Presentation from the Healthcare Industry Day in Mexico: design considerations for a medical-grade network.
Erick Ortiz
Healthcare Systems Engineer
Cisco Medical Grade Network 2.0 Campus Architectures
© 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco Medical-Grade Network Goals
Protected
• Security for patient privacy and system availability
• Compliant with regulatory requirements
• Protection against security breaches
Interactive
• Facilitates collaboration
• Enables application access
• Integrates data, voice, video and imaging
Responsive
• Network adapts to change and business/clinical needs
• Has the ability to incorporate new technologies
Resilient
• Fault-tolerant and capable of business continuity
• No single point of failure
• Serves mission-critical needs
Cisco Medical-Grade Network 2.0
Cisco Campus Architecture in Healthcare
• Hierarchical designs
• No single points of failure
• Utilize in-box redundancy
• Optimize convergence
• Best practices must adapt to unique healthcare requirements
[Diagram: hierarchical campus with Core, Distribution and Access layers joined by Nx 10G links. Services attached at the distribution/core: Network Analysis Module (NAM), Intrusion Prevention System, NAC Server, Wireless LAN Controller(s). Access closets North Access 1/2 and South Access 1/2 with 802.11n APs. Endpoints: Portable Ultrasound, Smart Infusion Pump, Clinical Workstation, CT / MR, CoW, Medication Administration Cart, RFID tag, 7925G phone, Point of Sale device, Patient Monitor, TelePresence.]
Cisco MGN 2.0 Campus Design
[Diagram: two campus design options. Option 1: Layer 3 stackable switches at the Access layer, a Distribution layer, a Core and the WAN. Option 2: VSS Access, VSS Distribution and a VSS/Hybrid Core, with the WAN and a 10 Gbps Nexus Data Center.]
MGN High Availability Campus Design
• Eliminate all single points of failure
• Implement hierarchical designs
• Utilize redundant chassis or smart stackable switches
• Redundant switching and power fabrics
• In-the-box and network redundant services
• Utilize IGP protocols that quickly detect faults and provide sub-second failover
[Diagram: redundant links, redundant switches, Layer 3 equal-cost links, Layer 2 or Layer 3 access, redundant supervisors; the core connects to the WAN, the Internet and the Data Center.]
Supervisor Redundancy Is Provided by Stateful Switch Over (SSO)
• Active/standby supervisors run in synchronized mode
• Depending on platform, line card and protocol, this incurs from 0 to 3 seconds of outage
• Switch processors synchronize the Layer 2 and Layer 2 / Layer 3 FIB, QoS and ACL tables
• Line cards with a DFC are populated with Layer 2 / Layer 3 routing information and ACL tables
• Line card protocol status is maintained during failover, reducing impact and improving clinical access
Healthcare Campus Challenges
• Remember the old days of flexibility, add/move and the mobility promise?
• Spanning VLANs solved that and created some more problems:
  Stability
  Response times
  Inefficient use of resources
  Managing end host behavior
Age Old Problem
Historically: A Compromise
[Diagram: a looped L2 topology in which all VLANs (VLAN 10, VLAN 20) span all access switches, versus a loop-free L3 topology in which VLAN = subnet = closet (VLAN 10/110, VLAN 20/120, VLAN 30/130).]
• Do not span VLANs.
• No loops, no underlying threat to the network
• The solution gave up the critical ability to span VLANs.
• However, in many healthcare deployments, clinical and biomedical devices require vendor-dedicated VLANs
Virtual Switching
• Solving the same old design problem without losing the benefits of stability and mobility
• Virtual Switching allows elimination of loops in the network while still allowing VLANs to be spanned
[Diagram: VSS-enabled loop-free topology; VLAN 10 and VLAN 20 span the access switches.]
Virtual Switching System 1440 (VSS)
• A Virtual Switching System consists of two Cisco Catalyst 6500 Series switches defined as members of the same virtual switch domain
• Single control plane with dual active forwarding planes
• Designed to increase forwarding capacity while increasing availability by eliminating STP loops (a loop-free topology)
• Reduced operational complexity by simplifying configuration
[Diagram: VSS = single logical switch = Switch 1 + Switch 2, joined by the Virtual Switch Link inside one Virtual Switch Domain.]
VSS Enabled Healthcare Campus Design: End-to-End VSS Design Option
[Diagram: STP-based redundant topology with blocked links (R = STP blocked link), versus a fully redundant virtual switch topology with no blocked links.]
Three Options for Multi-Chassis EtherChannel Designs to Remove Spanning Tree
Virtual Port Channel (vPC)
• Separate control plane
• Separate management plane with vPC state synchronization (CFS)
• Redundant supervisors per chassis with hitless SSO
• Manual port sync config (Data Center Network Manager)
• Local SVI HSRP/PIM forwarding enhancements to act as an active-active pair
[Diagram: SW1 and SW2 joined by the vPC peer-link and the vPC FT-link.]
Virtual Switching System (VSS)
• Single control plane
• Single management plane
• Single supervisor per chassis
• Automatic port config sync (single control plane)
• Single L3 domain (single SVI), no need for FHRP
Stackwise+
• Single control plane controlled by the master switch
• Master switch controls EtherChannel
• Redundant master switches per stack
• Automatic port config sync (single control plane)
• Stack appears as a single router, no need for FHRP
Campus Design Option: VSS
Key Benefits to Healthcare Providers
• Eliminates the complexity of Spanning Tree Protocol and prevents the potential for loops in the network.
• Faster failover by eliminating the need for gateway redundancy protocols (HSRP, VRRP, GLBP)
• Simplified network management (fewer links/configuration, fewer operational points)
• Conserves bandwidth (no unicast flooding; MEC optimizes the number of hops)
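As an added example (not from the presentation), the following Cisco IOS configuration shows the VSS and Multichassis EtherChannel pieces the preceding slides describe: two Catalyst 6500 chassis joined into one virtual switch with SSO, a spanned VLAN carried to an access switch over an MEC with no STP-blocked link, a single SVI that needs no FHRP, and dual-active detection so a failed VSL cannot leave two chassis both active. The domain number, interface numbers, VLAN and addresses are assumed.

```ios
! Step 1 (on chassis 1; repeat on chassis 2 with "switch 2"): join one virtual switch domain
switch virtual domain 100
 switch 1
 switch 1 priority 110
 switch 2 priority 100
 dual-active detection fast-hello
!
! Virtual Switch Link (VSL): the port-channel that joins the two chassis
interface Port-channel1
 switch virtual link 1
interface range TenGigabitEthernet5/4 - 5
 channel-group 1 mode on
!
! Supervisors run in SSO mode so a supervisor failure keeps the forwarding plane up
redundancy
 mode sso
!
! Exec command that reloads the chassis into virtual mode; afterwards interfaces
! are named <switch>/<slot>/<port>:
!   switch convert mode virtual
!
! --- after conversion: one Multichassis EtherChannel (MEC) per access switch ---
vlan 10
 name PATIENT-MONITORS
!
interface Port-channel10
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
! One member link in each chassis; both forward, so VLAN 10 spans the access
! switch with no STP-blocked link
interface TenGigabitEthernet1/1/1
 switchport
 channel-group 10 mode active
interface TenGigabitEthernet2/1/1
 switchport
 channel-group 10 mode active
!
! Single SVI on the single logical switch: the default gateway needs no HSRP/VRRP/GLBP
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
! Dedicated dual-active fast-hello link, one port per chassis, so a VSL failure
! does not leave two chassis both claiming to be active
interface GigabitEthernet1/5/1
 dual-active fast-hello
interface GigabitEthernet2/5/1
 dual-active fast-hello
```

Check the result with `show switch virtual`, `show switch virtual dual-active summary` and `show etherchannel 10 summary`; the access switch side is an ordinary LACP port-channel with one link to each chassis.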
Environmental Considerations
Cooling
• Examine BTU generation compared to HVAC systems
• Redundant HVAC chillers on separate power
• Consider rack design for front-to-back vs side-to-side airflow
Monitoring
• Use 802.11-based thermal and humidity monitoring
• Implement smart building technologies (Cisco Connected Real Estate) for power and cooling monitoring
• Track battery health for localized UPS devices
• Utilize under-floor water detectors
Physical Security
• Monitor and maintain access to IT infrastructure
• Log access to key distribution areas
• Utilize video surveillance
• Take precautions to prevent unauthorized access and prevent data loss
Power
• Separate grid-based power feeds
• Building-based backup generator power
• Localized UPS power, especially for PoE deployments
• Redundant power supplies
Cisco Medical-Grade Network 2.0
Biomedical Devices Considerations in Campus: Requirements
• Traffic flows vary
  Patient monitors: small (300 byte) but frequent (4x/sec) broadcasts, multicasts or unicasts (vendor-specific)
  IV pumps: formulary and firmware updates are usually small and not a daily occurrence
  Biomedical devices often communicate back to a central monitoring station
• SLA requirements
  Prevent < 50 ms jitter
  Maintain < 20 ms connectivity loss from patient monitor to central station
• Unique Layer 2 and Layer 3 requirements
  Many vendors require separate parallel Layer 2 VLANs
  Layer 3 and multicast functionality may be limited
• Path isolation may be required
Patient Monitors: provide real-time monitoring of vital signs (blood pressure, oximetry, etc.) on a continuous basis. May connect to a central station.
Infusion (IV) Pumps: administer medication to patients and require formulary and drug library updates on an intermittent basis.
Portable Radiology Devices: connect to the RIS and PACS systems.
Biomedical Devices Path Isolation Options
• Generic Routing Encapsulation (GRE) tunneling
  Create closed user groups
• Virtual Routing and Forwarding (VRF-lite)
  Lightweight
  Single routing device
• Multiprotocol Label Switching (MPLS)
  Cisco Catalyst 6500
• Overlay Transport Virtualization (OTV)
  Emerging technology in the data center
[Diagram: SSID Vendor A maps to VLAN 10 and SSID Vendor B to VLAN 30; each VLAN is carried across the campus network on an isolated path to its own vendor's central station.]
For More Information: http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html
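As an added example (not from the presentation), this Cisco IOS configuration implements the VRF-lite option from the slide on a single Layer 3 distribution switch: the two vendor VLANs from the diagram each get their own routing table, so a vendor A patient monitor has no route to vendor B's central station at all, and an ACL on the vendor A SVI adds the edge check a defender would want. VRF names, addresses, VLAN IDs and interface numbers are assumed.

```ios
! One VRF per biomedical vendor: separate routing tables, nothing shared by default
ip vrf VENDOR-A
 rd 65000:10
ip vrf VENDOR-B
 rd 65000:30
!
vlan 10
 name VENDOR-A-MONITORS
vlan 30
 name VENDOR-B-MONITORS
!
! SVI for each vendor VLAN, bound to that vendor's VRF
interface Vlan10
 ip vrf forwarding VENDOR-A
 ip address 10.10.10.1 255.255.255.0
 ip access-group VENDOR-A-IN in
interface Vlan30
 ip vrf forwarding VENDOR-B
 ip address 10.30.30.1 255.255.255.0
!
! Routed uplink toward the central stations: one 802.1Q subinterface per VRF
interface GigabitEthernet1/1
 no switchport
interface GigabitEthernet1/1.110
 encapsulation dot1Q 110
 ip vrf forwarding VENDOR-A
 ip address 10.10.254.2 255.255.255.252
interface GigabitEthernet1/1.130
 encapsulation dot1Q 130
 ip vrf forwarding VENDOR-B
 ip address 10.30.254.2 255.255.255.252
!
! Static route per VRF; a host in VENDOR-A has no route at all into VENDOR-B
ip route vrf VENDOR-A 10.10.200.0 255.255.255.0 10.10.254.1
ip route vrf VENDOR-B 10.30.200.0 255.255.255.0 10.30.254.1
!
! Edge check on the vendor A SVI: monitors may reach only their own central
! station subnet (plus DHCP); everything else is dropped and logged
ip access-list extended VENDOR-A-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.10.10.0 0.0.0.255 10.10.200.0 0.0.0.255
 deny ip any any log
```

Verify the separation with `show ip vrf interfaces` and `show ip route vrf VENDOR-A`; the VENDOR-A table should contain only its own connected subnets and the one static route.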
IEC 80001: Application of Risk Management for IT Networks Incorporating Medical Devices
• IEC 80001 is a voluntary international standard dealing with risk management of IT networks incorporating medical devices
• Provides a framework for the "Application of risk management for general purpose IT-networks incorporating medical devices"
• Three "Key Properties": Safety, Effectiveness, Data and System Security
• Four supplementary documents or Technical Reports (TRs) in development:
  Wireless Guidance
  Healthcare Delivery Organization (HDO) Step-by-Step Guide
  Security Guidance
  HDO Implementation Guidance
[Diagram: under IEC 80001-1, medical IT-network planning and operation involves three parties: the IT infrastructure vendor, the biomedical device vendor, and the responsible organization (HDO).]
Medical Grade Network QoS Classifications
Application Class       | Per-Hop Behavior | Queuing and Dropping       | Medical Applications
Network Control         | CS6              | BW Queue                   |
VoIP Telephony          | EF               | Priority Queue (PQ)        | Constant Bit Rate Biomed Feeds
Broadcast Video         | CS5              | (Optional) PQ              |
Realtime Interactive    | CS4              | (Optional) PQ              | Cisco Healthcare, TelePresence
Multimedia Conferencing | AF4              | BW Queue + DSCP WRED       | Cisco Unified Personal Communicator
Multimedia Streaming    | AF3              | BW Queue + DSCP WRED       | *Biomedical Telemetry Streaming
Call-Signaling          | CS3              | BW Queue                   |
Ops/Admin/Mgmt (OAM)    | CS2              | BW Queue                   |
Transactional Data      | AF2              | BW Queue + DSCP WRED       | *Biomedical Devices, Critical Apps, WebEx
Bulk Data               | AF1              | BW Queue + DSCP WRED       | PACS, Large File Apps
Best Effort             | DF               | Default Queue + RED        | Back Office, Archiving, Patient Records
Scavenger               | CS1              | Min BW Queue (Deferential) | Guest Traffic
For More Information: http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND_40/QoSCampus_40.html
QoS Boundaries
• Summary of trust, marking, policing and queuing boundaries
• Correct trust and markings at the access layer
• Inter-switch links in the campus trust DSCP markings
• Perform policing and queuing where appropriate
[Diagram: Access, Distribution and Core layers with untrusted endpoints, conditionally trusted endpoints and trusted endpoints at the access edge.]
Conditionally-Trusted Endpoint Port QoS:
• Conditional trust with trust DSCP
• [Optional ingress marking/policing]
• 1P3QyT queuing
Trusted Endpoint Port QoS:
• Trust DSCP
• [Optional ingress marking/policing]
• 1P3QyT queuing
Untrusted Endpoint Port QoS:
• No trust
• [Optional ingress marking/policing]
• 1P3QyT queuing
Switch-to-Switch/Router Port QoS:
• Trust DSCP
• 1P3QyT or 1P7QyT queuing
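As an added example (not from the presentation), this Catalyst access-switch configuration applies the classification table and the trust boundaries above: an untrusted patient-monitor port is marked on ingress (telemetry to AF31, transactional traffic to AF21, everything else reset to DF) and policed, an IP phone port is conditionally trusted, and the uplink trusts DSCP. Addresses, ports and interface numbers are assumed, and the `mls qos` syntax assumes a Catalyst 3750-class switch.

```ios
! Global: enable QoS; until this is set the switch ignores and does not police markings
mls qos
!
! Classification per the table: telemetry stream -> AF31 (26), transactional -> AF21 (18).
! Central station addresses and ports are assumed for this example.
ip access-list extended BIOMED-TELEMETRY
 permit udp 10.10.10.0 0.0.0.255 host 10.10.200.10
ip access-list extended BIOMED-TRANSACTIONAL
 permit tcp 10.10.30.0 0.0.0.255 10.10.200.0 0.0.0.255 eq 443
!
class-map match-all BIOMED-TELEMETRY
 match access-group name BIOMED-TELEMETRY
class-map match-all BIOMED-TRANSACTIONAL
 match access-group name BIOMED-TRANSACTIONAL
!
! Ingress marking for untrusted endpoints: telemetry is policed so a faulty
! device cannot flood the queue; unmatched traffic is remarked to DF (0)
policy-map MARK-BIOMED
 class BIOMED-TELEMETRY
  set dscp 26
  police 1000000 8000 exceed-action drop
 class BIOMED-TRANSACTIONAL
  set dscp 18
 class class-default
  set dscp 0
!
! Untrusted endpoint port (patient monitor): no trust, mark on ingress, PQ egress
interface GigabitEthernet1/0/1
 switchport access vlan 10
 service-policy input MARK-BIOMED
 priority-queue out
!
! Conditionally trusted port: DSCP is trusted only while a Cisco IP phone is seen via CDP
interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport voice vlan 100
 mls qos trust device cisco-phone
 mls qos trust dscp
 priority-queue out
!
! Switch-to-switch uplink: trust DSCP so markings survive across the campus
interface TenGigabitEthernet1/0/1
 switchport mode trunk
 mls qos trust dscp
 priority-queue out
```

`show mls qos interface GigabitEthernet1/0/1` shows the trust state of each port, and `show policy-map interface GigabitEthernet1/0/1` shows per-class match and police counters.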
Campus Voice and Collaboration Considerations: Challenges
• In order to provide optimal patient care, collaboration among caregivers is essential
• Due to the critical nature of the collaboration, both the campus infrastructure and the collaboration systems must be constantly available
• The diversity of caregivers requires that a wide range of both wired and wireless endpoints be supported
The Connected Health Community
Campus Voice and Collaboration Considerations
• Power over Ethernet
  Switches
  End points
• Voice over WLAN
  VoWLAN QoS
  Multicast
• Unified Communication
  UC Manager resiliency
  Security
  Session Manager Edition
  SRST
[Diagram: PoE devices and the IP phone portfolio.]
Rapid Fault Isolation
[Diagram: the hierarchical campus architecture shown earlier (Core, Distribution and Access with NAM, Intrusion Prevention System, NAC Server, Wireless LAN Controllers, 802.11n APs and the clinical endpoints).]
Challenges
• Healthcare networks are critical to patient care
• Network failure could critically impact patient care
• The network should be designed for maximum uptime, but even the best design can't guarantee 100% uptime
• Provisions should be made so that when a fault occurs, it can be isolated and corrected in minimal time
Rapid Fault Isolation
Fault identification and isolation may be achieved using a number of standard and Cisco-provided tools
• First Failure Analysis
  Monitoring applications like Syslog, SNMP, NetFlow and XML can identify persistent network problems
• Cisco.com Tools
  A number of tools are available on Cisco.com that identify known problems and notify customers of critical issues, assist in the interpretation of error outputs and messages, and automatically notify TAC when a problem occurs
• IOS Tools
  Features are built into IOS both to proactively manage issues (like EMM and MLS rate limit) and to assist in isolating problems (like SPAN, RSPAN and ERSPAN)
• Cisco Remote Management Services
  Cisco Data Center Remote Management Services provide comprehensive monitoring and management of your data center infrastructure 24 hours a day, 365 days a year
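As an added example (not from the presentation), this IOS configuration wires up the first-failure-analysis and isolation tools the slide lists: off-box syslog with millisecond timestamps, SNMPv3 traps (authenticated and encrypted rather than cleartext communities), NetFlow export for baselining, and a local SPAN plus an ERSPAN session to reach a remote analyzer. Collector addresses, interface numbers and the credential placeholders are assumed.

```ios
! Centralized syslog: the first-failure record survives a reload of the failing switch
logging buffered 65536 informational
logging host 10.1.1.50
logging trap informational
logging source-interface Loopback0
service timestamps log datetime msec localtime show-timezone
!
! SNMPv3 with authentication and privacy; both passwords below are placeholders
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-poller NMS-GROUP v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps envmon
snmp-server host 10.1.1.50 version 3 priv nms-poller
!
! NetFlow export for baselining (the load-over-samples chart); export details vary by platform
ip flow-export version 9
ip flow-export destination 10.1.1.51 2055
interface Vlan10
 ip flow ingress
!
! Local SPAN: copy a patient-monitor port to an analyzer on the same switch
monitor session 1 source interface GigabitEthernet1/1
monitor session 1 destination interface GigabitEthernet1/48
!
! ERSPAN: the same copy, carried in GRE to a remote analyzer across the campus
monitor session 2 type erspan-source
 source interface GigabitEthernet1/2
 destination
  erspan-id 102
  ip address 10.1.1.52
  origin ip address 10.1.1.1
 no shutdown
```

`show logging`, `show snmp user` and `show monitor session all` confirm each piece is active; treat the SPAN destination port as carrying patient data and connect only the analyzer to it.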
[Chart: Smart Call Home / NetFlow results, load [%] over 52 samples.]
Rapid Fault Isolation
• Hardware Features
  Features incorporated in hardware (like TDR line cards and power management) assist in isolating problems and optimizing system performance
  Features like Core Dump, SEA and OBFL provide information for troubleshooting and failure analysis
• Cisco Advanced Services
  AS offers a range of services that enhance network performance and minimize downtime, ranging from bug scrub to code recommendations to network analysis and optimization to remotely managing the network.
MGN 2.0 Campus Summary
• Increasing usage of clinical and non-clinical applications within the campus
• Healthcare application requirements:
  High availability
  Support for medical devices and mission-critical clinical applications
  Change management
  Enhanced patient experience
• Cisco Medical Grade Network 2.0 Campus Architectures outlines best practices to build a resilient, protected, interactive, responsive network.