CPE 5013 Assignment Number 2 Network Administration Project
Presentation Contents
• Organisational Context
• IP Addressing Scheme
• Selected site technologies
• LAN/WAN Connections
• Devices Employed
• Security
• Overall Network Topology
• Other Considerations
• Cost and Time to Deploy
The Organisation - WorthWools
• 10 Business Units (BU) + 1 Corporate Group
• Each BU has 15 Retail Sites
• 4 Large Local BUs
• 4 Small Local BUs
• 2 Large Overseas BUs
• Each Local BU has 3 Retail Sites in each State
• 7 Headquarters Offices
• 2 Overseas Regional HQs
• 4 State Regional HQs
• 1 Corporate HQ – also a State Regional HQ
WorthWools - Business Units

Business Unit    Local/Overseas  Size   Type
WaySafe          Local           Large  Supermarket
WBig             Local           Large  Hardware
WorksOffice      Local           Large  Office Supplies
LoBi             Local           Large  Supermarket
SpencerMarks     Overseas        Large  Department Store
WareHouseThe     Overseas        Large  Hardware
SmithDick        Local           Small  Electronics
LandLiquor       Local           Small  Liquor
TexCal           Local           Small  Gasoline
RoosterRed       Local           Small  Fast Food
Corporate        Local           NA     Corporate
Office/Site Structure [organisation-chart diagram: 1 Corporate Headquarters; 4 State Regional HQs and 2 Overseas Region HQs; 4 Large Local BUs, 4 Small Local BUs and 2 Large Overseas BUs; 15 Retail Sites per BU]
IP Addressing – 10.x.x.x
• Minimise internet routable addresses – cost/security
• External IP address for each retail outlet and each HQ only
• Also needed for externally accessible servers - SSL gateway
• Option of 3rd party hosting for external web site
• All hosts to be assigned a private IP address 10.x.x.x
• Each site to be internally routable
• 10 Business Units – allow maximum 32 – requires 5 bits
• 15 Retail Outlets per BU – allow maximum 32 – requires 5 bits
• 7 Headquarters sites also need to be allocated
• Allocate 10 bits (/18 subnet mask) for site ID using VLSM
IP Addressing – 10.x.x.x /18 BU/Outlet Illustration
• Bit layout: 10 . BBBBB OOO . OO HHHHHH . HHHHHHHH (B = BU, O = Outlet, H = Host ID)
• /18 site mask: 10 . 11111 111 . 11 000000 . 00000000
• IP Network Address for BU #1, Outlet #1?
• 10 . 00001 000 . 01 000000 . 00000000
• 10 . 8 . 64 . 0
• 10.8.64.0
Business Unit/Retail Site IP Addressing – 10.0 /18

Bus Unit                   Network Address               Store    Network Address
Number  Name               Net No.        B/Cast         Number   Net No.         B/Cast
1       WaySafe            10.8.0.0       10.8.63.255    32       10.15.192.0     10.15.255
2       WBig               10.16.0.0      10.16.63.255   32       10.23.192.255   10.23.255
3       WorksOffice        10.24.0.0      10.24.63.255   32       10.31.192.0     10.31.255
4       LoBi               10.32.0.0      10.32.63.255   32       10.39.192.0     10.39.255
5       SpencerMarks       10.40.0.0      10.40.63.255   32       10.47.192.0     10.47.255
6       WareHouseThe       10.48.0.0      10.48.63.255   32       10.55.192.0     10.55.255
7       SmithDick          10.56.0.0      10.56.63.255   32       10.63.192.0     10.63.255
8       LandLiquor         10.64.0.0      10.64.63.255   32       10.71.192.0     10.71.255
9       TexCal             10.72.0.0      10.72.63.255   32       10.79.192.0     10.79.255
10      RoosterRed         10.80.0.0      10.80.63.255   32       10.87.192.0     10.87.255
11      Headquarters       10.88.0.0      10.88.63.255   32       10.95.192.0     10.95.255
12      Unused             10.96.0.0      10.96.63.255   32       10.103.192.0    10.103.255
31      Unused             10.248.0.0     10.248.63.255  32       10.255.192.0    10.255

The B/Cast values in the last column are truncated in the source; for a /18 the broadcast address ends in .255.255 (e.g. 10.15.255.255 for 10.15.192.0/18).
IP Addressing VLAN/Host Addresses
• Still have 14 bits available
• Much more than needed for number of hosts at each site
• Can use some bits for further subnetting – VLANs
• VLANs useful for security and decreased congestion
• e.g. Accounting on a different VLAN to other departments
• Reduced traffic visibility to internal staff or hackers
• Able to develop firewall rules between VLANs to provide further controls
• Reduces broadcast traffic – restricted to hosts on the same VLAN
• Allocate 6 bits for VLAN Number – maximum 64 per site
• Remaining octet used for host ID – maximum 254 hosts per VLAN
IP Addressing – 10.x.x.x Further Subnetting via VLAN
• Bit layout: 10 . BBBBB OOO . OO VVVVVV . HHHHHHHH (B = BU, O = Outlet, V = VLAN, H = Host ID)
• /24 VLAN mask: 10 . 11111 111 . 11 111111 . 00000000
• IP Address for BU #1, Outlet #1, VLAN #1, Host #1?
• 10 . 00001 000 . 01 000001 . 00000001
• 10 . 8 . 65 . 1
• 10.8.65.1
Further Subnetting – VLANs

Store                        VLAN
Name           IP            Number  Name        Net No.       B/Cast
WaySafe No. 1  10.8.64.0     1       Reserved    10.8.65.0     10.8.65.255
                             2       Managers    10.8.66.0     10.8.66.255
                             3       Accounting  10.8.67.0     10.8.67.255
                             4       Other       10.8.68.0     10.8.68.255
                             63      Unused      10.8.127.0    10.8.127.255
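Worked example of the 10.x.x.x scheme on the preceding slides (added here; not part of the original presentation): Python functions that build and decode addresses from the 5-bit BU, 5-bit outlet, 6-bit VLAN and 8-bit host fields, reproducing the 10.8.64.0/18 site network and 10.8.65.1 host address from the illustrations. The function names, the rejection of host .0/.255 and the same_vlan check are my assumptions, not part of the slides.

```python
import ipaddress

# Field widths of the slide deck's 10.x.x.x scheme (first octet fixed at 10):
# 5-bit business unit | 5-bit outlet | 6-bit VLAN | 8-bit host.
BU_BITS, OUTLET_BITS, VLAN_BITS, HOST_BITS = 5, 5, 6, 8
SITE_PREFIX = 32 - (VLAN_BITS + HOST_BITS)  # /18 per site
VLAN_PREFIX = 32 - HOST_BITS                # /24 per VLAN

def _check(name, value, bits):
    """Reject field values that do not fit in the allocated bits."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")

def site_network(bu, outlet):
    """Return the /18 site network for a business unit and retail outlet."""
    _check("bu", bu, BU_BITS)
    _check("outlet", outlet, OUTLET_BITS)
    addr = ((10 << 24) | (bu << (OUTLET_BITS + VLAN_BITS + HOST_BITS))
            | (outlet << (VLAN_BITS + HOST_BITS)))
    return ipaddress.IPv4Network((addr, SITE_PREFIX))

def vlan_network(bu, outlet, vlan):
    """Return the /24 VLAN subnet carved out of the site's /18."""
    _check("vlan", vlan, VLAN_BITS)
    addr = int(site_network(bu, outlet).network_address) | (vlan << HOST_BITS)
    return ipaddress.IPv4Network((addr, VLAN_PREFIX))

def host_address(bu, outlet, vlan, host):
    """Address of host N on a VLAN; .0 and .255 are reserved (assumption:
    network and broadcast stay unused, as in the slides' VLAN table)."""
    if not 1 <= host <= 254:
        raise ValueError("host must be 1..254")
    return vlan_network(bu, outlet, vlan).network_address + host

def decode(address):
    """Split a 10.x.x.x address back into its BU/outlet/VLAN/host fields."""
    n = int(ipaddress.IPv4Address(address))
    if n >> 24 != 10:
        raise ValueError("not a 10.x.x.x address")
    return {"bu": (n >> (OUTLET_BITS + VLAN_BITS + HOST_BITS)) & ((1 << BU_BITS) - 1),
            "outlet": (n >> (VLAN_BITS + HOST_BITS)) & ((1 << OUTLET_BITS) - 1),
            "vlan": (n >> HOST_BITS) & ((1 << VLAN_BITS) - 1),
            "host": n & ((1 << HOST_BITS) - 1)}

def same_vlan(a, b):
    """True when two hosts share site and VLAN, i.e. traffic between them never
    crosses the router/firewall that separates VLANs in the slides' design."""
    fa, fb = decode(a), decode(b)
    return all(fa[k] == fb[k] for k in ("bu", "outlet", "vlan"))
```

Because the field boundaries are fixed, decode() can be run over a firewall or DHCP log to tell at a glance which BU, outlet and VLAN an address belongs to.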
User Requirements
• 2 users per Small BU Retail Site
• Limited traffic, standard applications
• 20 users per Large Retail Site
• Moderate traffic, standard applications
• 20 users per Overseas Regional HQ
• Moderate traffic, standard, custom and ad-hoc applications
• 80 users per State Regional HQ
• Moderate traffic, standard, custom and ad-hoc applications
• 100 users per Corporate HQ
• Moderate traffic, standard, custom and ad-hoc applications
Corporate Objectives
• Ensure functionality
  • Match application requirements
  • Infrastructure match for traffic requirement
• Minimise fixed and variable costs
  • Lowest cost hardware
  • Low maintenance costs
• Communications and data secure
  • Traffic encrypted
  • Secure data storage & regular backups
  • Robust configuration/patching/upgrade management
• Maximise uptime
  • Rapid problem resolution
• Scalability
Selected Technology – Small Retail
• Thin client PCs
• Connected to corporate HQ via internet and SSL
• Applications executed remotely - virtualization
• Functionality
  • Limited applications available via terminal server
  • Low traffic requirement allows ADSL internet connection
• Cost
  • Low cost hardware
  • Ongoing Citrix Presentation Server licensing fees
  • Claimed that support costs cut by 80-90% vs PC
• Security
  • Data kept centrally and backed up
  • Applications kept, patched, configured centrally
  • SSL VPN connection, Unified Threat Management software
• Uptime
  • Lower support requirement, all clients the same for sparing
• Extremely scalable
Small Retail Site or Mobile User [diagram: a Thin Client or Mobile User sends a document request over an SSL-encrypted VPN across the Internet to Corporate HQ (Small Retail) or Regional HQ (Mobile User), where Virtual Terminal Sessions run]
Selected Technology – Large Retail
• “Smart Client” PCs
• Connected to Regional HQ via Leased Line with IPSec VPN
• Applications, data streamed from HQ - cached on local PC
• Reduced load on server and communications traffic
• Functionality
  • Speed requirement met via leased line and local processing
• Cost
  • Low cost hardware
  • Ongoing Citrix Presentation Server licensing fees
  • Low support costs
• Security
  • Data kept centrally and backed up
  • Applications kept, patched, configured centrally
  • IPSec VPN connection, VLANs, Firewalls
• Uptime
  • Lower support requirement, all clients the same for sparing
• Extremely scalable
Large Retail Site [diagram: the “Smart” Client at the Large Retail Site connects over a Leased Line with IPSec VPN to the Regional HQ, which streams software to the client]
Large Retail Topology [diagram: Workstation 1 (VLAN 10), Workstation 2 (VLAN 20) and Workstation 3 (VLAN 10) on a Switch behind a Router with Hardware IPSec VPN over the Leased Line to Regional HQ]
Selected Technology – HQs
• Full PCs
• HQs connected via Leased Lines with IPSec VPN
• Applications kept on local PC
• Data policies for use of local file server vs PC hard disk
• Functionality
  • Custom and ad-hoc applications available
  • Speed requirement met via leased line and local processing
• Cost
  • Highest cost hardware
  • Scale economies through centralised IT resource at HQ for support
• Security
  • Data policies for use of local file server
  • IPSec VPN connections, VLANs, Firewalls, DMZ
  • E-Mail Server kept on DMZ at Corporate HQ
  • Web Server kept on DMZ at Corporate HQ or hosted externally
• Uptime
  • Centralised HQ support
• Scalability
  • IP addressing to enable growth
Regional HQ Topology [diagram: a Router terminates the Leased Line with Hardware IPSec VPN from Large Retail and the Internet connection including SSL VPN from Mobile Users; behind it a Switch carries Workstation 1 (VLAN 10), Workstation 2 (VLAN 20), Workstation 3 (VLAN 10), a Laptop PC (VLAN 30) and Servers including a Virtual Terminal Server; a De-Militarized Zone holds the Proxy Server]
Corporate/Overseas HQ Topology [diagram: a Router terminates the Leased Line with Hardware IPSec VPN from Large Retail and Regional HQ and the Internet connection including SSL VPN from Small Retail/Mobile users; behind it a Switch carries Workstation 1 (VLAN 10), Workstation 2 (VLAN 20), Workstation 3 (VLAN 10), a Laptop PC (VLAN 30) and Servers including Virtual Terminal Server, Mail Server and Web Server; a De-Militarized Zone holds the Proxy Server]
WorthWools – The Network [diagram: Corporate HQ (1 State) linked by IPSec VPN to the Overseas HQs (2 Countries) and the Region HQs (4 States); Large Retail sites (12 per Region HQ) connect to their Region HQ by IPSec VPN; Small Retail sites and Mobile Users connect over the Internet VPN]
Network Topology Assignment 1 Link - Wireless
• No wireless at retail sites
  • Not necessary for usage
  • Wireless perimeter too physically close to public areas
• At headquarters allow wireless
  • Able to roam between offices and meeting rooms
• Security implementation – 802.11i
  • 802.1X EAP-TLS Authentication – RADIUS/Certificates
  • AES Encryption
  • Access Points central – limited signal beyond perimeter
  • Rogue access point and intrusion detection sensors
Network Topology Reliability/Uptime
• Measures to consider for increased reliability/uptime
• Server mirroring
• RAID data storage
• Leased Line ISP reliability/redundant routing paths
• Failover to connections via internet
• DNS/Web Caching at regional HQs
• Mailbox servers at regional HQs – Gateway at corporate HQ
• Long DHCP lease periods at retail sites
Data Cabling Cost Estimate – Cable Lengths, HQ Floor [floor-plan diagram: per-office cable run lengths in metres from the MDF and elevator riser, with patch-panel port (pp) counts of 6, 6, 10, 1, 6 and 18 per zone; totals 755 m and 47 pp]
Data Cabling Cost Estimate
• Cat 6 cable to hosts, host leads, wall connectors
• Existing cable needs to be removed?
• Below floor or in ceiling?
• Raceways and cable trays
• Multimode fibre backbone – laid, not pulled
• Cabinets, redundant power supplies, patch panels, patch leads
• Building modifications and cable shielding in certain places
• Labour cost – design, installation, testing and certification
• Varies widely - use rule of thumb total cost of $300/connection
• Corporate HQ = 150 connections = $45,000
• Regional HQ = 100 connections = $30,000
• Large Retail Site = 20 connections = $6,000
• Small Retail Site = 2 connections = $600
Costs - Small Retail Site

No.    Equipment                                              Up Front   Per Annum
2      Thin Client PC                                         $2,000     $0
1      Juniper SSG 20 ADSL Router and Unified Threat Mgmt     $1,500     $100
1      ISP Connection                                         $0         $500
2      Citrix Presentation Server Client                      $600       $80
2      Windows Terminal Server                                $1,500     $0
1      Cabling                                                $600       $0
1/15   HP ProLiant Server - 1U @ Corporate HQ                 $500       $0
1/15   Citrix Metaframe Server @ Corporate HQ                 $0         $500
       Total                                                  $6,700     $1,180
       Total Per User                                         $3,350     $590

• Low up front cost due to basic PC
• Additional advantage of low ongoing support costs, stable platform
• Gartner estimate of $8-10k annual cost for an unmanaged PC
Costs - Large Retail Site

No.    Equipment                                                        Up Front   Per Annum
20     Diskless Smart Client PC                                         $20,000    $0
1      Juniper SSG 140 Router with Hardware IPSec                       $4,000     $0
1      Leased Line to Regional HQ                                       $0         $12,000
1      Cisco Catalyst 2900 24 port VLAN Switch                          $1,000     $0
20     Citrix Ardence SmartClient Software                              $0         $3,000
1      Cabling                                                          $6,000     $0
1/12   Cisco 3060 100 Mbps VPN Concentrator @ Regional HQ               $2,000     $0
1/6    Dell PowerEdge 2950 Server – 4.5 TB storage @ Regional HQ        $500       $0
       Total                                                            $33,500    $15,000
       Total Per User                                                   $1,575     $750

• Low up front cost due to basic PC and scale economies
• Low ongoing support costs, stable platform vs annual license fees
• Still very economical vs Gartner estimate
Costs – Overseas HQ

No.    Equipment                                          Up Front           Per Annum
20     Normal PCs                                         $30,000            $0
1      Cisco 2800 Router                                  $4,000             $0
1      Cisco 3060 100 Mbps VPN Concentrator               See large retail   $0
1      Cisco 2800 series Router                           $4,000             $0
1      Cisco Catalyst 2900 24 port VLAN Switch            $1,000             $0
1      Cabling                                            $6,000             $0
2      Dell PowerEdge 2950 Server – 4.5 TB storage        See large retail   $0
       Total                                              $45,000            $0
       Total Per User (not incl NAS)                      $2,250             $0

• Higher up front cost – could be offset via hardware leasing
• Higher ongoing support costs due to additional application requirements
• Support costs will be high due to remote smaller HQ
Costs – Regional HQ

No.    Equipment                                          Up Front           Per Annum
80     Normal PCs                                         $120,000           $0
1      Cisco 3845 Router                                  $12,000            $0
1      Cisco 3060 100 Mbps VPN Concentrator               See large retail   $0
1      Cisco 2800 series Router                           $4,000             $0
4      Cisco Catalyst 2900 24 port VLAN Switch            $4,000             $0
1      Cabling                                            $30,000            $0
2      Dell PowerEdge 2950 Server – 4.5 TB storage        See large retail   $0
       Total                                              $170,000           $0
       Total Per User                                     $2,125             $0

• Higher up front cost – could be offset via hardware leasing
• No client licensing fees after first year
• Higher ongoing support costs due to additional application requirements
• Costs, security contained due to concentrated HQ site
Costs – Corporate HQ

No.    Equipment                                          Up Front           Per Annum
100    Normal PCs                                         $150,000           $0
1      Cisco 3845 Router                                  $12,000            $0
1      Cisco 3060 100 Mbps VPN Concentrator               See large retail   $0
4      HP ProLiant Server - 1U                            See small retail   $0
1      Cisco 2800 series Router                           $4,000             $0
6      Catalyst 2900 24 port VLAN Switch                  $6,000             $0
1      Cabling                                            $30,000            $0
2      Dell PowerEdge 2950 Server – 4.5 TB storage        See large retail   $0
1      Dell PowerVault NX1950 - Corporate NAS/SAN         $30,000            $0
       Total                                              $232,000           $0
       Total Per User (not incl NAS)                      $2,020             $0

• Similar to State regional HQ
• Additional costs due to central services – E-Mail Gateway, Web Site
• Central storage site
• SSL VPN Gateway for small retail sites
Total Up-Front Cost

No.    Type                              Unit Cost   Total
60     Small Retail                      $6,700      $402,000
90     Large Retail                      $33,500     $3,015,000
2      Overseas HQ                       $45,000     $90,000
4      Regional HQ                       $170,000    $680,000
1      Corporate HQ                      $232,000    $232,000
       Total                                         $4,419,000
       Total per User (2,380 users)                  $1,860

• Total first year cost of $4.5 million
• Up front cost reduced due to adoption of minimalist client philosophy
• Hardware leasing available if further cost smoothing preferred
• Inexpensive given size of organisation
Total Per Annum Cost

No.    Type                              Unit Cost   Total
60     Small Retail                      $1,180      $70,800
90     Large Retail                      $15,000     $1,350,000
2      Overseas HQ                       $0          $0
4      Regional HQ                       $0          $0
1      Corporate HQ                      $0          $0
       Total                                         $1,420,800
       Total per User (2,380 users)                  $765

• Annual costs higher due to licensing fees
• Small price to pay if promise of reduced IT visits by 80-90% results
• Lower support costs
• Higher uptime – revenue impact
Network Topology Time to Roll Out
• Accelerated roll-out
• Minimalist Thin Client implementation at small sites
• Minimalist Smart Client implementation at large sites
• Option to pilot the configurations
• Identical implementations across Business Units
• Rapid roll out once one implementation type stabilised
• Total time for deployment dependent on budget
• For an organisation this large expected time circa two years