1. Information Systems
Information technology support is provided to all of ODOT’s divisions to enable them to perform their missions. This includes DMV services directly to citizens and to the traveling public through Internet traveler information (Trip Check). Direct services to trucking and automobile-related businesses are provided through various technology delivery mechanisms. ODOT’s internal staff is supported in their job functions via 200+ business application systems that support transportation planning and management, road and bridge design, Project Delivery, highway maintenance, revenue collection and financial management. Highway operations are directly supported through the development and support of Intelligent Transportation Systems. Information Systems supports the communications infrastructure of the agency through its telephone system, email, Intranet and two-way radio communications. Organizations outside of ODOT depend upon access to ODOT’s technology base. These agencies include Law Enforcement Data Systems, the Department of Human Services, Department of Revenue, Parks and Recreation, and the Department of Justice. ODOT data is made accessible to cities and counties as well as to the federal government through the Federal Highway Administration, AAMVA, IRS and others.
2. Opening Remarks
Focus of the Team
Doing things right (efficiency) versus
Doing the right things (effectiveness)
Illustration – Peter F. Drucker (Henry Ford vs. Buggy Whip Mfg.)
Turner & Cook Buggy Whip Co. – had the “best” buggy whips ever made, their sales were the highest they had ever been, they were very “efficient” and very profitable…right up until the day that Henry Ford rolled his first Model T off the assembly line.
Individually we as autonomous Agencies might have the “best” and “most efficient” Banyan VINES network, or best IPX traffic, or best WINS install base…but technology is changing and in a consolidated effort we’ve got to be “effective” as well.
Point – we’ve purposely moved away from “how things are done today” to “how could it be done in the future” given our changing technology
Introduction to Mike Dawson – My Chauffeur
3. CNIC Network Workgroup
Team Membership – Detailed Design
Accenture – Chris Bell, Mike Dawson, Zachary Gustafson, David Heimlicher
DAS – Frank Hoonhout, Steve Nelson
DOC – Alexandra Smith
DOR – Desi Villaescusa
DHS – Al Grapoli, Duane Smith
ODOT – Dennis Jorgenson, Randy Whitehouse
State PM / Contracted PM – Brian Sipe / Doug Freimarck
4. CNIC Network Work Group
Group chartered to define Network Detail Design for CNIC
Group met weekly to discuss the design components and work through issues
Topics discussed include:
Data Center Local Area Network (LAN) Design Recommendations
Core Network Design Recommendations
Wide Area Network (WAN) Design Recommendations
Remote Access Design Recommendations
Network Management Design Recommendations (Tools)
Network Infrastructure Services Design Recommendations
Network Naming Convention Design Recommendations
5. Data Center LAN Design Recommendations
SDC Security Zones
Isolate low, medium, and high trust zones with firewalls and physically separate the network equipment.
Allow for additional, higher-security compartments within the High Trust Zone
SDC Logical Layout
Core Layer Routers – Cisco 7600s
Main Distribution Frames – Cisco 6500 Switches / Routers (Layers 2 & 3)
Rack Layer Distribution – Cisco 6500 Switches
Access Layer – Cisco 3750 Switches
Cross-Zone Firewalls – Check Point, built on hardened O/S (Linux kernel)
Production Environment – All Network Equipment deployed in “redundant” pairs
6. Data Center LAN Design Recommendations (continued)
SDC Physical Layout
Core Routers – deployed in Telecom Room at fiber demarc
Main Distribution Switches – at opposite ends of raised floor area
Rack Distribution Switches – (redundant pairs) in center rack of each row
Access Switches – (redundant pairs) in each server rack
Connect Core Routers to Main Distribution Switches – via 1 GB under floor fiber
Connect Main Distribution Switches to Rack Distribution Switches – via 10GB under floor fiber
Connect Rack Distribution Switches to Access Switches – via 1GB overhead fiber
Connect Access Switches to Servers – via in-rack copper or fiber at 100MB or 1GB
7. Data Center Logical Network Design
8. Data Center LAN Design Recommendations (continued)
SDC IP Addressing Scheme
Use private IP Addresses for all servers without a specific requirement for public IP addresses
Use public IP address ranges for servers in the low trust zone that require public addresses, and for NAT of privately addressed servers that require access from outside the State Network
SDC VLAN Design
Create unique VLAN ranges for each Trust Zone and each environment within the Trust Zones
Do not allocate VLAN numbers higher than 999
Allocate 10 VLANS for management, 390 for the low Trust Zone, 300 for the medium Trust Zone, 200 for the high Trust Zone, and 100 for higher-Trust compartments
9. Core Network Design Recommendations
Salem Metropolitan Area Network (MAN)
Install fiber to close the MAN loop between C4 building & State Penitentiary
Install fiber to add a dual-entry connection to the MAN loop for the SDC
Extend the Qwest SHNS Ring to include the SDC
Distributed Network Core
Close the network core “loop” with a temporary 100MB connection between Eugene and Bend, until a more cost effective permanent 100MB connection can be negotiated
Upgrade the core routers in Bend and Burns to Cisco 7600s
Utilize MPLS on the network core and distribution layers to isolate agency traffic
Maintain existing agency routing protocols through initial move, and migrate to a single OSPF area design with BGP connections to external networks after the first 3 agencies are moved
Create additional core network nodes in Medford and Pendleton
10. Wide Area Network Design Recommendations
Maintain the current field office IP addressing schemes through the consolidation
Transition all field offices to the 10.x.x.x address space by the conclusion of the 2005-2007 biennium
Utilize VLAN numbers that provide “unique” identifiers for the various agencies at a field office
Consolidate WAN circuits at 28 sites across the State using MPLS-enabled routers to extend the MPLS network to the field office
Over the course of the 2005-2007 biennium, migrate access circuits from frame relay to dedicated connectivity for sites that are local to the network core nodes (per the ongoing analysis by the DAS NOC)
11. Remote Access Design Recommendations
Dial-up
Utilize the existing DAS points of presence to provide state-wide dial-up access, centralizing management of dialup at the SDC
VPN
Continue to support agency VPN platforms during migration period of SDC
Standardize on Cisco products for individual client-based VPN, centralizing management and VPN termination points in the low trust zone of the SDC LAN
Standardize on Whale Communications products for individual SSL-based VPN, centralizing management and VPN termination points in the low trust zone of the SDC LAN
Standardize on Cisco products for site-to-site VPN, centralizing management and VPN termination points in the low trust zone of the SDC LAN
Allow the CNIC Security Work Group to review and possibly modify the VPN recommendations during the detailed design stage
Citrix
Continue deploying Citrix technology where appropriate, centralizing servers and management of servers in the low trust zone of the SDC LAN
12. Network Management Design Recommendations (Tools)
Adopt HP Openview as the Enterprise Management Tool
Adopt Cisco NatKit as the Cisco Device Management Tool, assuming that the Cisco advanced services contract will be continued at the SDC. [Otherwise, adopt CiscoWorks as the Cisco Device Management Tool]
Adopt a joint solution with Cisco Network Analysis Module (NAM), Netscout Network Performance Manager and Concord e-Health as the Network Monitoring Tool
Adopt WildPackets Etherpeek NX with iNetTools as the Protocol Analysis Tool
Adopt Solarwinds as the Network Management Toolkit
Adopt Cisco IP Solution Center as the MPLS Management Tool
Adopt AirMagnet Analyzer and Surveyor as the Wireless LAN Management Tool
13. Network Infrastructure Services Design Recommendations
DNS
Provide external DNS services for all agencies using BIND
Provide secondary internal DNS services to all agencies, establishing a backup to the agency DNS services
Provide primary internal DNS services as an optional service to those agencies that wish to take advantage of a centralized DNS service
WINS
Phase WINS out of the environment in favor of a more versatile DNS solution
DHCP
Provide centralized DHCP services to the internal SDC users and to agencies that want to take advantage of a centralized DHCP service
Other
Provide DNS, DHCP, and Directory Services using Microsoft product sets
Revisit this product recommendation at the time of future directory services consolidation
14. Network Naming Convention Design Recommendations
Employ names that reflect location, device type, trust zone, and environment designator
Use device type designators for switch (-s), router (-r), firewall (-f), wireless root device (-w), and wireless client device (-wc)
Within the SDC MPOE and MDF, adopt the convention sdc-LLLL-XN, where:
LLLL is either “MPOE” or “MDF”
X is the device type
N is a numerical designator to ensure uniqueness
15. Network Naming Convention Design Recommendations (continued)
Within the SDC main rack area, adopt the convention sdc-RK-XN-AA, where:
R is the row number
K is the rack letter
X is the device type
N is a numerical designator to ensure uniqueness
A is an additional designator to indicate a trust zone other than low and an environment other than production
At field office sites, adopt the convention CCC-STREETID-XN, where:
CCC is a three-character city code
STREETID is a variable-length (maximum 8 characters) location code, which will typically reflect the street or address of the facility
X is the device type designator, as defined above in the generic naming conventions
N is a numerical designator to ensure uniqueness
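A parser and inventory audit for the SDC and field-office naming conventions described on slides 14 and 15, added here as an example (Python, not code from the presentation or the CNIC work group). It assumes the -AA suffix is omitted for low trust / production devices, that the zone and environment designators are single upper-case letters, and that city codes are upper-case; the sample inventory is constructed.

```python
import re

# Device type designators listed on the naming-convention slide
DEVICE_TYPES = {"s": "switch", "r": "router", "f": "firewall",
                "w": "wireless root device", "wc": "wireless client device"}
# "XN": device type followed by a numeric uniqueness designator ("wc" must be tried before "w")
_XN = r"(?P<dtype>wc|s|r|f|w)(?P<num>\d+)"

CONVENTIONS = {
    # sdc-LLLL-XN, where LLLL is "MPOE" or "MDF"
    "sdc-mpoe-mdf": re.compile(rf"^sdc-(?P<loc>MPOE|MDF)-{_XN}$"),
    # sdc-RK-XN-AA: R row number, K rack letter; the -AA suffix is assumed here to be
    # optional, written only for a non-low trust zone or a non-production environment
    "sdc-rack": re.compile(rf"^sdc-(?P<row>\d+)(?P<rack>[A-Z])-{_XN}(?:-(?P<zone>[A-Z])(?P<env>[A-Z]))?$"),
    # CCC-STREETID-XN: three-letter city code (assumed upper case), STREETID at most 8 characters
    "field-office": re.compile(rf"^(?P<city>[A-Z]{{3}})-(?P<street>[A-Za-z0-9]{{1,8}})-{_XN}$"),
}


def parse_device_name(name):
    """Describe a device name, or return None when it matches no convention."""
    for kind, pattern in CONVENTIONS.items():
        m = pattern.match(name)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            fields["device"] = DEVICE_TYPES[fields.pop("dtype")]
            fields["num"] = int(fields["num"])
            fields["kind"] = kind
            return fields
    return None


def audit_inventory(names):
    """Return (nonconforming names, duplicated names) for a list of device hostnames."""
    seen, bad, dupes = set(), [], []
    for n in names:
        if parse_device_name(n) is None:
            bad.append(n)
        if n in seen:
            dupes.append(n)
        seen.add(n)
    return bad, dupes


# Constructed sample inventory (not taken from the presentation)
SAMPLE = ["sdc-MPOE-r1", "sdc-MDF-s2", "sdc-3B-s1", "sdc-3B-f1-MT",
          "SAL-CAPITOL-r1", "SAL-CAPITOL-wc1", "sdc-3B-s1",
          "SAL-TRANSPORTATION-s1", "sdc-MDF-x9"]

if __name__ == "__main__":
    print(parse_device_name("sdc-3B-f1-MT"), audit_inventory(SAMPLE))
```

The audit flags the over-long STREETID and the unknown device type, and reports the duplicated rack switch name, which violates the uniqueness designator.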
16. Timeline
17. CNIC Network Work Group
Questions?
Comments?
Piggy-backs?
Editorials?