tftv priv? Typical Residential Architecture Typical University Non-residential Architecture Typical Distribution architecture CORE CORE CORE CORE FM FM KEY

Core Layer 3 router FM Layer 3 router Office Edge Switch

Residential Edge Switch 1 Gb Residential Network 10Gb Core Network 1 Gb FM Network 1 Gb Office Network

(12)