
Network Architecture Case Study

June 2008


Amal Balfoul | Amir Jafari | Jean-Philippe Kakou-Marceau | Kamel Sahli

| Juin 2008 1


Contents

Context

Chapter 1. Network Infrastructure & Strategy Choices
1. Architecture LAN
2. Architecture WAN
3. IP Addressing Plan & allocation process
4. Security
5. Storage
6. Cabling system

Chapter 2. Services
1. ToIP
2. Directory
3. DNS
4. SMTP
5. Intranet & Extranet

Chapter 3. Deployment and Budget
1. Deployment
2. Global Cost

Conclusion


Context


This case study aims to describe how a big company's network infrastructure can be built. In our case, we have a headquarters building with 1000 employees, composed of 10 floors and one basement. In addition, we have 10 agencies in France with 50 employees per agency. Our aim is to define the network architecture that links all the agencies and the headquarters.

We have to define all of these technologies:

- LAN & WAN architecture
- IP addressing plan
- SAN/NAS LAN interconnection
- ToIP
- Security: firewall, strategy, …
- Services: DNS, SMTP, Intranet/Extranet
- Cabling system
- Server & backup equipment hardware definition
- Global cost
- Deployment schedule

We are going to show in three parts how the architecture design can be managed. In the first part, we will talk about the network infrastructure, which is composed of the LAN, the WAN and the IP addressing plan, and about the security strategy, storage and cabling system. In the second part, we will talk about services: how do they run, and which kinds of services can we find? Finally, we will talk about deployment and global cost: how much does the infrastructure cost, and how much time do we need to deploy it?


Chapter 1 Network Infrastructure & Strategy Choices


1. Architecture LAN


We started by dividing our architecture into different segments. First we turn to the headquarters. Our headquarters has 10 floors and a basement. On each floor there are 100 workstations; with a growth of 10% over 5 years, this gives a total of 1100 workstations over 5 years. There are therefore also 100 telephones per floor and 10 more PCs expected over 5 years, i.e. a total of 1100 IP telephones.

We chose to connect the phone directly to the switch and the PC to the IP phone. On the one hand we save ports on the switch, and on the other, as we chose PoE phones, the phones are easy to install next to the PCs. These IP phones are Cisco 7940G. Distribution is done through 3 switches arranged in a stack on each floor, i.e. a total of 30 switches interconnected by Gigabit Ethernet.

A switch stack is a set of switches, independent at the base, interconnected through proprietary high-bandwidth interfaces so that they are administered as one and, above all, so that they form a single spanning-tree bridge: there is no spanning tree inside a stack, the forwarding table is shared by the whole stack, and a frame received on a port cannot be sent back into the stack. Building a stack with these links requires that the switches be physically adjacent; in fact a stack behaves as one switch with about 150 ports, hence a high port density, and stack cords are usually 1 metre at most. We also chose the stack because if one switch fails, and it is not the master, the ports of the remaining stack members keep working.

The master switch of each stack is connected to the first core switch, which allows the cascaded distribution of the switches on each floor. We decided to set up a backup core switch: if the nominal switch fails, the backup takes its place. This backup switch is linked to the 3rd switch of each floor. The core switches are connected to the switches on each floor by Gigabit Ethernet. These 2 switches are also connected to the NAS, with the same backup arrangement as before. These switches are connected to the different application servers, which are themselves connected to the hard disks. These 2 switches are connected to the firewall. We decided to set up the firewalls back to back because then only the external interface of the external firewall carries routable IP addresses.

With this architecture, web publishing or server publishing rules are used to allow traffic to access external servers in the perimeter network. Web publishing or server publishing is also used to allow perimeter network servers to access servers on the internal network. Protocol rules are used to allow outbound traffic from either the perimeter or the internal network.

There are therefore 2 DMZs: an internal one, where we place the 2 internal DNS servers, the ToIP servers, RADIUS, Intranet…, and an external one, where we put the Extranet, the 2 external DNS servers, the DHCP server…. We chose this architecture for optimal security of the LAN. We asked for a backup router in case of a blackout on the main router.


For each agency we have a router with its backup. On this router we have the ASA function, with a firewall and a DHCP relay for each agency. As on each floor of the headquarters, we have IP phones: we have 50 IP phones and 10% more over 5 years, so we have 60 IP phones. We use the same connection scheme as on each floor of the headquarters: we have 2 switches in a stack, the 2 switches are connected to the IP phones using PoE, and the PCs are connected directly to the IP phones.

2. Architecture WAN

To connect our 10 agency LANs to the headquarters, we decided to call on a telco. After having studied the market, we chose the Neuf Cegetel offer, called 9IPNet, an MPLS IP VPN solution presented as answering the needs to exchange information, communicate with employees, reach internal applications and the Intranet, and surf the Internet… safely!

9IPNet MPLS IP VPN is a last-generation network offering:

- A range of 100% guaranteed broadband access to connect the agency LAN sites, in France and abroad if wanted, with rates up to a hundred Mbps depending on the type of traffic and bandwidth needs, subject to eligibility and availability
- Secure Internet access and related services if wanted (firewall, collaborative mailboxes, domain names…)
- The ability to prioritize flows and adapt to the information system through the different Classes of Service (CoS) available according to the profile of the sites
- Contractual SLAs
- Security options adapted to the criticality of the sites, with quality of service commitments: guaranteed rate, guaranteed delivery time (GTL), guaranteed recovery time (GTR 4 hours), guaranteed availability (GTD)
- A secure broadband access solution for mobile users through 3G+, 3G, GPRS, WiFi, UMTS
- Real-time monitoring of the contract via the Customer Extranet (billing, traffic reports, deployment follow-up…)

The benefits for EXAMPLE are:

- A high-performance core IP network with an annual availability rate of 99,995%
- Strong quality of service commitments
- Management of the access router included
- A service dedicated to business customers, and technical assistance 24h/24 and 7d/7
- A single point of contact, which manages access for employees, applications and the Internet safely on site, from their homes or on the move
- Support services optimized to follow the evolution of the network and establish performance reports
- A network ready for a smooth migration to ToIP

To connect the headquarters to the 9Cegetel MPLS network we chose a leased line at 144 Mbps, with redundancy; an ISDN (RNIS) rescue link is also included. For the agency LANs, we chose an SDSL link at 8 Mbps.

SDSL, for Symmetric Digital Subscriber Line, is a method of transmitting data that guarantees an identical rate in both directions, from the user's equipment to the network infrastructure (the upstream channel) and vice versa (the downstream channel). That is why we chose SDSL technology rather than ADSL.

And if a site cannot be served by terrestrial infrastructure, satellite links remain, whose speed can go up to 45 Mbit/s.

To connect nomadic users to the EXAMPLE VPN from a remote laptop, we have a multi-access connection available via 3G+, 3G, EDGE, GPRS, UMTS, WiFi or PSTN (RTC) access. These connections are systematically secured with IPsec. A tool kit, SIM card, PCMCIA card or ExpressCard is provided.


How does IP VPN MPLS work?

MultiProtocol Label Switching (MPLS) is a mechanism for transporting data, operating at the data link layer of the OSI model (layer 2), therefore below protocols like IP. It was designed to provide a unified data transport service for customers using packet switching.

One of the most important applications of the MPLS protocol is the creation of Virtual Private Networks (VPNs). A VPN is a set of sites of one customer that are interconnected over a shared network infrastructure and that are not aware of the presence of any other sites, belonging to another customer company, which are also connected to this infrastructure.

To create customer VPNs, it is therefore necessary to isolate the flows of each customer. To do that, the MPLS label stack consists not of a single label (as defined for basic MPLS use; RFC 3031) but of 2 labels: the first (outer) label identifies the path to the destination LSR and changes at each hop; the second (inner) label specifies the VPN ID assigned to the VPN and is not changed between the source LSR and the destination LSR. It is the source LSR that applies these 2 labels to the data packet when a VPN is used:

[Figure: label stack] Exterior label (identifies the destination) | Interior label (identifies a VPN) | Data (IP packet)


The different components of the IP MPLS VPN are:

- CE router (Customer Edge router): the router on the customer side, connected to the IP backbone through an access service (leased line, Frame Relay PVC, ATM…). It forwards, in IP, the traffic between the customer site and the IP backbone.

- PE router (Provider Edge router): backbone router to which the CEs are connected at the periphery. It is at this level that the CE is declared as belonging to a given VPN. The PE's role is to manage the VPN, cooperating with the other PEs, and to switch frames with the P.

- P (Provider device): router or switch at the heart of the backbone, in charge of switching MPLS frames.


The management of the VPNs in the backbone is provided by the operator through the PEs. Each PE statically associates a VRF (Virtual Routing and Forwarding table), also called LIB (Label Information Base) in standard MPLS, with each of its customer interfaces. The VRF is a routing table associated with a VPN that gives the routes to the IP networks belonging to the VPN.

Each VRF is filled locally by the CE attached to the VRF's interface. To specify the IP networks it serves, the CE uses static routing when there are fewer than 5 IP networks, and the dynamic routing protocol e-BGP for more than 6 IP networks, to avoid having too many routes to process. The attached PE assigns a local label to each of these IP networks and stores them in its forwarding table.

It then announces the membership of these IP networks in the VPN, their label and their attached PE to all the PEs of the backbone (this local label identifies the VPN that owns the IP network). To that end, it transmits the relevant information to all PEs thanks to the MP-iBGP protocol (Multi-Protocol BGP extension, RFC 2283). Only the PEs serving CEs that belong to the same VPN capture this information, store it in the VRF associated with the VPN and update their forwarding table.

This allows the PEs supporting the same VPN to know, through the VRF, all the IP networks that are members of the VPN, their local label and their attached PE.

The internal routing protocol of the backbone is activated on the PEs and the Ps of the shared IP backbone. It ensures IP connectivity between the Ps and the PEs of the backbone and then allows LDP sessions (Label Distribution Protocol, RFC 3036) to be set up between the different components of the backbone.

By exchanging MPLS labels, the LDP protocol assigns an MPLS label to each segment of each best route of the backbone (in the routing sense) and builds an MPLS label forwarding table in each router of the backbone. Once the forwarding tables are updated, the backbone no longer uses the routing tables for IP traffic.

Note that for the PE, the forwarding table contains, in addition to the MPLS label, the information relating to the IP networks announced by the CE. This information is filled in by the MP-iBGP protocol: the remote CE, the PE to which this CE is connected, and the local label.

When the ingress PE receives an incoming IP packet from a CE, it identifies the VRF associated with the input interface. If the PE does not find the destination in the VRF, it rejects the incoming IP packet, because the destination does not belong to the same VPN as the source IP network.

If the source and destination IP networks are part of the same VPN, the ingress PE consults its forwarding table to find the local label associated with the destination and the MPLS label associated with the destination PE. The PE encapsulates the incoming IP packet in an MPLS frame carrying, in 2 successive headers, the MPLS label and the local label. The MPLS frame is then switched by the backbone, based on the forwarding tables, up to the destination PE.

The value of the MPLS label is changed at every P router crossed up to the destination PE, whereas the value of the local label is not processed by the Ps: the local label is carried transparently by the IP backbone up to the destination PE. From the local label, the destination PE finds in its forwarding table the output interface associated with the destination, decapsulates the IP packet from the MPLS frame and forwards it to the destination.
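The two-label forwarding described above, in an added illustration written for this page (not Neuf Cegetel's or any vendor's code): a constructed PE1-P1-P2-PE2 backbone carrying two customers who both use 10.16.30.0/24, showing that the VRF lookup at the ingress PE, the unchanged inner label and the per-hop swap of the outer label keep their traffic apart, and that a destination absent from the VRF is rejected. Router names, label values and the second customer are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Frame:
    """MPLS frame: outer transport label, inner VPN (local) label, IP packet."""
    outer: int
    inner: int
    src: str
    dst: str


@dataclass
class PE:
    """Provider Edge: one VRF per customer interface, plus LDP and MP-iBGP state."""
    name: str
    # interface -> VRF: {prefix: (egress PE, local label learned via MP-iBGP)}
    vrfs: dict = field(default_factory=dict)
    # LDP: egress PE name -> (outer label, next-hop P router)
    ldp: dict = field(default_factory=dict)
    # local labels this PE advertised: local label -> customer output interface
    local_labels: dict = field(default_factory=dict)

    def ingress(self, iface, src, dst):
        """Look up dst in the VRF of the input interface and push the 2 labels.
        A destination absent from the VRF belongs to another VPN: the packet
        is rejected, which is what keeps customers isolated."""
        for prefix, (egress_pe, local_label) in self.vrfs[iface].items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
                outer, next_hop = self.ldp[egress_pe]
                return Frame(outer, local_label, src, dst), next_hop
        return None, None

    def egress(self, frame):
        """The last P popped the transport label; only the local label is
        needed to pick the customer-facing output interface."""
        return self.local_labels.get(frame.inner)


class P:
    """Core router: swaps the outer label only and never reads the inner one."""
    IMPLICIT_NULL = 3  # "pop the outer label" (penultimate hop popping)

    def __init__(self, name, swap_table):
        self.name = name
        self.swap = swap_table  # incoming outer label -> (outgoing outer label, next hop)

    def forward(self, frame):
        new_outer, next_hop = self.swap[frame.outer]
        return Frame(new_outer, frame.inner, frame.src, frame.dst), next_hop


def deliver(ingress_pe, core, egress_pe, iface, src, dst):
    """Walk one IP packet from a CE through the backbone. Returns the outer
    labels seen hop by hop, the (unchanged) inner label and the egress
    interface, or None if the ingress PE rejected the packet."""
    frame, next_hop = ingress_pe.ingress(iface, src, dst)
    if frame is None:
        return None
    outer_labels = [frame.outer]
    while next_hop != egress_pe.name:
        frame, next_hop = core[next_hop].forward(frame)
        outer_labels.append(frame.outer)
    return {"outer_labels": outer_labels, "inner_label": frame.inner,
            "egress_iface": egress_pe.egress(frame)}


def build_backbone():
    """Constructed topology: PE1 -- P1 -- P2 -- PE2, two customers sharing it.
    Both customers use 10.16.30.0/24 to show that overlapping private
    addressing is fine: the VRF and the inner label keep them apart."""
    pe1 = PE("PE1",
             vrfs={"ge0/1": {"10.16.30.0/24": ("PE2", 201)},   # EXAMPLE, VPN A
                   "ge0/2": {"10.16.30.0/24": ("PE2", 305)}},  # other client, VPN B
             ldp={"PE2": (100, "P1")})
    core = {"P1": P("P1", {100: (110, "P2")}),
            "P2": P("P2", {110: (P.IMPLICIT_NULL, "PE2")})}
    pe2 = PE("PE2", local_labels={201: "EXAMPLE-agency1", 305: "other-client-site"})
    return pe1, core, pe2


if __name__ == "__main__":
    pe1, core, pe2 = build_backbone()
    print(deliver(pe1, core, pe2, "ge0/1", "10.16.0.10", "10.16.30.5"))
    print(deliver(pe1, core, pe2, "ge0/2", "172.16.1.1", "10.16.30.5"))
    print(deliver(pe1, core, pe2, "ge0/1", "10.16.0.10", "192.168.99.1"))
```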


3. IP Addressing Plan & allocation process

An IP address contains 32 bits and has a network part and a host part. The attributed address is 10.16.0.0/15, which, according to RFC 1918, is a private address. Such an address cannot reach the Internet, because the access router drops it. This means that we will have to think about doing address translation before going out of our private network.

In 10.16.0.0/15, the /15 means that the network part uses the first 15 bits. So we have 17 bits reserved for the host part, i.e. 2^17 = 131 072 possible host addresses. We don't need so many addresses! Only about 3000 addresses are needed. It would be a useless mess to make an addressing plan without subnetting. Moreover, this address does not fit the original denomination of address classes: A, B, C, D and E. Indeed, when we look at the value of the first byte, we can say that it is a class A address. But this class has a /8 network mask and not /15 as indicated here. That is to say, we have been given a classless address and, to make our addressing plan, we are going to subnet and use Variable Length Subnet Masks (VLSM).

VLSM is an addressing technique to reduce the IPv4 address shortage (RFC 1878). It was developed to allow several levels of subnetting in a single network, that is to say, the network mask does not « remain frozen ». So we can use various subnet masks in the same network; in other words, we subnet a subnet. This technique increases addressing efficiency and allows « route summarization ». Note that VLSM is used only in an internal network. VLSM is supported by the best-known protocols such as RIPv2, OSPF, BGP4 and EIGRP (not RIPv1, IGRP, EGP or BGP3, which are classful protocols).

As we said previously, the network part includes the first 15 bits. By setting those bits to one we obtain the network mask 1111 1111 . 1111 1110 . 0000 0000 . 0000 0000, which corresponds in decimal notation to 255.254.0.0. With such a mask, we can find the last address we can use. The IP address given in binary is 0000 1010 . 0001 0000 . 0000 0000 . 0000 0000. We set the 17 bits of the host part to 1, i.e. 0000 1010 . 0001 0001 . 1111 1111 . 1111 1111, or in decimal 10.17.255.255.

So the address range we have is 10.16.0.0 to 10.17.255.255. We can have 2^7 = 128 subnets, 7 being the number of extended bits, i.e. the number of bits beyond the classful part.

We will do the subnetting taking into account the number of sites and the number of hosts per site. To begin with, we have 10 agencies and a headquarters, so we will have 11 subnets. For the headquarters, we need at least 2300 IP addresses:
- 1000 hosts, 2 IP addresses per host, one for the PC and the other for the IP phone
- 50 IP addresses for printers and faxes
- 30 IP addresses for network equipment such as servers or routers


Considering the growth of 10% in (number of years) of the number of hosts in the company, we reserved 12 bits for the host part, because with 12 bits we have 2^12 = 4096 possible addresses (in fact 4094 because, according to RFC 950, we have to apply the formula 2^n - 2 to exclude the network and broadcast addresses). So the network part contains 20 bits. The network address is 10.16.0.0/20 and the subnet mask is 255.255.240.0. As explained previously, with a /20 subnet mask, the next subnet will be 10.16.16.0.

We preferred to keep a range of addresses free before reserving the part for the agencies, and will begin reserving addresses for the ten local sites at 10.16.30.0. If the client wants one subnet per floor, it is possible to subnet this subnet. It is also possible to separate data traffic and voice traffic virtually by setting up Virtual LANs.

For the agencies, we need at least 150 IP addresses per agency:
- 50 hosts, 2 IP addresses per host, one for the PC and the other for the IP phone
- 5 IP addresses for printers and faxes
- 5 IP addresses for network equipment such as routers and servers

Considering the growth, we reserved 8 bits for the host part, giving 254 possible IP addresses (2^8 - 2 = 254). So we have the host part on 8 bits and the network part on 24 bits, i.e. for the first agency the subnet address is 10.16.30.0/24 with the subnet mask 255.255.255.0. The next agency will have the subnet address 10.16.31.0/24, and so on.


Subnet considered | IP addresses required | Network bits | Host bits | Subnet address | Subnet mask | First IP address | Last IP address | Broadcast address
Headquarter | 2300 | 20 | 12 | 10.16.0.0/20 | 255.255.240.0 | 10.16.0.1 | 10.16.15.254 | 10.16.15.255
Free addresses range | | | | 10.16.16.0 | | 10.16.16.1 | 10.16.29.255 |
Agence 1 | 150 | 24 | 8 | 10.16.30.0/24 | 255.255.255.0 | 10.16.30.1 | 10.16.30.254 | 10.16.30.255
Agence 2 | 150 | 24 | 8 | 10.16.31.0/24 | 255.255.255.0 | 10.16.31.1 | 10.16.31.254 | 10.16.31.255
Agence 3 | 150 | 24 | 8 | 10.16.32.0/24 | 255.255.255.0 | 10.16.32.1 | 10.16.32.254 | 10.16.32.255
Agence 4 | 150 | 24 | 8 | 10.16.33.0/24 | 255.255.255.0 | 10.16.33.1 | 10.16.33.254 | 10.16.33.255
Agence 5 | 150 | 24 | 8 | 10.16.34.0/24 | 255.255.255.0 | 10.16.34.1 | 10.16.34.254 | 10.16.34.255
Agence 6 | 150 | 24 | 8 | 10.16.35.0/24 | 255.255.255.0 | 10.16.35.1 | 10.16.35.254 | 10.16.35.255
Agence 7 | 150 | 24 | 8 | 10.16.36.0/24 | 255.255.255.0 | 10.16.36.1 | 10.16.36.254 | 10.16.36.255
Agence 8 | 150 | 24 | 8 | 10.16.37.0/24 | 255.255.255.0 | 10.16.37.1 | 10.16.37.254 | 10.16.37.255
Agence 9 | 150 | 24 | 8 | 10.16.38.0/24 | 255.255.255.0 | 10.16.38.1 | 10.16.38.254 | 10.16.38.255
Agence 10 | 150 | 24 | 8 | 10.16.39.0/24 | 255.255.255.0 | 10.16.39.1 | 10.16.39.254 | 10.16.39.255
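The plan in the table above, recomputed as an added example (not part of the original study): Python's ipaddress module derives the headquarters /20, the free gap and the ten agency /24s from the case study's own numbers, then runs the checks an engineer would want before deploying, namely that every subnet covers its need, lies inside 10.16.0.0/15 and overlaps no other. Function names are assumptions made for this example.

```python
import ipaddress

ALLOCATED = ipaddress.ip_network("10.16.0.0/15")   # block attributed to the company


def host_bits_needed(addresses):
    """Smallest host part n with 2**n - 2 >= addresses (RFC 950: the network
    and broadcast addresses are not usable)."""
    n = 1
    while 2 ** n - 2 < addresses:
        n += 1
    return n


def subnet_row(name, needed, net):
    """One line of the addressing table for a subnet."""
    return {"subnet": name, "needed": needed,
            "network_bits": net.prefixlen, "host_bits": 32 - net.prefixlen,
            "address": str(net), "mask": str(net.netmask),
            "first": str(net.network_address + 1),
            "last": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
            "usable": net.num_addresses - 2}


def build_plan(hq_needed=2300, agencies=10, agency_needed=150,
               agency_start="10.16.30.0"):
    """VLSM plan of the case study: the headquarters subnet at the start of
    the block, a free gap, then one contiguous subnet per agency."""
    plan = []
    hq_prefix = 32 - host_bits_needed(hq_needed)            # 2300 -> 12 host bits -> /20
    hq = ipaddress.ip_network((ALLOCATED.network_address, hq_prefix))
    plan.append(subnet_row("Headquarter", hq_needed, hq))
    ag_prefix = 32 - host_bits_needed(agency_needed)        # 150 -> 8 host bits -> /24
    ag = ipaddress.ip_network((ipaddress.ip_address(agency_start), ag_prefix))
    for i in range(1, agencies + 1):
        plan.append(subnet_row(f"Agence {i}", agency_needed, ag))
        ag = ipaddress.ip_network((ag.broadcast_address + 1, ag_prefix))  # next /24
    return plan


def free_range(plan):
    """Addresses left unallocated between the headquarters and agency 1."""
    hq = ipaddress.ip_network(plan[0]["address"])
    first_agency = ipaddress.ip_network(plan[1]["address"])
    return str(hq.broadcast_address + 1), str(first_agency.network_address - 1)


def check_plan(plan):
    """Checks to run before deploying: each subnet covers its need, lies inside
    the allocated block and overlaps no other subnet."""
    nets = [ipaddress.ip_network(r["address"]) for r in plan]
    for row, net in zip(plan, nets):
        if row["usable"] < row["needed"] or not net.subnet_of(ALLOCATED):
            return False
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    plan = build_plan()
    for row in plan:
        print(f'{row["subnet"]:12} {row["address"]:16} {row["mask"]:16} '
              f'{row["first"]:14} {row["last"]:14} {row["broadcast"]}')
    print("free:", free_range(plan), "valid:", check_plan(plan))
```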


IP address allocation process

The simplest way to assign an IP address to more than 3000 machines is to use a dynamic process with DHCP. DHCP means Dynamic Host Configuration Protocol. It is a protocol that allows a computer connected to a network to obtain its network configuration dynamically. We only have to configure the computer to obtain its IP address via DHCP. The main aim is to simplify the administration of the network.

Firstly, we have to define a DHCP server that distributes IP addresses. This machine will serve as the basis for all DHCP requests, and has a static IP address.

A computer equipped with TCP/IP but without an IP address broadcasts a datagram (DHCP DISCOVER, to locate the available DHCP servers), aimed at port 67 of any server listening on this port. This datagram contains, among other things, the physical (MAC) address of the client. Any DHCP server that receives this datagram and is able to propose an address answers the DHCP DISCOVER with a DHCP OFFER, broadcast on the network the client belongs to (to its port 68) and identified by the client's physical address. It is possible that several offers are sent to the client.

The client keeps one of the offers received (the first to reach it) and broadcasts on the network a DHCP REQUEST datagram. This datagram contains the IP address of the server and the address that was proposed to the client. Its effect is to ask the chosen server to assign this address, sending the potential values of the parameters, and to inform the other servers that made an offer that it was not accepted.

The chosen DHCP server builds an acknowledgment datagram (DHCP ACK), which assigns the client its IP address and subnet mask, the IP address of the default gateway and any optional parameters, and the duration of the lease of this address (to optimize network resources), with two values that determine the behaviour of the client at the end of the lease: T1, the time after which the client starts to periodically ask the server that gave it its address to renew its lease (commonly half the length of the lease), and T2, the deadline after which the lease is not renewed. Similarly, when the server reaches the end of a lease, it issues a DHCPNAK packet to ask the client whether it wants to extend its lease. If the server does not receive a valid answer, it makes the IP address available again.

When the DHCP server and the clients are not on the same Ethernet segment, the DHCP REQUEST fails because the routers do not forward broadcasts and drop them. This is the case for our agencies. To resolve this issue we use a DHCP relay agent. This particular host is configured with a static IP address and knows the address of the DHCP server of the headquarters. This relay agent forwards the DHCP requests that arrived on its port 68 to the DHCP server, which answers the request. After having received the answer from the DHCP server, the DHCP relay agent broadcasts on its segment (where the client asking for an IP address is) the answers it receives from the DHCP server.
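The DHCP exchange and the relay agent described above, in an added Python model written for this page (not from the original study): one headquarters server with pools for the /20 and for agency 1's /24, a relay that sets giaddr to its own static address so the server can pick the agency pool, the four-message exchange, the T1/T2 lease timers and the release of an offer the client did not take. Server address, pool ranges and MAC addresses are constructed.

```python
import ipaddress


class Pool:
    """Dynamic range of one subnet. The router keeps .1 and the lowest
    addresses are left for statically configured equipment (constructed
    layout for the example)."""

    def __init__(self, cidr, router, first_dynamic):
        self.network = ipaddress.ip_network(cidr)
        self.router = router
        self.free = [str(a) for a in self.network.hosts()
                     if a >= ipaddress.ip_address(first_dynamic)]


class DhcpServer:
    """One server in the headquarters serving several subnets. The pool is
    chosen from giaddr, the relay agent's static address: a request that
    arrives with giaddr 0.0.0.0 came straight from the server's own segment."""

    def __init__(self, ip, pools, lease_time=86400):
        self.ip, self.pools, self.lease_time = ip, pools, lease_time
        self.offers = {}   # mac -> (pool, ip) while an OFFER is pending
        self.leases = {}   # mac -> ip once ACKed

    def pool_for(self, giaddr):
        anchor = ipaddress.ip_address(self.ip if giaddr == "0.0.0.0" else giaddr)
        return next((p for p in self.pools if anchor in p.network), None)

    def handle(self, msg):
        if msg["op"] == "DISCOVER":
            pool = self.pool_for(msg["giaddr"])
            if pool is None or not pool.free:
                return None                      # nothing to propose: stay silent
            ip = pool.free.pop(0)
            self.offers[msg["mac"]] = (pool, ip)
            return {"op": "OFFER", "server": self.ip, "mac": msg["mac"],
                    "yiaddr": ip, "mask": str(pool.network.netmask),
                    "router": pool.router, "lease": self.lease_time,
                    "T1": self.lease_time // 2,      # renew with the same server
                    "T2": self.lease_time * 7 // 8}  # rebind deadline (RFC 2131 defaults)
        if msg["op"] == "REQUEST":
            pending = self.offers.pop(msg["mac"], None)
            if pending is None:
                return None
            pool, ip = pending
            if msg["server"] != self.ip:             # client picked another server
                pool.free.insert(0, ip)
                return None
            if msg["requested"] != ip:               # client asks for something else
                pool.free.insert(0, ip)
                return {"op": "NAK", "server": self.ip, "mac": msg["mac"]}
            self.leases[msg["mac"]] = ip
            return {"op": "ACK", "server": self.ip, "mac": msg["mac"],
                    "yiaddr": ip, "mask": str(pool.network.netmask),
                    "router": pool.router, "lease": self.lease_time}
        return None


class RelayAgent:
    """Agency router: puts its own static address in giaddr, forwards the
    client's broadcast as unicast to the headquarters server and carries the
    reply back to the client's segment."""

    def __init__(self, ip, server):
        self.ip, self.server = ip, server

    def handle(self, msg):
        return self.server.handle(dict(msg, giaddr=self.ip))


def obtain_lease(mac, first_hop):
    """Full DISCOVER / OFFER / REQUEST / ACK exchange. first_hop is the server
    itself for a headquarters client or the RelayAgent for an agency client."""
    offer = first_hop.handle({"op": "DISCOVER", "mac": mac, "giaddr": "0.0.0.0"})
    if offer is None:
        return None
    return first_hop.handle({"op": "REQUEST", "mac": mac, "giaddr": "0.0.0.0",
                             "server": offer["server"], "requested": offer["yiaddr"]})


def build_site():
    """Constructed addresses from the plan: server in the headquarters /20,
    relay on agency 1's router."""
    server = DhcpServer("10.16.0.5", [Pool("10.16.0.0/20", "10.16.0.1", "10.16.0.100"),
                                      Pool("10.16.30.0/24", "10.16.30.1", "10.16.30.10")])
    return server, RelayAgent("10.16.30.1", server)


if __name__ == "__main__":
    server, relay = build_site()
    print(obtain_lease("00:11:22:33:44:55", relay))    # agency PC via the relay
    print(obtain_lease("00:11:22:33:44:66", server))   # headquarters PC, no relay
```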


4. Security

First we decided to use a configuration with a DMZ. Indeed, the main advantage of implementing a DMZ instead of just using a firewall is that the risk to the internal servers is reduced, because the public servers and the internal servers are separated from each other. The advantage of this solution is to add an additional layer of security to the organization's Local Area Network (LAN): an external attacker then only has access to the equipment in the DMZ, rather than to the whole network. Considering the use of the DMZ in terms of security, we decided to put 2 DMZs:

• The external DMZ, containing the servers that have to be linked to the exterior network, such as the Extranet server, the mail server and the DHCP server.
• The internal DMZ, with servers such as the Intranet, DNS, Directory and ToIP servers.

After that, we had the choice between a tri-homed DMZ and the back-to-back one; we chose the latter configuration because it is the most secure solution. Indeed, the first firewall (the "front-end" firewall) must be configured to allow both the traffic destined for the DMZ and the traffic for the internal network. The second firewall (called "back-end") must be configured to only allow traffic destined for the internal network that originates from the DMZ. The first firewall must be able to handle a much larger amount of traffic than the second firewall.

The figure explains the principle of the back-to-back perimeter network:


Choice of the firewall Cisco ASA 5520

We need a stateful firewall. This type of firewall keeps track of the state of the network connections (such as TCP streams or UDP communications) travelling across it. The firewall is programmed to distinguish legitimate packets for the different types of connections. Only packets matching a known connection state are allowed by the firewall; the others are rejected.

• The Cisco ASA 5520 Adaptive Security Appliance delivers security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise networks in a modular, high-performance appliance.
• It contains four Gigabit Ethernet interfaces and supports up to 100 VLANs.
• Easy to deploy.
• Provides VPN services to give any user access from any location.
• The Cisco ASA 5500 Series delivers content security services including URL filtering, anti-phishing, anti-spam, antivirus, anti-spyware and content filtering, which can help lower operations costs, reduce liability, and improve employee productivity.

The Cost is around 6000 euros.
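The back-to-back perimeter and the stateful filtering described above, in an added model written for this page (not Cisco ASA configuration): two firewalls with a connection table and rule sets following the text, run over sample packets that show a legitimate Extranet flow and its reply, an inbound flow to the internal network stopped by the back-end even though the front-end passed it, and a stray packet with no connection state dropped at the front-end. Zones, addresses and ports are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet seen by the perimeter; zones and addresses are constructed."""
    src_zone: str
    dst_zone: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True for the first packet of a flow (TCP SYN)


class StatefulFirewall:
    """A NEW flow is allowed only if a rule permits it; afterwards every packet
    of that flow, in both directions, is matched in the connection table.
    A packet that neither starts a permitted flow nor belongs to a known
    connection is dropped."""

    def __init__(self, name, rules):
        self.name = name
        self.rules = rules        # (src_zone, dst_zone, proto, dport or "any")
        self.conntrack = set()    # keys: (proto, src, sport, dst, dport)

    def _permitted(self, p):
        return any(sz == p.src_zone and dz == p.dst_zone and pr == p.proto
                   and dp in ("any", p.dport) for sz, dz, pr, dp in self.rules)

    def filter(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply_key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.conntrack or reply_key in self.conntrack:
            return "ESTABLISHED"
        if p.syn and self._permitted(p):
            self.conntrack.add(key)
            return "NEW"
        return "DROP"


ZONES = ["internet", "dmz", "internal"]   # the back-to-back layout, outside in


def firewalls_on_path(front, back, p):
    """The front-end sits between the Internet and the DMZ, the back-end
    between the DMZ and the internal network; inbound packets meet the
    front-end first, outbound packets the back-end first."""
    i, j = ZONES.index(p.src_zone), ZONES.index(p.dst_zone)
    lo, hi = min(i, j), max(i, j)
    on_path = ([front] if lo == 0 and hi >= 1 else []) + ([back] if hi == 2 and lo <= 1 else [])
    return on_path if i < j else on_path[::-1]


def inspect(front, back, p):
    """Verdict for one packet: the first firewall that drops it wins."""
    verdict = "NO-FIREWALL"
    for fw in firewalls_on_path(front, back, p):
        verdict = fw.filter(p)
        if verdict == "DROP":
            return f"DROP by {fw.name}"
    return verdict


def build_perimeter():
    """Rule sets following the text: the front-end lets traffic for the DMZ
    and for the internal network through, the back-end only admits flows to
    the internal network that originate in the DMZ (plus outbound traffic).
    Ports and services are constructed for the example."""
    front = StatefulFirewall("front-end", [
        ("internet", "dmz", "tcp", 443),         # Extranet
        ("internet", "dmz", "tcp", 25),          # mail
        ("internet", "dmz", "udp", 53),          # external DNS
        ("internet", "internal", "tcp", "any"),  # handed on: the back-end decides
        ("dmz", "internet", "tcp", "any"),
        ("internal", "internet", "tcp", "any"),
    ])
    back = StatefulFirewall("back-end", [
        ("dmz", "internal", "tcp", 25),          # mail relay towards the inside only
        ("internal", "dmz", "tcp", "any"),
        ("internal", "internet", "tcp", "any"),
    ])
    return front, back


if __name__ == "__main__":
    front, back = build_perimeter()
    samples = [Packet("internet", "dmz", "tcp", "203.0.113.7", "192.0.2.10", 51000, 443, syn=True),
               Packet("dmz", "internet", "tcp", "192.0.2.10", "203.0.113.7", 443, 51000),
               Packet("internet", "internal", "tcp", "203.0.113.7", "10.16.0.20", 51001, 445, syn=True),
               Packet("internet", "internal", "tcp", "203.0.113.7", "10.16.0.20", 445, 51002)]
    for p in samples:
        print(p.src_zone, "->", p.dst_zone, p.dport, inspect(front, back, p))
```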

Antivirus

Regarding antivirus and antispyware protection, we considered that the workstations already have a protection: Symantec Endpoint Protection 11.0.

5. Storage

Technology

We had to choose between three types of technology for our storage system: DAS, NAS and SAN.

- The DAS solution (Direct Attached Storage) is a non-centralized solution: each workstation is linked directly to an allocated disk space. This solution has obvious drawbacks:
  - Firstly, this solution is not centralized, contrary to the architecture we have chosen for the client (indeed, the data of the agencies is stored directly in the LAN of the headquarters).
  - This solution needs many points of administration.
  - The storage space is limited and cannot evolve, for example by adding disks. Generally, it is a fixed storage space.
  - This solution can cause problems linked to the backup system.


- Network storage solutions:

The NAS uses the LAN to be deployed, contrary to the SAN, which is a network dedicated to storage with its own architecture, essentially based on Fibre Channel.

Differences between NAS and SAN:

NAS | SAN
Almost any machine that can connect to the LAN (or is interconnected to the LAN through a WAN) can use the NFS, CIFS or HTTP protocol to connect to a NAS and share files. | Only server-class devices with SCSI Fibre Channel can connect to the SAN. The Fibre Channel of the SAN has a limit of around 10 km at best.
A NAS allows greater sharing of information, especially between disparate operating systems such as Unix and NT: interoperability. | A SAN addresses data by disk block number and transfers raw disk blocks.
Global client access | Isolated from global client access
File system managed by the NAS head unit | File system managed by the servers
Easy to deploy | Complex to deploy


This simple figure explains the difference in architecture between NAS and SAN:

Several criteria led us to choose the NAS architecture:

- Cost: NAS is cheaper than a SAN architecture.
- Interoperability: NAS can support Linux and Windows OS.
- Storage capacity in accordance with the client's needs.
- Reliability: redundancy of the data allows the data to be restored in case of a crash (use of RAID 5).
- Simpler deployment than SAN.
- Scalability.

Type of Disk

We decided to use RAID 5 technology with our NAS server. A RAID 5 array requires a minimum of three hard drives of equal size as well as a hard drive controller that supports it. To maximize performance, we choose drives of the same make and model. The two principal advantages of RAID 5 are that it combines the advantages of RAID 0 in terms of performance and of RAID 1 in terms of reliability:
- Data transactions are very fast (property of RAID 0).
- Reliability: in case of a crash, recovery is allowed by the redundancy of the data (property of RAID 1). RAID 5 can sustain the failure of one disk.
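RAID 5 as described above, in an added example written for this page (not EMC's or any controller's code): data is striped across three simulated disks with a rotating XOR parity chunk, one disk is lost and rebuilt from the survivors, and a second simultaneous loss is reported as unrecoverable, which is the limit the text mentions. The chunk size and the sample data are constructed.

```python
import functools
import operator

CHUNK = 4  # bytes per chunk; real arrays use 64 KiB or more per stripe unit


def xor_chunks(chunks):
    """Bitwise XOR of equal-length byte strings (the RAID 5 parity operation)."""
    return bytes(functools.reduce(operator.xor, col) for col in zip(*chunks))


def parity_disk_for(stripe, n_disks):
    """RAID 5 distributes parity: the parity chunk rotates across the disks."""
    return (n_disks - 1 - stripe) % n_disks


def write_array(data, n_disks=3):
    """Stripe data over n_disks (>= 3) with one parity chunk per stripe.
    Returns a list of disks, each a list of chunks."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = CHUNK * (n_disks - 1)
    padded = data + b"\0" * (-len(data) % per_stripe)   # whole stripes only
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        block = padded[s * per_stripe:(s + 1) * per_stripe]
        chunks = [block[i * CHUNK:(i + 1) * CHUNK] for i in range(n_disks - 1)]
        chunks.insert(parity_disk_for(s, n_disks), xor_chunks(chunks))
        for d in range(n_disks):
            disks[d].append(chunks[d])
    return disks


def read_array(disks, length):
    """Reassemble the original data, skipping the parity chunk of each stripe."""
    n_disks = len(disks)
    out = b""
    for s in range(len(disks[0])):
        p = parity_disk_for(s, n_disks)
        out += b"".join(disks[d][s] for d in range(n_disks) if d != p)
    return out[:length]


def rebuild(disks):
    """Replace the one failed disk (marked None) by XORing the survivors chunk
    by chunk. With two failures the XOR has an unknown on both sides and the
    data is gone: RAID 5 survives exactly one disk loss."""
    failed = [d for d, disk in enumerate(disks) if disk is None]
    if len(failed) != 1:
        raise ValueError(f"RAID 5 survives exactly one failed disk, got {len(failed)}")
    f = failed[0]
    survivors = [disk for disk in disks if disk is not None]
    rebuilt = [xor_chunks([disk[s] for disk in survivors]) for s in range(len(survivors[0]))]
    return disks[:f] + [rebuilt] + disks[f + 1:]


if __name__ == "__main__":
    data = b"EXAMPLE headquarters and agencies share one NAS"   # constructed sample
    disks = write_array(data)
    degraded = [disks[0], None, disks[2]]                      # disk 1 crashed
    print(read_array(rebuild(degraded), len(data)) == data)    # True
```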


Deployment

We chose to allocate a storage capacity equivalent to 20 GB per user; then, for the 1700 workstations (1500 + the company's evolution in terms of human resources), we take into account a global capacity of 40 TB.

Choice of the equipment

We decided to choose an EMC solution, the Celerra NS80:

- Storage capacity scalable up to 60 TB.
- Optimized for multi-protocol environments without SAN infrastructure.
- Centralized management.
- Reliability of the solution.
- Widely deployed.

The EMC Celerra NS80 is a standalone storage system optimized for multi-protocol environments without SAN infrastructure. The Celerra NS80 combines network-attached storage (NAS) and iSCSI consolidation in one integrated package.

Deployment

Two NS80 NAS servers will be deployed: the NAS server and its backup in case of failure.


6. Cabling system

To connect the PC to the IP phone and the IP phone to the switch, we use category 5e cable. The cables used in networks have 8 wires arranged in 4 twisted pairs. The point is to obtain noise immunity by cancelling successive loops: the parasitic fields are counted alternately plus and minus, giving a null result. The cables used may be of two types, shielded (STP, shielded twisted pair) or unshielded (UTP, unshielded twisted pair); the latter type of cable is used in the majority of cases. The shielding, if not correctly grounded at both ends of the cable, can turn into an antenna and cause more problems than it solves. These cables have an impedance of 100 ohms. Wires 1-2 are used to transmit data and wires 3-6 to receive data; wires 4-5 and 7-8 are reserved for telephony applications or for Ethernet.

The maximum length of a cable is 100 metres; in practice 90 metres are usually used in order to keep 10 metres for the …. On the other hand, cables must be laid with caution: do not pinch or fold them, as this would change the impedance of the cable and risk problems. In addition, it is necessary to avoid running them alongside electrical cables over long distances; in this case it is necessary to keep a minimum distance (30 cm at least).

Crossover cables are used to connect our routers to other routers, or switches to other switches. Straight-through cables are used to connect PCs and servers to the active elements: switches to routers and switches to PCs.

Cat 5 cable transmits data at frequencies up to 100 MHz and at rates not exceeding 100 Mbit/s. Category 5 is made up of two basic types of unshielded four-twisted-pair cables:
• UTP cable (Unshielded Twisted Pair), impedance of 100 ohms (most used).
• FTP cable (Foiled Twisted Pair), also with an impedance of 100 ohms, consisting of a simple aluminium foil wrapped around the four twisted pairs and protected by an outer sheath.
Both types of wiring were defined primarily by the U.S. standard ANSI/EIA/TIA-568. The requirements in terms of performance and quality improvement made it necessary to revise category 5 cabling with tighter characteristics. Category 5e meets them, but with the limitations shown in the comparison table below: the frequency range is the same (<100 MHz), the bit rate (1000 Mbps) too, and also the length (100 m).


The different characteristics measured (channel):

Measure (1) | Category 5 | Category 5e
Near-end crosstalk (NEXT) | 27,1 dB | 30,1 dB
Equal-level far-end crosstalk (ELFEXT) | 17 dB | 17,4 dB
Return loss | 8 dB | 10 dB
Attenuation | 24 dB/90 m | 24 dB/90 m

On Category 5e, we can use Ethernet 100BASE-TX and 1000BASE-T, and ATM 155 Mbps.

We use Category 7 cable where we need 10 Gigabit Ethernet: between the switches, the routers and the servers. It is specified in ISO/IEC 11801:2002, is backward compatible with Category 5 and 6 cabling, and is characterised up to 600 MHz. Category 7 cable has four twisted pairs that are shielded individually and collectively to reduce crosstalk; at minimum the overall screen is an aluminium foil (F/FTP). It is used with GG45 connectors, which remain compatible with RJ45, or with TERA connectors, which are not RJ45-compatible (and therefore not compatible with categories below 7) and are used specifically for applications where security requirements are high.


Chapter 2. Services


1. ToIP

A/ Context

Welcome to the world of voice over Internet Protocol (VoIP). With a VoIP service, phone calls travel over the Internet as data, just as e-mail does. This type of service can dramatically lower telecommunications costs while increasing productivity, and it provides features and capabilities that conventional phone technology cannot offer. Although VoIP is quickly gaining popularity, some businesses are still on the sidelines, concerned that VoIP audio quality is substandard, that the technology is difficult or costly to implement, or that their phone service will be interrupted if the power goes out. The truth is that VoIP's benefits far outweigh any potential drawbacks. Here is what you need to know about VoIP to decide whether it is right for your business, plus tips for making the most of the service.

1. The quality of VoIP service has come a long way since its inception. Early VoIP products required both parties to a conversation to be at a computer. Not only was this extremely limiting, but the sound quality was often poor. Today's VoIP services let you make and receive calls with standard phones or, better still, feature-rich IP phones. Sound quality has vastly improved too; many businesses have abandoned traditional phone systems in favour of VoIP, and many of them carry calls that originate and terminate inside their offices over their own data network, with further savings and benefits.

2. VoIP can significantly reduce telecommunications costs. Operating costs for VoIP providers are much lower than for traditional phone companies, which must maintain an expensive legacy infrastructure and comply with costly industry regulation. With lower expenses, VoIP providers can charge much less than their competitors, and a business no longer has to maintain separate networks for voice and data, another significant saving.

3. VoIP makes the phone system highly flexible. VoIP systems allow things that are simply not possible with traditional phone technology. For example, you can:

• Take your phone system with you. As long as you have access to a broadband connection, you can use your VoIP system anywhere, such as in a hotel room or at a friend's home. Customers and employees can stay in touch just by calling your regular business phone number--they don't need to call your cell phone, which means you can save precious cell phone minutes.

• Talk on your laptop. Many VoIP systems include telephony software that enables you to send and receive calls using a headphone/microphone unit connected to your computer. Now you won't miss an urgent call from a client, even when you're hanging out with your laptop at an internet café.


• Get voice mail and faxes with your e-mail. Many VoIP services can forward voice mail and faxes automatically to your regular e-mail inbox. You get all your messages in one place, and voice mail and faxes can easily be archived or forwarded to others. Users can also have their e-mails "read" to them as voice mail.

• Increase productivity. Many VoIP phone numbers can be configured to simultaneously ring on multiple devices--such as your cell and landline phones--before going to voice mail, thus eliminating time-consuming "phone tag." In a recent survey conducted by Sage Research, the increased productivity enabled by internet telephony added up to 3.9 hours per week, per employee.

• Use call forwarding. If the power goes out, your computer network may go down-- taking your VoIP service with it (unless you have a generator or other alternative power source). For backup, configure your VoIP service to automatically forward unanswered calls to a cell or landline number.

One thing is sure: VoIP technology keeps evolving, with compelling new benefits being developed for businesses. For example, some wireless PDA/phone combination devices use your VoIP service whenever a Wi-Fi network is in reach and your cellular service when it is not, giving a dramatic increase in mobility and a sharp decrease in cell phone charges. For larger businesses, a single IP network for both voice and data offers other advantages too; for example, an IP network can also support real-time, high-quality … No matter the size of your business, VoIP is a surprisingly flexible and affordable technology that offers the same sophisticated communication tools your enterprise-size competitors have.


B/ Hardware and software technology


a/ IP Telephony

Runs voice, data and video communications over a single, converged network. It includes call-processing software, telephones and endpoint devices. Featured products include:

• Cisco Unified IP Phones 7900 Series

Cisco Unified IP Phone 7940G

Scalable, Feature-Rich Communications

The Cisco Unified IP Phone 7940G is well suited for employees in a basic office cubicle environment--such as transaction type workers-- who conduct a moderate amount of business by phone.

• Cisco Unified IP Phone 7970G

Dynamic, Scalable, Integrated Communications

The Cisco Unified IP Phone 7970G delivers the latest technology and advancements in IP telephony. It not only addresses the needs of executives and major decision makers but also brings network data and applications to users without PCs. This state-of-the-art IP phone also enables customers and developers to deliver more innovative and productivity-enhancing Extensible Markup Language (XML) applications to the display.

• Cisco Unified Communications Manager (call manager)

Cisco Unified Communications Manager (version 6.1), licence for 2,500 IP phones.

Scalable, Distributable, and Highly Available

Cisco Unified Communications Manager (formerly Cisco Unified CallManager) is the call-processing component of the Cisco Unified Communications solution. It provides voice, video, mobility and presence services for businesses with up to 60,000 users. Unified Communications Manager is a scalable, distributable and highly available enterprise-class IP telephony call-processing system.

Cisco Unified Communications Manager creates a unified workspace that extends enterprise telephony features and capabilities to packet telephony network devices such as IP phones, media processing devices, voice over IP (VoIP) gateways, mobile devices and multimedia applications. Additional services, such as unified messaging, multimedia conferencing, presence, collaborative contact centres and interactive multimedia response systems, are made possible through open telephony APIs.

Cisco Unified Communications Manager can be deployed on Cisco 7800 Series Media Convergence Servers or on third-party servers from HP or IBM.

Cisco 7800 Series Media Convergence Servers

Servers for different cluster sizes: MCS-7845H-2400, cluster of up to 30,000; MCS-7835H-2266, cluster of up to 10,000; MCS-7825H-2266, cluster of up to 4,000; MCS-7815-1000, cluster of up to 200.

The MCS-7825H-2266 is equivalent to the HP DL320 G2. Our choice is the HP ProLiant DL320s: Dual-Core Xeon 3060 at 2.4 GHz, rack-mounted server, 1 GB of RAM.

• Cisco Unified Survivable Remote Site Telephony Version 4.1

Cisco Unified Survivable Remote Site Telephony functions in the branch-office router to automatically detect a failure in the network and initiate a process to autoconfigure the router, providing call-processing backup redundancy for the IP phones in that office and helping ensure that the telephony capabilities stay operational. Upon restoration of WAN connectivity, the system automatically shifts call processing back to the primary Cisco Unified Communications Manager cluster. The Cisco Unified Survivable Remote Site Telephony configuration needs to be completed only once during install, simplifying deployment, administration, and maintenance. No IT staff is required at the remote sites to manage the Cisco Unified Survivable Remote Site Telephony feature.


b/ Network Management

These tools are designed to improve productivity and reduce total cost of ownership through automation, integration and simplification. Featured products include:

• Cisco Unified Operations Manager

Comprehensive Monitoring and Diagnostics

Keep your Unified Communications systems running smoothly with Cisco Unified Operations Manager (Cisco UOM). This easy-to-use tool provides comprehensive monitoring and diagnostics for the entire unified communications system, including the multiple applications as well as the underlying transport infrastructure (IP fabric).

Cisco UOM is part of the Cisco Unified Communications Management Suite, and features out-of-the-box, real-time, service-level monitoring of all elements of your system. It performs automatic discovery of the entire system and provides contextual diagnostics for rapid troubleshooting. With Cisco UOM there are no rules to write, no thresholds to define, and no extensive and time-consuming initial setup.

• Cisco Unified Service Monitor

Measure and Improve the User Experience

Make sure your communications are clear and understandable with Cisco Unified Service Monitor. This low-cost, reliable tool continuously monitors active calls supported by the Cisco Unified Communications System and provides near real-time notification when the voice quality of a call fails to meet a user-defined quality threshold.

Part of the Cisco Unified Communications Management Suite, Cisco Unified Service Monitor includes the following two components:

• Sensor hardware, deployed close to the endpoint (IP phone, gateway, or voicemail system), monitors and evaluates call quality and reports this information for active calls in near real-time.


• Central service monitor software runs on a Windows Server 2003 platform and receives voice quality information from Cisco 1040 Sensors and from Cisco Unified CallManager 4.2 and 5.0 or Cisco Unified Communications Manager 6.0 systems.

c/ Communication Infrastructure

Routing, switching and other infrastructure products include voice gateways, switches with inline power, and voice servers for media processing software. Featured products include:

• Cisco Unified Border Element

Deliver Flexible Services at the Network Edge


The Cisco 7300 Series is optimized for flexible, feature rich IP/MPLS services at the network edge, where service providers and enterprises link together. The Cisco 7300 Series can be used for enterprise campus Internet gateway applications or be deployed by service providers as a high-end CPE router for enterprise-class managed service offerings. Coupled with powerful network processing, a broad set of interfaces and a compact, modular form factor the Cisco 7300 is ideal for intelligent, multi-gigabit network edge applications.

Deliver Integrated Services to Branch Offices and SMB

Cisco 3825 Integrated Services Router

The award-winning Cisco 3800 Series integrated services routers, ideal for medium-sized to large businesses and enterprise branch offices, simplify deployment and management, lower the cost and complexity of the network, and support mission-critical business applications by providing a highly secure platform with concurrent T3/E3 wire-speed delivery of:

• Data
• Security
• Voice
• Video
• Wireless


d/ Options

Cisco Unified Presence Server: collects information on users' availability and on the ways they can be reached, and makes it available within the Cisco Unified Communications environment.

Cisco Unified Mobility Manager: Cisco Mobile Connect associates mobile phone numbers with IP phone numbers; an incoming call is duplicated to the different devices so that all of them ring.

Cisco Unity, unified messaging and voice mail: a unified voice-mail system that gathers all messages in a single inbox and lets users retrieve them by phone, e-mail or the web.

Cisco Unity Connection: integrates voice mail, IMAP messaging, text-to-speech and speech recognition, and call routing behind a simple, dynamic user interface; it supports up to 1,500 users.


2. Directory

Active Directory

We need a directory and an authentication system in our architecture. The choice was between an LDAP directory (OpenLDAP, which is open source) and Windows Active Directory. We chose Active Directory because it directly integrates the two services we need, despite its cost compared with a FreeRADIUS + OpenLDAP solution. It is part of Microsoft Windows Server Enterprise Edition. Active Directory identifies every object on the network, whether users, machines or applications; it is thus the central hub of the whole network architecture and lets a user locate and access any resource it knows about. It is a tool for users, but since it gives an overall view of all resources and the rights attached to them, it is also an administration and network-management tool: it provides the means to distribute the directory across the network, replicate it, secure it and partition it. Its structure lets it manage centrally networks ranging from a few computers to corporate networks spread across several sites. Because it holds every account and every right, the domain controllers are the most sensitive servers in the design and must not be reachable from the DMZ or from the Internet. Several reasons explain the choice of AD:
• Simpler to manage.
• Easy to deploy.
• Fully integrated security in the form of user logon and authentication.
• Easier administration through group policies and permissions.
• Easy identification of resources.
• Scalability, flexibility and extensibility.
• Tight integration with DNS for all its operations, which helps with identification and migration.
• Automatic replication of information between domain controllers.
• Integration with other directory services.
• Support for multiple authentication protocols (Kerberos and NTLM).


3. DNS

DNS resolves the name typed in the browser to the actual address of the machine on the Internet. It also indicates the mail server for a domain (MX record). We chose HP ProLiant servers for DNS for their price and so that all our servers come from the same product line.

The figure below shows how DNS works in our architecture with several DNS servers. The two external servers handle the names of a fictitious public domain, test.fr. Another, private DNS server handles a fictitious private domain, here.local, which is invisible from the Internet. Two unrelated DNS servers somewhere on the Internet are also represented. Our internal DNS servers are installed in the protected network zone, both for the domain visible from the Internet (test.fr) and for the private domain (here.local). Several DNS servers must be reachable from the Internet to serve the public domain test.fr (a requirement for being granted a domain name); a second server is located in a DMZ.

Several kinds of DNS traffic cross the network:
• Recursive queries, normally sent by clients to their usual DNS server, which resolves the name on their behalf.
• Iterative queries, the resolution requests generally exchanged between DNS servers themselves.
• Zone transfer requests, exchanged between a secondary server and the primary server of the same zone so that the secondary holds a copy of the zone it serves.

Our DNS servers play both roles: servers in the strict sense, answering incoming queries from clients (including other DNS servers) for the zone they manage (test.fr in our example); and forwarders, performing outgoing resolution for internal clients and keeping a cache to speed it up.

External DNS server 1 holds the reference data for our company's public domain (test.fr). It also performs DNS resolution on the Internet on behalf of all workstations, but its configuration restricts this recursive service to practically a single client, the internal DNS server, so that it never becomes an open resolver; zone transfers of test.fr should likewise be restricted to its declared secondary servers. This matches the flow paths wanted in the network architecture. Since the internal DNS server sits directly behind the server that reaches the Internet, it does not need its own cache, which would duplicate the one at the next level; it is best run in pure forwarder mode. The point of our architecture is to protect the company's private internal DNS server as much as possible: it never reaches the Internet directly, yet still provides every DNS service the LAN workstations need, including the resolution of names outside the company. This server also resolves the company's internal names (the here.local zone), which it manages directly. Workstations therefore reach all zones transparently.
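The split-DNS behaviour described above, as an added example that is not part of the original study: a Python check that parses DNS queries from their RFC 1035 wire format, classifies them as recursive, iterative or zone-transfer requests, and applies the policy each server role should enforce (external server 1 answers for test.fr to anyone, recurses only for the internal forwarder and transfers the zone only to its secondary; the internal forwarder answers here.local itself, forwards the rest and is reachable only from the LAN). The addresses (10.0.0.53 for the internal forwarder, 198.51.100.2 for the public secondary, 10.0.0.0/8 for the LAN), the absence of a secondary for here.local, the sample packets and the function names are assumptions made for the example.

```python
import ipaddress
import struct

# Assumed addressing for the example (not taken from the original study).
INTERNAL_FORWARDER = "10.0.0.53"          # internal DNS server, forwarder-only, protected zone
SECONDARY_DNS = "198.51.100.2"            # public secondary authoritative server for test.fr
LAN_NET = ipaddress.ip_network("10.0.0.0/8")  # headquarters and agency LANs

PUBLIC_ZONE = "test.fr"
PRIVATE_ZONE = "here.local"
QTYPE_AXFR = 252                          # zone transfer request (RFC 1035 section 3.2.3)


def build_query(qname, qtype, rd=True, txid=0x1234):
    """Encode a minimal DNS query in wire format (used only to construct sample input)."""
    flags = 0x0100 if rd else 0x0000      # RD bit: the client asks for recursion
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_query(packet):
    """Return (qname, qtype, recursion_desired) from a raw DNS query packet."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:                           # walk the length-prefixed labels of QNAME
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                 # compression pointers never appear in a question
            raise ValueError("unexpected compression pointer in QNAME")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question section")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, bool(flags & 0x0100)


def classify(qtype, rd):
    """Map a query to the three kinds of DNS traffic described in the text."""
    if qtype == QTYPE_AXFR:
        return "zone-transfer"
    return "recursive" if rd else "iterative"


def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)


def external_server_policy(src_ip, packet):
    """External DNS server 1: authoritative for test.fr, recursion for one client only."""
    qname, qtype, rd = parse_query(packet)
    kind = classify(qtype, rd)
    if kind == "zone-transfer":
        # Zone data leaves the server only towards the declared secondary.
        return "allow" if in_zone(qname, PUBLIC_ZONE) and src_ip == SECONDARY_DNS else "refuse"
    if in_zone(qname, PUBLIC_ZONE):
        return "allow"                    # authoritative answer, open to everyone
    # Names outside our zone need recursion: serve the internal forwarder, never the Internet.
    return "allow" if src_ip == INTERNAL_FORWARDER else "refuse"


def internal_forwarder_policy(src_ip, packet):
    """Internal DNS server: serves here.local itself, forwards everything else upstream."""
    qname, qtype, rd = parse_query(packet)
    if ipaddress.ip_address(src_ip) not in LAN_NET:
        return "refuse"                   # not reachable from outside the LAN
    if classify(qtype, rd) == "zone-transfer":
        return "refuse"                   # assumption: no secondary exists for here.local
    if in_zone(qname, PRIVATE_ZONE):
        return "answer-local"
    return "forward"                      # pure forwarder mode, upstream = external server 1


if __name__ == "__main__":
    # Constructed sample traffic as seen by external server 1: (source address, query).
    samples = [
        ("203.0.113.9", build_query("www.test.fr", 1)),                  # Internet client, our zone
        ("203.0.113.9", build_query("www.example.com", 1)),              # Internet client wants recursion
        ("203.0.113.9", build_query("test.fr", QTYPE_AXFR, rd=False)),   # AXFR from a stranger
        (SECONDARY_DNS, build_query("test.fr", QTYPE_AXFR, rd=False)),   # AXFR from our secondary
        (INTERNAL_FORWARDER, build_query("www.example.com", 1)),         # forwarder asking upstream
    ]
    for src, pkt in samples:
        name, qtype, rd = parse_query(pkt)
        print(f"{src:>15}  {classify(qtype, rd):<13} {name:<18} -> {external_server_policy(src, pkt)}")
```

The parser rejects responses (QR bit set) and compression pointers in the question so that malformed packets fail closed rather than being misclassified; in a real deployment the same decisions are expressed in the server configuration (recursion and transfer ACLs) rather than in application code.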

4. SMTP

Solution

The mail server is located in the external DMZ. We chose Microsoft Exchange Server, which is widely deployed. It provides a reliable messaging system with built-in protection against spam and viruses. Company users can access e-mail, voice mail, calendars and contacts from a wide variety of devices and from any location. The advantages of this mail server are:
• Protection: anti-spam, antivirus, compliance, clustering with data replication, improved security and encryption.
• Information worker access: improved calendaring, unified messaging, improved mobility, improved web access.
• IT experience: 64-bit performance and scalability, command-line shell and simplified GUI, improved deployment, role separation, simplified routing.
• Unified messaging lets users receive voice mail, e-mail and faxes in their mailboxes and reach those mailboxes from cell phones and other wireless devices. Voice commands can be used to control and listen to e-mail over the phone (and to send some basic messages, such as "I'll be late").
• No more maximum database size: the database size is now limited only by hardware capability and by the backup and maintenance window.
• Up to 50 storage groups and 50 mail databases per server in Enterprise Edition.

Deployment

We place two mail servers in the headquarters' external DMZ so that users outside the company can reach the mail service. Each user gets 400 MB of storage, planned for 1,700 users who will use Microsoft Outlook on their workstations, plus nomadic users. Since Exchange supports role separation, only the Internet-facing transport role needs to be exposed in the DMZ; the mailbox databases themselves are better kept in the protected zone.

5. Intranet & Extranet

Software

For the intranet and extranet we need a web server combining an HTTP server, a database server and PHP. We chose LAMP, a widely deployed stack. LAMP is an open-source solution, unlike WAMP, which runs on Windows instead of Linux. The stack comprises four components:
• Linux
• Apache HTTP Server, a free/open-source web server and the most widely used
• MySQL, a multithreaded, multi-user SQL database management system (DBMS) owned by Sun Microsystems, with more than eleven million installations
• PHP


Chapter 3. Deployment and Budget


1. Deployment

We recommend two teams: one to deploy the cabling and another to install the hardware and software infrastructure at each site.

Deployment                                                Time (d/m = man-days)                          Price
Headquarters, cable installation                          8 d/m per floor + 10 d/m basement = 90 d/m     45 000 €
Headquarters, hardware and software installation          6 d/m per floor + 15 d/m basement = 75 d/m     45 000 €
Agencies, hardware and software installation              4 d/m per agency = 40 d/m                      25 000 €
Agencies, cable installation                              4 d/m per agency = 40 d/m                      20 000 €
Total                                                     245 d/m                                        135 000 €


The deployment is in two parts. In the first part we work on two sites: the headquarters (basement and 1st floor) and one agency. We start by installing the cabling and then deploy the whole architecture (hardware and software).

First step

Team     Deployment                              Date                               Place
Team 1   Cable installation                      Day 1, 08:00 to Day 5, 12:00       Headquarters, basement and 1st floor
Team 2   Hardware and software installation      Day 6, 08:00 to Day 11, 10:00      Headquarters, basement and 1st floor
Team 1   Cable installation                      Day 6, 10:00 to Day 6, 18:00       1st agency
Team 2   Hardware and software installation      Day 12, 10:00 to Day 12, 18:00     1st agency

Test it out. Rather than switching everyone at once, test all services first with just a few users. Once we are satisfied with the service, we roll it out to the other employees (keeping the traditional phone system up and running during the transition as a backup). During this test period we start deploying the cabling on the other floors and in the other agencies.

Second step

Team     Deployment                              Date                               Place
Team 1   Cable installation                      Day 8, 08:00 to Day 26, 18:00      Headquarters, the 9 other floors
Team 1   Cable installation                      Day 26, 08:00 to Day 40, 18:00     The 9 other agencies, including travel between sites
Team 2   Hardware and software installation      Day 27, 08:00 to Day 40, 12:00     Headquarters, the 9 other floors
Team 2   Hardware and software installation      Day 41, 08:00 to Day 55, 18:00     The 9 other agencies, including travel between sites


CAPEX

Equipment                            Model                                         Quantity     Unit price      Comments                                                        Total

Headquarters
IP phones                            Cisco Unified IP Phone 7940G / 7970G          1000 / 200   200 € / 300 €                                                                   260 000 €
Interconnection routers              Cisco 7301 Router                             2            22 000 €        router + backup router                                          44 000 €
Firewalls (DMZ)                      Cisco ASA 5520                                2            3 680 €         stateful failover                                               7 720 €
48-port interconnection switches     Cisco Catalyst 3560 Gigabit                   2            4 500 €                                                                         9 000 €
RJ45 Category 7 cable (10 Gb), 10 m                                                30           1.2 €/m         intranet, extranet, SMTP, ToIP, DNS, LDAP, supervision           360 €
NAS servers                          EMC Celerra NS80                              2            20 000 €                                                                        40 000 €
48-port NAS switches                 Cisco Catalyst 3560 Gigabit                   2            4 500 €         NAS                                                             9 000 €
Storage bays                                                                       25           750 €                                                                           18 750 €
Storage disks, 4 TB (3 + 1 backup)   HP StorageWorks 1/8 G2 Tape Autoloader        4            2 099 €                                                                         8 400 €
24-port interconnection switches     Cisco Catalyst 3560 Gigabit                   4            2 500 €         2 + 2 backup                                                    10 000 €
RJ45 Category 7 cable (10 Gb), 100 m                                               20           1.2 €/m                                                                         2 400 €
Application servers                  HP ProLiant DL320s                            17           3 000 €                                                                         51 000 €
ToIP licences                        Cisco Unified Operations Manager                                                                                                           17 500 €
                                     Cisco Unified Service Monitor                                                                                                              18 000 €
                                     Cisco Unified Communications Manager                                                                                                       4 600 €
                                     Service licence                                                                                                                            30 000 €

Floors
48-port switches                     Cisco Catalyst 3750                           30           5 000 €         3 per floor                                                     150 000 €
RJ45 Category 5e cable (100 Mbps)                                                  2 500        0.5 €/m         250 cables per floor: 150 phone-to-outlet at 30 m, 100 PC-to-phone at 5 m   25 000 €
RJ45 Category 7 cable (10 Gb), 2 m                                                 30           1.2 €/m         10 per floor                                                    72 €
Repeaters                                                                          3            300 €                                                                           900 €

Agencies
IP phones                            Cisco Unified IP Phone 7940G / 7970G          500 / 100    200 € / 300 €                                                                   130 000 €
48-port interconnection switches     Cisco Catalyst 3750                           40           5 000 €         2 switches per agency                                           200 000 €
Routers                              Cisco 3825 Integrated Services Router         10           5 500 €         router + backup router                                          55 000 €
RJ45 Category 5e cable (100 Mbps)                                                  1 400        0.5 €/m         700 at 5 m and 700 at 30 m                                      12 250 €
RJ45 Category 7 cable (10 Gb), 2 m                                                 30           1.2 €/m                                                                         72 €

Stated CAPEX total: 843 621 € (the line items as listed above sum to 1 104 024 €).


OPEX (monthly)

Type                 Unit price    Number    Total
VPN installation     500 €         11        5 500 €
SDSL connection      500 €         11        5 500 €

OPEX + CAPEX

OPEX: 11 000 € × 12 = 132 000 €
CAPEX: 135 000 € + 843 621 € = 978 621 €
OPEX + CAPEX: 1 110 621 €
Total including contingency fund: 1 300 000 €


Conclusion


This project was carried out in a climate of warm and frank exchange, and confirmed the vitality of the interaction among all the members. This experience helped consolidate the base we already had in network infrastructure. It also taught us to work as a team.


END OF THE DOCUMENT
