Adtopia_Network_Design

AdTopia Network Design TABLE OF CONTENTS I. TABLE OF CONTENTS ............................................................................................................... i II. CUSTOMER PROFILE ................................................................................................................ 1 III. OBJECTIVES................................................................................................................................ 2 1) A reliable network to interconnect Branch Offices and Headquarters............................... 2 2) The ability to collaborate via emails, calendars, and shared files....................................... 2 3) Access to advertising campaign previews for clients......................................................... 2 4) Access to network services from wireless devices............................................................. 3 5) Remote access to desktops for employees.......................................................................... 3 6) Security to protect resources from attack............................................................................ 3 7) A disaster recovery plan...................................................................................................... 4 8) Voice and Video Capabilities............................................................................................. 4 IV. IMPLEMENTATION ABSTRACT.............................................................................................. 5 Data Network Topology ............................................................................................................. 5 WAN Topology ...................................................................................................................... 5 Headquarter LAN Topology................................................................................................... 6 Branch Office LAN Topologies.............................................................................................. 8 Voice and Video ......................................................................................................................... 9 Network Changes for Telephony............................................................................................ 9 Call Processing...................................................................................................................... 11 Voice Mail ............................................................................................................................ 13 IP Phones .............................................................................................................................. 13 Reliability.............................................................................................................................. 15 Server Equipment ..................................................................................................................... 15 Server Software..................................................................................................................... 15 Server Hardware ................................................................................................................... 19 Disaster Recovery..................................................................................................................... 21 Addressing and Routing............................................................................................................ 22 Implementation Plan................................................................................................................. 25 1) WAN and Cabling Infrastructure.................................................................................. 25 2) LAN Equipment Installation......................................................................................... 26 3) Server Implementation.................................................................................................. 27 Further Information............................................................................................................... 27 Support & Maintenance Costs.................................................................................................. 28 V. LONG AND SHORT TERM GOALS........................................................................................ 29 Short Term................................................................................................................................ 29 Long Term ................................................................................................................................ 29 VI. SUMMARY................................................................................................................................. 31 VII. GLOSSARY OF TERMS............................................................................................................ 32*Asterisks indicate words that are further explained in the glossary located at the end of the document 1 CUSTOMER PROFILE AdTopia Advertising Agency is a medium-sized company with approximately 600 employees. These 600 employees are split between two branch offices and a corporate headquarters. While there are no concrete plans, additional branch offices in other cities will likely be established as the agency grows. Thus, the design must be scalable enough to meet the needs of an expanding company, as well as flexible. Because of the nature of the advertising industry, confidential data about customers and ad campaigns may need to be stored and accessed. Having a situation where information about an advertising campaign is revealed before the campaign begins, could be disastrous to both the client and AdTopia’s reputation. A disclosure such as that would give the client’s competition an opportunity to limit the campaign’s effectiveness. Because of this, information assurance* is essential to AdTopia’s networks. However, security practices must not inhibit the company from communicating and collaborating with their customers. Lastly, AdTopia is interested in the convergence of voice and data technologies. Like many organizations today, AdTopia would like to simplify maintenance and lower costs by using VoIP* technologies that enable them to send telephone calls over the same IP network that their data travels over.2 OBJECTIVES Based on the documentation that we have received from the AdTopia Advertising Agency, we have identified eight major objectives that our network design is based off of. Those objectives are as follows: 1) A reliable