CPE 5013 Assignment Number 2 Network Administration Project

Presentation Contents

• Organisational Context

• IP Addressing Scheme

• Selected site technologies

• LAN/WAN Connections

• Devices Employed

• Security

• Overall Network Topology

• Other Considerations

• Cost and Time to Deploy

The Organisation - WorthWools

• 10 Business Units (BU) + 1 Corporate Group

• Each BU has 15 Retail Sites

• 4 Large Local BUs

• 4 Small Local BUs

• 2 Large Overseas BUs

• Each Local BU has 3 Retail Sites in each State

• 7 Headquarters Offices

• 2 Overseas Regional HQs

• 4 State Regional HQ

• 1 Corporate HQ – also a State Regional HQ

WorthWools - Business Units

| Business Unit | Location | Size | Type |
|---|---|---|---|
| WaySafe | Local | Large | Supermarket |
| WBig | Local | Large | Hardware |
| WorksOffice | Local | Large | Office Supplies |
| LoBi | Local | Large | Supermarket |
| SpencerMarks | Overseas | Large | Department Store |
| WareHouseThe | Overseas | Large | Hardware |
| SmithDick | Local | Small | Electronics |
| LandLiquor | Local | Small | Liquor |
| TexCal | Local | Small | Gasoline |
| RoosterRed | Local | Small | Fast Food |
| Corporate | Local | NA | Corporate |

Office/Site Structure

[Diagram: organisation hierarchy with boxes for Corporate Headquarters, Overseas Region HQ, State Region HQ, Large Retail Unit and Small Retail Unit, with Retail Sites 1 to 15 under each unit.]

IP Addressing – 10.x.x.x

• Minimise internet routable addresses – cost/security

• External IP address for each retail outlet and each HQ only

• Also needed for externally accessible servers - SSL gateway

• Option of 3rd party hosting for external web site

• All hosts to be assigned a private IP address 10.x.x.x

• Each site to be internally routable

• 10 Business Units – allow maximum 32 – requires 5 bits

• 15 Retail Outlets per BU – allow maximum 32 – requires 5 bits

• 7 Headquarters sites also need to be allocated

• Allocate 10 bits (/18 subnet mask) for site ID using VLSM

IP Addressing – 10.x.x.x /18: BU/Outlet Illustration

Bit fields: BU | Outlet | Host ID

• 10. 11111 111.11 000000.00000000

IP Network Address for BU #1, Outlet #1?

• 10. 00001 000.01 000000.00000000

• 10.1000.1000000.0

• 10.8.64.0

Business Unit/Retail Site IP Addressing – 10.0.0.0 /18

| Bus Unit Number | Bus Unit Name | Network Address | Store Number | Store Net No. | Store B/Cast |
|---|---|---|---|---|---|
| 1 | WaySafe | 10.8.0.0 | 1 | 10.8.0.0 | 10.8.63.255 |
| | | | 32 | 10.15.192.0 | 10.15.255.255 |
| 2 | WBig | 10.16.0.0 | 1 | 10.16.0.0 | 10.16.63.255 |
| | | | 32 | 10.23.192.0 | 10.23.255.255 |
| 3 | WorksOffice | 10.24.0.0 | 1 | 10.24.0.0 | 10.24.63.255 |
| | | | 32 | 10.31.192.0 | 10.31.255.255 |
| 4 | LoBi | 10.32.0.0 | 1 | 10.32.0.0 | 10.32.63.255 |
| | | | 32 | 10.39.192.0 | 10.39.255.255 |
| 5 | SpencerMarks | 10.40.0.0 | 1 | 10.40.0.0 | 10.40.63.255 |
| | | | 32 | 10.47.192.0 | 10.47.255.255 |
| 6 | WareHouseThe | 10.48.0.0 | 1 | 10.48.0.0 | 10.48.63.255 |
| | | | 32 | 10.55.192.0 | 10.55.255.255 |
| 7 | SmithDick | 10.56.0.0 | 1 | 10.56.0.0 | 10.56.63.255 |
| | | | 32 | 10.63.192.0 | 10.63.255.255 |
| 8 | LandLiquor | 10.64.0.0 | 1 | 10.64.0.0 | 10.64.63.255 |
| | | | 32 | 10.71.192.0 | 10.71.255.255 |
| 9 | TexCal | 10.72.0.0 | 1 | 10.72.0.0 | 10.72.63.255 |
| | | | 32 | 10.79.192.0 | 10.79.255.255 |
| 10 | RoosterRed | 10.80.0.0 | 1 | 10.80.0.0 | 10.80.63.255 |
| | | | 32 | 10.87.192.0 | 10.87.255.255 |
| 11 | Headquarters | 10.88.0.0 | 1 | 10.88.0.0 | 10.88.63.255 |
| | | | 32 | 10.95.192.0 | 10.95.255.255 |
| 12 | Unused | 10.96.0.0 | 1 | 10.96.0.0 | 10.96.63.255 |
| | | | 32 | 10.103.192.0 | 10.103.255.255 |
| 31 | Unused | 10.248.0.0 | 1 | 10.248.0.0 | 10.248.63.255 |
| | | | 32 | 10.255.192.0 | 10.255.255.255 |

IP Addressing: VLAN/Host Addresses

• Still have 14 bits available

• Much more than needed for number of hosts at each site

• Can use some bits for further subnetting – VLANs

• VLANs useful for security and decreased congestion

• e.g. Accounting on a different VLAN to other departments

• Reduced traffic visibility to internal staff or hackers

• Able to develop firewall rules to provide further controls

• Reduces broadcast traffic – restricted to hosts on the same VLAN

• Allocate 6 bits for VLAN Number – maximum 64 per site

• Remaining octet used for host ID – maximum 254 hosts per VLAN

IP Addressing – 10.x.x.x: Further Subnetting via VLAN

Bit fields: BU | Outlet | VLAN | Host ID

• 10. 11111 111.11 111111. 11111111

IP Address for BU #1, Outlet #1, VLAN #1, Host #1?

• 10. 00001 000.01 000001. 00000001

• 10.1000.1000001.1

• 10.8.65.1

Further Subnetting – VLANs

| Store Name | Store IP | VLAN Number | VLAN Name | VLAN Net No. | VLAN B/Cast |
|---|---|---|---|---|---|
| WaySafe No. 1 | 10.8.64.0 | 1 | Reserved | 10.8.65.0 | 10.8.65.255 |
| | | 2 | Managers | 10.8.66.0 | 10.8.66.255 |
| | | 3 | Accounting | 10.8.67.0 | 10.8.67.255 |
| | | 4 | Other | 10.8.68.0 | 10.8.68.255 |
| | | 63 | Unused | 10.8.127.0 | 10.8.127.255 |
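
The bit-field scheme from the two addressing illustrations above, as an added Python example that is not part of the original presentation. It follows the illustrations in writing the BU, outlet and VLAN numbers directly into their fields; the function names, and the wildcard-mask helper that matches one VLAN number at every site (the kind of match a firewall rule per VLAN needs), are assumptions made here.

```python
import ipaddress

# Field widths from the slides: 10.<BU:5><Outlet:5><VLAN:6><Host:8>
BU_BITS, OUTLET_BITS, VLAN_BITS, HOST_BITS = 5, 5, 6, 8
BASE = int(ipaddress.IPv4Address("10.0.0.0"))
FIELDS = (("bu", BU_BITS), ("outlet", OUTLET_BITS),
          ("vlan", VLAN_BITS), ("host", HOST_BITS))


def encode(bu, outlet, vlan=0, host=0):
    """Pack the four fields into one address under 10.0.0.0/8."""
    packed = 0
    for (name, bits), value in zip(FIELDS, (bu, outlet, vlan, host)):
        if not 0 <= value < 2 ** bits:
            raise ValueError(f"{name}={value} does not fit in {bits} bits")
        packed = (packed << bits) | value
    return ipaddress.IPv4Address(BASE | packed)


def decode(address):
    """Split an address into its bu, outlet, vlan and host fields."""
    ip = ipaddress.IPv4Address(address)
    if ip not in ipaddress.ip_network("10.0.0.0/8"):
        raise ValueError(f"{ip} is outside 10.0.0.0/8")
    n, out = int(ip) - BASE, {}
    for name, bits in reversed(FIELDS):
        out[name] = n & (2 ** bits - 1)
        n >>= bits
    return out


def site_network(bu, outlet):
    """The /18 that covers every VLAN at one site."""
    return ipaddress.ip_network(f"{encode(bu, outlet)}/18")


def vlan_network(bu, outlet, vlan):
    """The /24 for one VLAN at one site."""
    return ipaddress.ip_network(f"{encode(bu, outlet, vlan)}/24")


def vlan_wildcard(vlan):
    """(base, wildcard) matching one VLAN number at every site.
    Wildcard bits set to 1 are ignored: the BU, outlet and host fields."""
    site_bits = 2 ** (BU_BITS + OUTLET_BITS) - 1
    ignore = (site_bits << (VLAN_BITS + HOST_BITS)) | (2 ** HOST_BITS - 1)
    return encode(0, 0, vlan), ipaddress.IPv4Address(ignore)


def wildcard_match(address, base, wildcard):
    """True when address equals base on every bit the wildcard keeps."""
    diff = int(ipaddress.IPv4Address(address)) ^ int(base)
    return (diff & ~int(wildcard) & 0xFFFFFFFF) == 0


if __name__ == "__main__":
    print(encode(1, 1), encode(1, 1, 1, 1))
    print(site_network(1, 1), vlan_network(1, 1, 3), *vlan_wildcard(3))
```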

User Requirements

• 2 users per Small BU Retail Site

• Limited traffic, standard applications

• 20 users per Large Retail Site

• Moderate traffic, standard applications

• 20 users per Overseas Regional HQ

• Moderate traffic, standard, custom and ad-hoc applications

• 80 users per State Regional HQ

• Moderate traffic, standard, custom and ad-hoc applications

• 100 users per Corporate HQ

• Moderate traffic, standard, custom and ad-hoc applications

Corporate Objectives

• Ensure functionality

• Match application requirements

• Infrastructure match for traffic requirement

• Minimise fixed and variable costs

• Lowest cost hardware

• Low maintenance costs

• Communications and data secure

• Traffic encrypted

• Secure data storage & regular backups

• Robust configuration/patching/upgrade management

• Maximise uptime

• Rapid problem resolution

• Scalability

Selected Technology – Small Retail

• Thin client PCs

• Connected to corporate HQ via internet and SSL

• Applications executed remotely - virtualization

• Functionality

• Limited applications available via terminal server

• Low traffic requirement allows ADSL internet connection

• Cost

• Low cost hardware

• Ongoing Citrix Presentation Server licensing fees

• Claimed that support costs cut by 80-90% vs PC

• Security

• Data kept centrally and backed up

• Applications kept, patched, configured centrally

• SSL VPN connection, Unified Threat Management software

• Uptime

• Lower support requirement, all clients the same for sparing

• Extremely scalable

Small Retail Site or Mobile User

[Diagram labels: Thin Client or Mobile User; Request; Document; SSL Encrypted VPN; SSL/Internet; Corporate HQ – Small Retail; Regional HQ – Mobile User; Virtual Terminal Sessions.]

Selected Technology – Large Retail

• “Smart Client” PCs

• Connected to Regional HQ via Leased Line with IPSec VPN

• Applications, data streamed from HQ - cached on local PC

• Reduced load on server and communications traffic

• Functionality

• Speed requirement met via leased line and local processing

• Cost

• Low cost hardware

• Ongoing Citrix Presentation Server licensing fees

• Low support costs

• Security

• Data kept centrally and backed up

• Applications kept, patched, configured centrally

• IPSec VPN connection, VLANs, Firewalls

• Uptime

• Lower support requirement, all clients the same for sparing

• Extremely scalable

Large Retail Site

[Diagram labels: “Smart” Client; Regional HQ; Software Streaming; Leased Line; IPSec VPN.]

Large Retail Topology

[Diagram labels: Router; Switch; Leased Line with Hardware IPSec VPN to Regional HQ; Workstation 1 (VLAN 10); Workstation 2 (VLAN 20); Workstation 3 (VLAN 10).]

Selected Technology – HQs

• Full PCs

• HQs connected via Leased Lines with IPSec VPN

• Applications kept on local PC

• Data policies for use of local file server vs PC hard disk

• Functionality

• Custom and ad-hoc applications available

• Speed requirement met via leased line and local processing

• Cost

• Highest cost hardware

• Scale economies through centralised IT resource at HQ for support

• Security

• Data policies for use of local file server

• IPSec VPN connections, VLANs, Firewalls, DMZ

• E-Mail Server kept on DMZ at Corporate HQ

• Web Server kept on DMZ at Corporate HQ or hosted externally

• Uptime

• Centralised HQ support

• Scalability

• IP addressing to enable growth

Regional HQ Topology

[Diagram labels: Router (two shown); Switch; Servers including Virtual Terminal Server; Proxy Server; De-Militarized Zone; Internet including SSL VPN from Mobile User; Leased Line with Hardware IPSec VPN from Large Retail; Workstation 1 (VLAN 10); Workstation 2 (VLAN 20); Workstation 3 (VLAN 10); Laptop PC (VLAN 30).]

Corporate/Overseas HQ Topology

[Diagram labels: Router (two shown); Switch; Servers including Virtual Terminal Server, Mail Server, Web Server; Proxy Server; De-Militarized Zone; Internet including SSL VPN from Small Retail/Mobile; Leased Line with Hardware IPSec VPN from Large Retail and Regional HQ; Workstation 1 (VLAN 10); Workstation 2 (VLAN 20); Workstation 3 (VLAN 10); Laptop PC (VLAN 30).]

WorthWools – The Network

[Diagram labels: Internet; Corporate HQ (1 State); Region HQ (4 States); Overseas HQ (2 Countries); Large Retail (12 per Region HQ); IPSec VPN (three links); Mobile User; Small Retail.]

Network Topology: Assignment 1 Link - Wireless

• No wireless at retail sites

• Not necessary for usage

• Wireless perimeter too physically close to public areas

• At headquarters allow wireless

• Able to roam between offices and meeting rooms

• Security implementation – 802.11i

• 802.1X EAP-TLS Authentication – RADIUS/Certificates

• AES Encryption

• Access Points central – limited signal beyond perimeter

• Rogue access point and intrusion detection sensors

Network Topology: Reliability/Uptime

• Measures to consider for increased reliability/uptime

• Server mirroring

• RAID data storage

• Leased Line ISP reliability/redundant routing paths

• Failover to connections via internet

• DNS/Web Caching at regional HQs

• Mailbox servers at regional HQs – Gateway at corporate HQ

• Long DHCP lease periods at retail sites

Data Cabling Cost Estimate: Cable Lengths – HQ Floor

[Figure: HQ floor plan showing cable run lengths from the MDF to Offices 1 to 6, with the Elevator marked; subtotals shown are 180m 10pp, 348m 18pp, 104m 6pp, 48m 6pp, 7m 1pp and 60m 6pp; totals shown are 755m 47pp and 16m pp.]

Data Cabling Cost Estimate

• Cat 6 cable to hosts, host leads, wall connectors

• Existing cable needs to be removed?

• Below floor or in ceiling?

• Raceways and cable trays

• Multimode fibre backbone – laid, not pulled

• Cabinets, redundant power supplies, patch panels, patch leads

• Building modifications and cable shielding in certain places

• Labour cost – design, installation, testing and certification

• Varies Widely - use rule of thumb total cost of $300/connection

• Corporate HQ = 150 connections = $45,000

• Regional HQ = 100 connections = $30,000

• Large Retail Site = 20 connections = $6,000

• Small Retail Site = 2 connections = $600

Costs - Small Retail Site

| No. | Equipment | Up Front | Per Annum |
|---|---|---|---|
| 2 | Thin Client PC | $2,000 | 0 |
| 1 | Juniper SSG20 ADSL Router and Unified Threat Mgmt | $1,500 | $100 |
| 1 | ISP Connection | 0 | $500 |
| 2 | Citrix Presentation Server Client | $600 | $80 |
| 2 | Windows Terminal Server | $1,500 | 0 |
| 1 | Cabling | $600 | $0 |
| 1/15 | HP ProLiant Server - 1U @ Corporate HQ | $500 | $0 |
| 1/15 | Citrix Metaframe Server @ Corporate HQ | $0 | $500 |
| | Total | $6,700 | $1,180 |
| | Total Per User | $3,350 | $590 |

• Low up front cost due to basic PC

• Additional advantage of low ongoing support costs, stable platform

• Gartner estimate of annual cost of $8-10k annually for unmanaged PC

Costs - Large Retail Site

| No. | Equipment | Up Front | Per Annum |
|---|---|---|---|
| 20 | Diskless Smart Client PC | $20,000 | $0 |
| 1 | Juniper SSG140 Router with Hardware IPSec | $4,000 | $0 |
| 1 | Leased Line to Regional HQ | $0 | $12,000 |
| 1 | Cisco Catalyst 2900 24 port VLAN Switch | $1,000 | $0 |
| 20 | Citrix Ardence SmartClient Software | $0 | $3,000 |
| 1 | Cabling | $6,000 | $0 |
| 1/12 | Cisco 3060 100 Mbps VPN Concentrator @ Regional HQ | $2,000 | $0 |
| 1/6 | Dell PowerEdge 2950 Server – 4.5 TB storage @ Regional HQ | $500 | $0 |
| | Total | $33,500 | $15,000 |
| | Total Per User | $1,575 | $750 |

• Low up front cost due to basic PC and scale economies

• Low ongoing support costs, stable platform vs annual license fees

• Still very economical vs Gartner estimate

Costs – Overseas HQ

| No. | Equipment | Up Front | Per Annum |
|---|---|---|---|
| 20 | Normal PCs | $30,000 | $0 |
| 1 | Cisco 2800 Router | $4,000 | $0 |
| 1 | Cisco 3060 100 Mbps VPN Concentrator | See large retail | $0 |
| 1 | Cisco 2800 series Router | $4,000 | $0 |
| 1 | Cisco Catalyst 2900 24 port VLAN Switch | $1,000 | $0 |
| 1 | Cabling | $6,000 | $0 |
| 2 | Dell PowerEdge 2950 Server – 4.5 TB storage | See large retail | $0 |
| | Total | $45,000 | $0 |
| | Total Per User (not incl NAS) | $2,250 | $0 |

• Higher up front cost – could be offset via hardware leasing

• Higher ongoing support costs due to additional application requirements

• Support costs will be high due to remote smaller HQ

Costs – Regional HQ

| No. | Equipment | Up Front | Per Annum |
|---|---|---|---|
| 80 | Normal PCs | $120,000 | $0 |
| 1 | Cisco 3845 Router | $12,000 | $0 |
| 1 | Cisco 3060 100 Mbps VPN Concentrator | See large retail | $0 |
| 1 | Cisco 2800 series Router | $4,000 | $0 |
| 4 | Cisco Catalyst 2900 24 port VLAN Switch | $4,000 | $0 |
| 1 | Cabling | $30,000 | $0 |
| 2 | Dell PowerEdge 2950 Server – 4.5 TB storage | See large retail | $0 |
| | Total | $170,000 | $0 |
| | Total Per User | $2,125 | $0 |

• Higher up front cost – could be offset via hardware leasing

• No client licensing fees after first year

• Higher ongoing support costs due to additional application requirements

• Costs, security contained due to concentrated HQ site

Costs – Corporate HQ

| No. | Equipment | Up Front | Per Annum |
|---|---|---|---|
| 100 | Normal PCs | $150,000 | $0 |
| 1 | Cisco 3845 Router | $12,000 | $0 |
| 1 | Cisco 3060 100 Mbps VPN Concentrator | See large retail | $0 |
| 4 | HP ProLiant Server - 1U | See small retail | $0 |
| 1 | Cisco 2800 series Router | $4,000 | $0 |
| 6 | Catalyst 2900 24 port VLAN Switch | $6,000 | $0 |
| 1 | Cabling | $30,000 | $0 |
| 2 | Dell PowerEdge 2950 Server – 4.5 TB storage | See large retail | $0 |
| 1 | Dell PowerVault NX1950 - Corporate NAS/SAN | $30,000 | $0 |
| | Total | $232,000 | $0 |
| | Total Per User (not incl NAS) | $2,020 | $0 |

• Similar to State regional HQ

• Additional costs due to central services – E-Mail Gateway, Web Site

• Central storage site

• SSL VPN Gateway for small retail sites

Total Up-Front Cost

| No. | Type | Unit Cost | Total |
|---|---|---|---|
| 60 | Small Retail | $6,700 | $402,000 |
| 90 | Large Retail | $33,500 | $3,015,000 |
| 2 | Overseas HQ | $45,000 | $90,000 |
| 4 | Regional HQ | $170,000 | $680,000 |
| 1 | Corporate HQ | $232,000 | $232,000 |
| | Total | | $4,419,000 |
| | Total per User (2,380 users) | | $1,860 |

• Total first year cost of $4.5 million

• Up front cost reduced due to adoption of minimalist client philosophy

• Hardware leasing available if further cost smoothing preferred

• Inexpensive given size of organisation

Total Per Annum Cost

| No. | Type | Unit Cost | Total |
|---|---|---|---|
| 60 | Small Retail | $1,180 | $70,800 |
| 90 | Large Retail | $15,000 | $1,350,000 |
| 2 | Overseas HQ | $0 | $0 |
| 4 | Regional HQ | $0 | $0 |
| 1 | Corporate HQ | $0 | $0 |
| | Total | | $1,420,800 |
| | Total per User (2,380 users) | | $765 |

• Annual costs higher due to licensing fees

• Small price to pay if promise of reduced IT visits by 80-90% results

• Lower support costs

• Higher uptime – revenue impact

Network Topology: Time to Roll Out

• Accelerated roll-out

• Minimalist Thin Client implementation at small sites

• Minimalist Smart Client implementation at large sites

• Option to pilot the configurations

• Identical implementations across Business Units

• Rapid roll out once one implementation type stabilised

• Total time for deployment dependent on budget

• For an organisation this large expected time circa two years