CPE 5013 Assignment Number 2 Network Administration Project
Presentation Contents • Organisational Context • IP Addressing Scheme • Selected site technologies • LAN/WAN Connections • Devices Employed • Security • Overall Network Topology • Other Considerations • Cost and Time to Deploy
The Organisation - WorthWools • 10 Business Units (BU) + 1 Corporate Group • Each BU has 15 Retail Sites • 4 Large Local BUs • 4 Small Local BUs • 2 Large Overseas BUs • Each Local BU has 3 Retail Sites in each State • 7 Headquarters Offices • 2 Overseas Regional HQs • 4 State Regional HQ • 1 Corporate HQ – also a State Regional HQ
Office/Site Structure (organisation chart): 1 Corporate Headquarters → 4 State Region HQs and 2 Overseas Region HQs → under the State Region HQs, 4 Large Retail Units and 4 Small Retail Units; under the Overseas Region HQs, 2 Large Retail Units → each unit has Retail Sites 1 to 15
IP Addressing – 10.x.x.x • Minimise internet routable addresses – cost/security • External IP address for each retail outlet and each HQ only • Also needed for externally accessible servers – SSL gateway • Option of 3rd party hosting for external web site • All hosts to be assigned a private IP address 10.x.x.x • Each site to be internally routable • 10 Business Units – allow maximum 32 – requires 5 bits • 15 Retail Outlets per BU – allow maximum 32 – requires 5 bits • 7 Headquarters sites also need to be allocated from the same ID space • Allocate 10 bits for the site ID (5 BU + 5 outlet), giving every site a /18 block; the 14 remaining bits are subnetted further within each site (VLSM)
IP Addressing – 10.x.x.x /18 BU/Outlet Illustration • Bit layout (BU | Outlet | Host ID): 10. 11111 111.11 000000.00000000 • IP Network Address for BU #1, Outlet #1: 10. 00001 000.01 000000.00000000 = 10.00001000.01000000.00000000 (binary) = 10.8.64.0/18
IP AddressingVLAN/Host Addresses • Still have 14 bits available • Much more than needed for number of hosts at each site • Can use some bits for further subnetting – VLANs • VLANs useful for security and decreased congestion • eg. Accounting different VLAN to other departments • Reduced traffic visibility to internal staff or hackers • Able to develop firewall rules to provide further controls • Reduces broadcast traffic – restricted to host on same VLAN • Allocate 6 bits for VLAN Number – maximum 64 per site • Remaining octet used for host ID – maximum 254 hosts per VLAN
IP Addressing – 10.x.x.x Further Subnetting via VLAN • Bit layout (BU | Outlet | VLAN | Host ID): 10. 11111 111.11 111111. 11111111 • IP Address for BU #1, Outlet #1, VLAN #1, Host #1: 10. 00001 000.01 000001. 00000001 = 10.00001000.01000001.00000001 (binary) = 10.8.65.1 (in subnet 10.8.65.0/24)
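As an added worked example (not part of the original presentation), the following Python packs and unpacks addresses under the scheme on the previous slides: 8-bit 10/8 prefix, 5-bit BU, 5-bit outlet (so a /18 per site), 6-bit VLAN (a /24 per VLAN) and 8-bit host. How the 7 HQ sites are numbered is not fixed on the slides, so the code models retail sites only; the function names are my own.

```python
"""WorthWools 10.x.x.x addressing scheme, as described on the slides.

Added example, not from the original presentation.  Field widths come from
the slides; HQ numbering is not specified there, so only retail sites are
modelled.
"""
import ipaddress

BU_BITS, OUTLET_BITS, VLAN_BITS, HOST_BITS = 5, 5, 6, 8
SITE_PREFIX = 8 + BU_BITS + OUTLET_BITS   # 10/8 + 10 site bits -> /18 per site
VLAN_PREFIX = SITE_PREFIX + VLAN_BITS     # + 6 VLAN bits        -> /24 per VLAN


def _check(name, value, bits, minimum=0):
    """Reject values that would overflow their field into a neighbour's bits."""
    if not minimum <= value < (1 << bits):
        raise ValueError(f"{name}={value} outside {minimum}..{(1 << bits) - 1}")


def site_network(bu, outlet):
    """The /18 for a Business Unit / Outlet pair, e.g. BU 1, Outlet 1 -> 10.8.64.0/18."""
    _check("bu", bu, BU_BITS)
    _check("outlet", outlet, OUTLET_BITS)
    site_id = (bu << OUTLET_BITS) | outlet                 # 10-bit site ID
    addr = (10 << 24) | (site_id << (32 - SITE_PREFIX))    # site ID sits below the 10/8 prefix
    return ipaddress.IPv4Network((addr, SITE_PREFIX))


def vlan_network(bu, outlet, vlan):
    """The /24 for one VLAN inside a site, e.g. VLAN 1 at BU 1 / Outlet 1 -> 10.8.65.0/24."""
    _check("vlan", vlan, VLAN_BITS)
    site = site_network(bu, outlet)
    addr = int(site.network_address) | (vlan << HOST_BITS)
    return ipaddress.IPv4Network((addr, VLAN_PREFIX))


def host_address(bu, outlet, vlan, host):
    """Host 1..254 inside the VLAN; 0 and 255 are the network and broadcast addresses."""
    _check("host", host, HOST_BITS, minimum=1)
    if host == 255:
        raise ValueError("host=255 is the VLAN broadcast address")
    net = vlan_network(bu, outlet, vlan)
    return ipaddress.IPv4Address(int(net.network_address) | host)


def decode(address):
    """Reverse mapping: any 10.x.x.x address back to (bu, outlet, vlan, host)."""
    a = int(ipaddress.IPv4Address(address))
    if a >> 24 != 10:
        raise ValueError(f"{address} is not inside 10.0.0.0/8")
    host = a & ((1 << HOST_BITS) - 1)
    vlan = (a >> HOST_BITS) & ((1 << VLAN_BITS) - 1)
    outlet = (a >> (HOST_BITS + VLAN_BITS)) & ((1 << OUTLET_BITS) - 1)
    bu = (a >> (HOST_BITS + VLAN_BITS + OUTLET_BITS)) & ((1 << BU_BITS) - 1)
    return bu, outlet, vlan, host


def same_vlan(addr_a, addr_b):
    """True when two hosts share a site and VLAN (i.e. see each other's broadcasts)."""
    return decode(addr_a)[:3] == decode(addr_b)[:3]


if __name__ == "__main__":
    print(site_network(1, 1), vlan_network(1, 1, 1), host_address(1, 1, 1, 1))
    print(decode("10.8.65.1"), same_vlan("10.8.65.1", "10.8.66.1"))
```

The slide's own figures come straight out of the functions: site_network(1, 1) is 10.8.64.0/18 and host_address(1, 1, 1, 1) is 10.8.65.1. The range checks matter in practice: BU 32 or VLAN 64 would silently carry into the next field and land in another site's or VLAN's block, which is exactly the kind of overlap that makes VLAN-based firewall rules wrong.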
User Requirements • 2 users per Small BU Retail Site • Limited traffic, standard applications • 20 users per Large Retail Site • Moderate traffic, standard applications • 20 users per Overseas Regional HQ • Moderate traffic, standard, custom and ad-hoc applications • 80 users per State Regional HQ • Moderate traffic, standard, custom and ad-hoc applications • 100 users per Corporate HQ • Moderate traffic, standard, custom and ad-hoc applications
Corporate Objectives • Ensure functionality • Match application requirements • Infrastructure match for traffic requirement • Minimise fixed and variable costs • Lowest cost hardware • Low maintenance costs • Communications and data secure • Traffic encrypted • Secure data storage & regular backups • Robust configuration/patching/upgrade management • Maximise uptime • Rapid problem resolution • Scalability
Selected Technology – Small Retail • Thin client PCs • Connected to corporate HQ via internet and SSL • Applications executed remotely - virtualization • Functionality • Limited applications available via terminal server • Low traffic requirement allows ADSL internet connection • Cost • Low cost hardware • Ongoing Citrix Presentation Server licensing fees • Claimed that support costs cut by 80-90% vs PC • Security • Data kept centrally and backed up • Applications kept, patched, configured centrally • SSL VPN connection, Unified Threat Management software • Uptime • Lower support requirement, all clients the same for sparing • Extremely scalable
Small Retail Site or Mobile User (diagram): Thin Client or Mobile User → SSL-encrypted VPN over the Internet (SSL/Internet request out, document back) → Corporate HQ for Small Retail, Regional HQ for Mobile Users → Virtual Terminal Sessions
Selected Technology – Large Retail • “Smart Client” PCs • Connected to Regional HQ via Leased Line with IPSec VPN • Applications, data streamed from HQ - cached on local PC • Reduced load on server and communications traffic • Functionality • Speed requirement met via leased line and local processing • Cost • Low cost hardware • Ongoing Citrix Presentation Server licensing fees • Low support costs • Security • Data kept centrally and backed up • Applications kept, patched, configured centrally • IPSec VPN connection, VLANs, Firewalls • Uptime • Lower support requirement, all clients the same for sparing • Extremely scalable
Large Retail Site (diagram): “Smart” Client at the Large Retail Site ← software streaming over a Leased Line IPSec VPN from the Regional HQ
Large Retail Topology (diagram): Workstation 1 (VLAN 10), Workstation 2 (VLAN 20), Workstation 3 (VLAN 10) → Switch → Router with hardware IPSec VPN → Leased Line to Regional HQ
Selected Technology – HQs • Full PCs • HQs connected via Leased Lines with IPSec VPN • Applications kept on local PC • Data policies for use of local file server vs PC hard disk • Functionality • Custom and ad-hoc applications available • Speed requirement met via leased line and local processing • Cost • Highest cost hardware • Scale economies through centralised IT resource at HQ for support • Security • Data policies for use of local file server • IPSec VPN connections, VLANs, Firewalls, DMZ • E-Mail Server kept on DMZ at Corporate HQ • Web Server kept on DMZ at Corporate HQ or hosted externally • Uptime • Centralised HQ support • Scalability • IP addressing to enable growth
Regional HQ Topology (diagram): Workstation 1 (VLAN 10), Workstation 2 (VLAN 20), Workstation 3 (VLAN 10) and a Laptop PC (VLAN 30) on the switch, together with Servers including the Virtual Terminal Server; a De-Militarized Zone holding a Proxy Server sits between two routers; one router terminates the leased-line hardware IPSec VPN from Large Retail, the other faces the Internet including the SSL VPN from Mobile Users
Corporate/Overseas HQ Topology (diagram): Workstation 1 (VLAN 10), Workstation 2 (VLAN 20), Workstation 3 (VLAN 10) and a Laptop PC (VLAN 30) on the switch, together with Servers including the Virtual Terminal Server, Mail Server and Web Server; a De-Militarized Zone holding a Proxy Server sits between two routers; one router terminates the leased-line hardware IPSec VPN from Large Retail and Regional HQ, the other faces the Internet including the SSL VPN from Small Retail and Mobile Users
WorthWools – The Network (topology diagram): Corporate HQ (1 state) linked by IPSec VPN to the Overseas HQs (2 countries) and to the Region HQs (4 states); each Region HQ linked by IPSec VPN to 12 Large Retail sites; Small Retail sites and Mobile Users reach HQ by VPN across the Internet
Network Topology – Assignment 1 Link – Wireless • No wireless at retail sites • Not necessary for usage • Wireless perimeter too physically close to public areas • At headquarters allow wireless • Able to roam between offices and meeting rooms • Security implementation – 802.11i (WPA2) • 802.1X EAP-TLS Authentication – RADIUS server with client and server certificates • AES-CCMP Encryption – no WEP or TKIP fallback • Access Points central – limited signal beyond perimeter • Rogue access point and intrusion detection sensors
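The access-point side of the 802.11i design above, written out as a hostapd configuration. This is an added example, not from the presentation: the interface name, SSID, channel, RADIUS server address (10.0.0.10) and shared secret are placeholders to be replaced with the HQ's own values.

```ini
# hostapd.conf for a WorthWools HQ access point (added example, not from the
# presentation).  Implements the slide's 802.11i choice: WPA2-Enterprise with
# 802.1X EAP-TLS delegated to a RADIUS server, AES-CCMP only.
# Interface, SSID, channel, RADIUS address and shared secret are placeholders.
interface=wlan0
driver=nl80211
ssid=WorthWools-HQ
hw_mode=g
channel=6

# RSN (802.11i / WPA2) only; wpa=1 or wpa=3 would also accept legacy WPA/TKIP
wpa=2
# 802.1X/EAP key management, not a pre-shared key
wpa_key_mgmt=WPA-EAP
# AES-CCMP only; listing TKIP here would reintroduce a weak cipher
rsn_pairwise=CCMP

# Every client is authenticated by the RADIUS server rather than a local EAP
# server; the RADIUS server is what enforces EAP-TLS and validates the client
# certificate against the corporate CA.
ieee8021x=1
eap_server=0
auth_server_addr=10.0.0.10
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
nas_identifier=hq-ap-01
```

The access point only relays EAP. The EAP-TLS policy itself (server certificate, trusted CA bundle, and refusing password-based methods such as PEAP/MSCHAPv2) is set on the RADIUS server, so the same checks made here (no TKIP, no PSK) have to be repeated there, and the RADIUS shared secret must be long and random because it is all that protects the AP-to-server exchange.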
Network Topology – Reliability/Uptime • Measures to consider for increased reliability/uptime • Server mirroring • RAID data storage • Leased Line ISP reliability/redundant routing paths • Failover to connections via internet • DNS/Web Caching at regional HQs • Mailbox servers at regional HQs – Gateway at corporate HQ • Long DHCP lease periods at retail sites
Data Cabling Cost Estimate – Cable Lengths, HQ Floor (floor plan diagram: Offices 1 to 6, MDF and elevator, with individual run lengths of 7 m to 24 m per outlet). Cable totals per area as shown on the plan: 104 m / 6 patch-panel ports, 48 m / 6 pp, 180 m / 10 pp, 348 m / 18 pp, 16 m / 1 pp, 60 m / 6 pp; overall 755 m / 47 pp
Data Cabling Cost Estimate • Cat 6 cable to hosts, host leads, wall connectors • Existing cable needs to be removed ? • Below floor or in ceiling ? • Raceways and cable trays • Multimode fibre backbone – laid, not pulled • Cabinets, redundant power supplies, patch panels, patch leads • Building modifications and cable shielding in certain places • Labour cost – design, installation, testing and certification • Varies Widely - use rule of thumb total cost of $300/connection • Corporate HQ = 150 connections = $45,000 • Regional HQ = 100 connections = $30,000 • Large Retail Site = 20 connections = $6,000 • Small Retail Site = 2 connections = $600
Costs - Small Retail Site • Low up front cost due to basic PC • Additional advantage of low ongoing support costs, stable platform • Gartner estimate of $8-10k per year for an unmanaged PC
Costs - Large Retail Site • Low up front cost due to basic PC and scale economies • Low ongoing support costs, stable platform vs annual license fees • Still very economical vs Gartner estimate
Costs – Overseas HQ • Higher up front cost – could be offset via hardware leasing • Higher ongoing support costs due to additional application requirements • Support costs will be high due to remote smaller HQ
Costs – Regional HQ • Higher up front cost – could be offset via hardware leasing • No client licensing fees after first year • Higher ongoing support costs due to additional application requirements • Costs, security contained due to concentrated HQ site
Costs – Corporate HQ • Similar to State Regional HQ • Additional costs due to central services – E-Mail Gateway, Web Site • Central storage site • SSL VPN Gateway for small retail sites
Total Up-Front Cost • Total first year cost of $4.5 million • Up front cost reduced due to adoption of minimalist client philosophy • Hardware leasing available if further cost smoothing preferred • Inexpensive given size of organisation
Total Per Annum Cost • Annual costs higher due to licensing fees • Small price to pay if promise of reduced IT visits by 80-90% results • Lower support costs • Higher uptime – revenue impact
Network Topology – Time to Roll Out • Accelerated roll-out • Minimalist Thin Client implementation at small sites • Minimalist Smart Client implementation at large sites • Option to pilot the configurations • Identical implementations across Business Units • Rapid roll out once one implementation type stabilised • Total time for deployment dependent on budget • For an organisation this large expected time circa two years