network to interconnect Branch Offices and Headquarters Our design connects the two branch offices with the corporate headquarters via a private Frame Relay WAN* . Additionally, optional backup Internet links at each of the branch offices offer redundancy in case of the failure of a Frame Relay link. While we recommend having the backup lines, we understand that cost is an issue as well. 2) The ability to collaborate via emails, calendars, and shared files AdTopia employees will be able to send emails to other employees at their office, employees at other branch offices, as well as external customers. Their calendars will be shared to ease in the planning of meetings. Both email and calendaring will be handled by Microsoft Exchange Server 2003* . Files will be stored on network attached storage (NAS) * devices that are located at the different branch offices. Files will be synchronized between the storage devices by using DFS* . This saves bandwidth* , but still allows all employees access to files regardless of their location. 3) Access to advertising campaign previews for clients Clients will be able to view their campaigns before they go live by means of Cisco VPN* . This will allow them to access an internal web server which will 3 host the previews. The VPN, as well as access control lists, will keep the advertising previews secure and confidential until they are ready to be unveiled. 4) Access to network services from wireless devices Wireless networks are included at each office location in this plan. Depending on AdTopia’s needs, they can be expanded easily by adding more access points. That will enable employees to use any WiFi* compatible devices at those locations. Of course, 802.1x authentication* will be required to prevent unauthorized access to corporate resources. This will also allow each connection to be associated with an individual employee. Furthermore, employees can view their emails, calendar, contacts, and tasks from mobile phones equipped with a web browser. They can do this via Outlook Mobile Access* , which ties in with Microsoft Exchange. 5) Remote access to desktops for employees The aforementioned VPN will also facilitate employees that want to remotely access their business desktops from home. Client software can be installed on their personal computers that will connect them to the VPN server. Once they have authenticated for the VPN, they can be permitted access to the internal network so that they can run Remote Desktop* to access their work desktop. 6) Security to protect resources from attack As the threats to the security of a corporation’s network and resources grow in number and in severity, security is a crucial component of any network-related project. A Cisco firewall* will be used to protect the company’s resources from 4 unauthorized access. It will also serve as the VPN access server, and is capable of doing content filtering* and antivirus scanning. Authentication will be required to access the network either through a wireless connection or through a wired port in the wall. We will use the security features of our switches to provide additional security for the VLAN’s* that carry voice traffic, by limiting access to those VLAN’s* from outside the VLAN. This is important because of the sensitive nature of many phone calls. 7) A disaster recovery plan Regardless of how well-designed a network is, having a solid disaster recovery plan is imperative. Each location has a server dedicated to doing backups. Attached to these servers are tape autoloaders* . The tape magazines are rotated offsite for several months for disaster recovery purposes. 8) Voice and Video Capabilities To make it easier for AdTopia’s employees to communicate with other employees, our network design includes IP telephony equipment. Employees can call other employees, regardless of whether they are located in the same office. Additionally, voice mail is provided for all employees, and even offers web access. Because of the critical nature of phone systems, additional reliability and redundancy has been added to the network to support these voice and video capabilities.5 IMPLEMENTATION ABSTRACT This section will describe the technical aspects of our design. It is split into sections, each of which covers one piece of the design. Data Network Topology WAN Topology Each of AdTopia’s three locations will be connected to a Frame Relay WAN by leased line connections. The corporate headquarters will have either a full T3* connection (45 Mbps), or a fractional T3 connection. Each branch office can have either a fractional T3 connections (20 Mbps), or four T1* connections (6 Mbps). While the T3 connections will provide faster performance, the T1 lines could be acceptable for most circumstances, depending on how heavily AdTopia’s employees would be using it. Additionally, the New York headquarters has a T3 connection to the Internet. Each branch office can have a T1 connection to the Internet to serve as a backup if any of the other connections has extended downtime1 . There are several reasons why we used frame relay instead of leased lines directly connecting the locations. Frame relay makes it easier to add more sites, because only the new location requires a new connection. In a hub and spoke leased line configuration, a line from the new “spoke” to the “hub” would be needed. This means that the hub location, most likely the headquarters, would need to handle a large number of individual lines from each of the spokes. So, frame relay is more scalable than leased lines in a hub and spoke configuration. The second major reason that we chose frame relay is because it is typically less expensive than leased lines. This is because with frame relay there are two different types of bandwidth. First, there is the 1 The WAN topology diagram is attached to the end of this report.6 capacity of the frame relay connection that we have. This is the maximum amount of bandwidth that can be used at any one time. Also, frame relay has what is known as a CIR* or committed information rate. The CIR is the amount of bandwidth that the frame relay customer “owns.” In other words, the CIR is the bandwidth that you can always use. The Internet connection will allow AdTopia to communicate with current and potential customers via their website, emails, and instant messages. Employees will have the ability to connect to the internal AdTopia network remotely, so that they can access their computer at work while they are at home, or send an email when they are visiting one of AdTopia’s customers. Additional branch offices could be added to the topology. The new branch office(s) would