130 likes | 277 Views
SLAC’s Networks. Prepared by: Les Cottrell SLAC , for SLAC Network & Telecommunications groups Presented to Kimberley Clarke March 8 th 2011. Outline. Phone upgrade Core network & offsite connections Cell phone coverage, mobility Wireless, visitor subnet Monitoring LAN & WAN Gigamon
E N D
SLAC’s Networks Prepared by: LesCottrellSLAC, for SLAC Network & Telecommunications groups Presented to Kimberley Clarke March 8th 2011
Outline • Phone upgrade • Core network & offsite connections • Cell phone coverage, mobility • Wireless, visitor subnet • Monitoring LAN & WAN • Gigamon • VPN upgrade • IPv6, IPAM • Conclusions
Philosophy • Support getting the science done (safely) • The science is the mission • Uniformity of design (where possible) • Define standardized solutions & apply repeatedly • Limit vendors, technologies used • Leverage existing OCIO staff expertise • Engineered for robustness (e.g. redundancy) • OCIO is not staffed for 24/7 coverage • “Throwing smart (dedicated) people at issues” works as long as you do not throw them too often • Powerful, easy to use monitoring
Central phone system • Designed for low cost ($15/phone/month) , high reliability (1 unscheduled system fail in 22 years – loss power) • End of life: parts are 1988 vintage, last major update 2000 • 4000 phones, ~ 50% are non user (e.g. wall, conference room, FAX, emergency …, so can stay analog) • Evolutionary upgrade phone system using existing infrastructure (phone sets, closets, UPS, cabling) where possible to reduce costs and ensure maintainability while we: • Enable VoIP • Enable unified communications • Email/vmail integration, presence, mobility, SMS …
Network Scale • 70 major buildings, • Single site, but lots of worldwide collaborations • 300 layer 2 capable devices, 50 layer 3 • 15K end devices, 30K ports, • Support: • science (open high performance worldwide), • business (protected, e.g. HR, finances ..), • controls & monitoring systems (local HVAC, accelerator), • desktops with local & internet access • visitors
Local Area network • Core network: highly reliable, supports 10Gbps connections for: • high performance computing clusters, offsite, and buildings (edge) switches, • Redundancy for power, routers, power supplies etc. • Most wired desktops can be/are enabled for 100Mbps connections, we are upgrading to 1Gbps to the desktop for major buildings. • Segmenting and rationalizing subnets • Private (RFC1918), Internet access, printers • Subnet set/switch, removing flat earth • Improved security, isolation of problems & performance
Wide Area Network Access • Off site links: multi 10Gbps links • ESnet most production and also dedicated circuits (using MPLS) to BNL for ATLAS • Stanford and CENIC/Internet2 • One physical path down Sand Hill Rd AT&T conduits with IRU • SRCF 2nd redundant path • ACLs at borders
Mobility • WiFi: most buildings covered ~ 160WAPs • Open access, not authenticated: ease of use • No privileged access to SLAC resources • Visitor subnet: no servers, block inbound connections
Cell phones • Coverage outside good: on site macro sites for T-Mobile, Sprint, Metro-PCS and AT&T. Verizon going in across the street • In buildings: most are penetrated from outside. • Installed BDAs in a few heavily shielded buildings • Pico cell in one area • Pagers at end of life (atrophied ’60s technology)
Monitoring • Critical enabler for network and desktop admins • LAN: lookup routers, switches, ports, hosts, hosts for person, MAC & IP addresses, VLANs, provide: • History, uilization, temp, cpu, power use, weather maps, idle ports, topology • WAN: collaborations worldwide, E2E pingER & perfSONAR (multi NRENs) • GigaMon: capture packets outside border on 10Gbps links and inspect
Security • Improved security via ACLs, firewalls, • New VPN infrastructure going into place using IPSEC, • Easy to use visitor network, reasonable security • private VLANs, • blocking of in-bound sessions and outbound SMTP • Blocking of outbound SMTP
Future • Developing new roadmap for service types with differing security requirements: • science; business; guest/visitors; SLAC general networks (desktops etc.); internal networks such as controls, data acquisition • being ready to address IPv6 when DoE demands it • Network equipment IPv6 capable • better IP address management with delegation, • Mobile computing and unified communications