need a connection to the Frame Relay WAN. A direct connection to the Internet would not be necessary, though it could be added. Headquarter LAN Topology The New York headquarter is capable of hosting upwards of 300 users, giving AdTopia the ability to expand their human resources there by 20% before having to purchase new network hardware. The headquarters is the location of the primary Internet connection. The T3 line that connects the New York headquarters to the Internet is connected to a Cisco 3825 router. In our lower end package, this router would also serve as the company’s firewall. In our more expensive (yet more reliable, scalable, and secure) design, we have a separate firewall. This is necessary because the firewall device cannot be directly connected to the T3 Internet connection. The Cisco security device permits access to Internet facing servers, protects the internal network from attack, and enables secure VPN access to the internal network. In both designs, the Internet facing servers are located in a DMZ* , which makes them accessible from the Internet, while not endangering the internal network. 7 For our recommended proposal, the main router at the headquarters is a Cisco 7206. This would be connected directly to the Frame Relay WAN, to the firewall, and to the Cisco 6506 switch(es). In our lower end proposal, we have included a Cisco 3845 router. The Cisco 3845 router does not offer the same performance or expandability as the 7206 in terms of types of interfaces it can handle. It would be connected to a single 6506 switch and to the 3845 router that connects AdTopia to the Internet2 . The 6506 switch(es) aggregate the links from all of the access layer* switches. Each access layer switch has two gigabit uplinks to each of the 6506 switches. The 6506 switch(es) perform inter-VLAN* routing. If two of them are used, we will configure them to use load balancing HSRP. We will implement load sharing* by setting one of the 6506 switches as the active default gateway* for half of the VLAN’s and the other 6506 as the active default gateway for the other half of the VLAN’s. This will increase performance, and more importantly, add redundancy to AdTopia’s network at their headquarters, where it is most important. If one of the 6506 switches suffers a failure, then the other switch can take over. Of course, the low end package does not have a second 6500 switch, so it does not offer this additional reliability. The high end proposal utilizes Supervisor Engine* 720’s in the 6500 series switches to provide maximum performance. A 24 port CEF720 enabled3 fiber optic blade in each switch provides the uplinks for the access layer switches* . Only twelve of those ports on each switch are used in our design, giving AdTopia the ability to double the size of its headquarters by simply adding access switches. Furthermore, our design only has three blades in the 6506 2 While we have two separate proposals (“recommended” and “low end”), many of the changes could be made independently. By this, we mean that AdTopia could “mix and match” parts of both designs to meet their fiscal and functional needs. For example, AdTopia could choose to have only the one Cisco 6506 switch from the low end design, but still have the Cisco 7204 router from the higher end proposal. 3 A CEF720 enabled blade can take advantage of the full performance of a Supervisor Engine 720.8 chassis (which can hold five blades/modules and one Supervisor Engine), giving AdTopia more flexibility to adapt their network for future circumstances. A Cisco 4948 switch provides the connections to all of the internal servers hosted in New York. This switch is connected to each of the 6506’s by 10 gigabit Ethernet. A less expensive option here would be to use a single 6500 switch. Instead of using the expensive Supervisor Engine 720, we could provide the Supervisor Engine 32 instead. This does not offer the same performance, but is approximately one third of the price. We would not be able to use the same type of blade in this case, because CEF720 enabled blades are not compatible with the Supervisor Engine 32. Instead of using a separate Catalyst 4948 switch for connecting the servers, we could connect the servers directly to the 6500 switch. Each of the six Cisco 3560 access layer switches has 48 Fast Ethernet ports, and four gigabit fiber uplinks that are connected to the 6506’s. Ten Cisco Aironet 1100 access points provide wireless capabilities here. These are connected to the 3560 access switches, and receive power via Power over Ethernet4 . So, the 3560 switches provide 278 wired connections, in addition to the wireless connections provided by ten wireless access points.5 Branch Office LAN Topologies The network design of the two branch offices both feature identical topologies, making them easier to manage. Each of them is capable of connecting over 200 users to the internal AdTopia network, as well as to the Internet. A Cisco 3825 or 3845 router is connected to the Frame Relay WAN by means of either a 20 Mbps fractional T3 line, or four T1 lines. Optionally it could be connected to the Internet as well with a T1 line. (The T1 Internet connection is only for backup, under normal circumstances, all Internet traffic would run through the T3 Internet 4 Power over Ethernet provides power to the access points, and eliminates the hassle of finding outlets in the ceiling. 5 The HQ LAN topology diagram is attached at the end of this report.9 connection in New York). Access control lists on that router would ensure that the backup T1 lines cannot be used maliciously, as a way to avoid the security devices at the headquarters. Each of the branch offices also has a stack* of five Cisco 3750 switches, which connect all of the individual computers to the network. The entire stack is managed as one switch. Up to nine switches can be in one stack; this makes it easy for AdTopia to add up to 192 more employees at each branch offices before having to change the network topology. All desktops, access points, and servers at the branch offices are connected to these. Four of the switches have 48 Fast Ethernet ports. Thus, up to 192 wired connections are possible without the addition of any hardware. Ten Cisco Aironet 1100 access points are at each location to provide access to users as well. The fifth switch in the stack has 24 Gigabit ports that support Power over Ethernet. This switch supports the servers and the access points. Voice and Video Network Changes for Telephony People expect their phone systems to be highly reliable. Because telephony systems are so critical, care must be taken to ensure that they have very low amounts of downtime. The network equipment that the voice system relies upon must be solid, because any failure in the network will cause downtime for both the voice and data networks. Because of this we have added some additional redundancy to the network. We have also upgraded some of the equipment to ensure that it will handle voice traffic appropriately. Most of the redundancy we have added is to the recommended proposal. We did not add as much redundancy to our low end proposal, in an effort to keep costs down. The additional redundancy for the voice systems further enhances the advantages of our high end proposal. However, it is possible to mix and match some parts of the high end (recommended) proposal with other parts from the low end 10 proposal. We want to work with you to provide you with a network design that will fit all of your needs. In the 7200 series router at the headquarters, we have added dual power supplies. The low end proposal uses a 3845 router, which does not have dual power supplies. All calls coming from or going to outside the company will go through this voice gateway. Additionally, all calls between the offices rely upon this router because it connects to the frame relay WAN, which interconnects all AdTopia’s different locations. At the branch offices, we have upgraded the router from a Cisco 3825 to a 3845 for our recommended package. The advantage of the 3845 is that it has more network module slots. This is necessary in our high end voice design because three network modules will be used in the router. One of them will be for connecting to the Frame Relay WAN, the second is for Cisco Unity Express (Voice Mail), and the third is used for connecting to PSTN* phone trunks, which are used in case the WAN link is not available. The 3825 used in the low end design does not need three network modules, because we are using multiple T1 lines, which do not require a network module slot. Many of Cisco’s IP phones support Power over Ethernet (PoE)* . Power over Ethernet makes it easier to deploy IP telephony, because it is not necessary to use a power brick with the phones. All that has to be done is connect the phones to the network ports. For users to be able to do this, we must use a powered patch panel6 . Our recommended proposal uses sixteen T1 trunk lines for voice communications at the headquarters. This means that it can handle over 350 simultaneous calls. Our lower end proposal, however, includes only eight trunk lines to save costs. The branch offices have two 6 There are versions of the 3560 switches that support PoE by themselves, without the need for a powered patch panel. However, the higher density 48 port versions are not capable of supplying enough power for the phones on all of the ports.11 trunk lines in the low end proposal, however those are only used for backup purposes, in case the branch offices loses connectivity to the headquarters via the frame relay WAN. The high end proposal has four T1 voice lines at the branch offices. Voice traffic can withstand very little latency. This means that if voice packets take too long to reach their destination, there will be a very noticeable lag to the people talking on the phones. In a worst case scenario, the phone call could even be dropped if many packets do not make it to their destination or take excessive periods of time to do so. It is important that a network takes these issues into consideration. In our design, we plan to use QoS* to prioritize voice traffic over WAN links. Because the WAN links interconnecting the locations are much slower than the Ethernet LAN connections at site, traffic will “pile up” or be queued at the router because it will be arriving at the router faster than the router can put it onto the leased line. QoS ensures that the voice packets will be moved to the top of the queue so that their transmission will not be delayed as much. QoS can also be used to set the priority levels of other types of traffic. For instance, we could use QoS to prioritize instant messaging traffic over web traffic. Call Processing At your headquarters, call processing* is handled by either one or two Cisco Unified Communications Manager (formerly CallManager) servers, depending on which plan you look at. If two are used, they could be set up in a cluster for redundancy. Unified Communications Manager runs on the Cisco Media Convergence Server platforms, which are manufactured by HP and IBM. All of the Media Convergence Servers (MCS) in our design use hardware RAID 1 to increase their reliability. These are rack-mountable servers that run Cisco’s software to handle connections from all of the IP phones. These servers determine where the traffic needs to go. In the case of an intra-office call, the voice traffic will be send to another phone on the New York 12 City LAN. For inter-office calls, the voice packets will be sent over the frame relay WAN to the branch office. Finally, for calls that are destined for people outside of your organization, the phone call can be sent to the voice gateway* at the headquarters. The voice gateway is running on the main Cisco 7206 router at the headquarters. This router is connected to sixteen T1 voice trunks, giving it the capability to handle over 360 simultaneous calls between AdTopia and outside organizations. This number can be increased by adding more voice modules to the router. For your branch offices, we have chosen to use Cisco CallManager Express, which runs on the gateway router that connects to the frame relay WAN at the branch offices. This reduces the number of devices that have to be maintained at the branch offices, which may be beneficial if there are a limited number of IT staff members at those locations. CallManager Express is a feature license for the router, so no additional modules are used for CallManager Express. Other voice features that are running on these routers do require additional modules, as will be explained later. A very important consideration for designing an IP telephony network is what codec* to use to encode the voice traffic. We recommend the use of the G.726 codec at a 24 Kbps bit-rate to limit bandwidth used by telephone calls. In the low end plan, when using this codec, seventyfive simultaneous phone calls would saturate approximately 3 Mbps of the 6 Mbps bonded T1 lines connecting a branch office to the headquarters. The codec or bit-rate could be changed however, to improve voice quality but use more bandwidth. Alternatively, if you have more bandwidth intensive data applications, a lower bit-rate or codec could be chosen to free up more of the WAN connections for data traffic.