Network Health Assessment

kindlyminnow, Networks and Communications, 26 Oct 2013


LEA Name: Surry County Schools

Primary POC: Jill Reinhardt, Director of Technology
reinhardtj@surry.k12.nc.us
336-386-8211 x138

Technical POC: David Brown, Network Coordinator
DBrown@surry.k12.nc.us
336-386-8211

Date Data Collected: 5/27/2009, 6/19/2008








Table of Contents

1    Executive Summary ........................................ 3
2    Data Collection and Testing Process Summary .............. 5
3    Results and Observations ................................. 6
     3.1  Design/Configuration ................................ 6
     3.2  Security ............................................ 8
     3.3  OA&M ................................................ 8
     3.4  Performance/Capacity ................................ 8
     3.5  Physical Plant ...................................... 15
4    Recommendation Summary ................................... 17
     4.1  Design & Configuration .............................. 17
     4.2  Security ............................................ 19
     4.3  OA&M ................................................ 20
     4.4  Performance & Capacity .............................. 21
     4.5  Physical Plant ...................................... 21
Appendix A: Network Checklist ................................. Attached
Appendix B: Cacti Utilization Graphs .......................... Attached
Appendix C: SmokePing Performance Graphs ...................... Attached
Appendix D: ASA Firewall Audit ................................ Attached




1 Executive Summary

During the on-site data assessment, the Client Network Engineering (CNE) team used the network core located at the district Central Office (CO) as the primary data collection point. Each remote school campus was also visited. Network monitoring tools were used to gather operational and performance data for the Wide Area Network (WAN) and school Local Area Networks (LANs). Network device commands were used to gather configuration and general network health data. This network assessment is based on the review and analysis of the collected data.

At the time of the assessment, the WAN was in the process of being upgraded while the core was pending a migration to a new facility. As a result, the performance data will simply serve as a baseline to compare against results gained after the WAN migration and core relocation projects are completed.

The State Educational Technology Directors Association (SETDA) recommends for the next one to two years:

- An external connection to the Internet Service Provider of 10 Mbps per 1,000 students/staff
- Internal wide area network connections from the district to each school and between schools of at least 100 Mbps per 1,000 students/staff

SCS Internet bandwidth meets this recommendation. After the WAN upgrade is completed, the WAN bandwidth will also meet recommended speeds with the exception of Mountain Park Elementary (utilizing T1). The VPN connections managed by STMC were noted to have some performance issues during the assessment that need some attention.

Surry County Schools (SCS) utilizes a star network topology, where all outbound traffic from remote schools traverses a WAN provided by Surry Telephone Membership Corporation (STMC). The WAN is a mixed environment incorporating fiber-based access (ranging in speeds from 45Mbps to 100Mbps), T1 circuits and managed VPN access as shown in Figure 3.1. STMC aggregates WAN connectivity onto a single 1 Gbps circuit to the CO. MCNC provides egress connectivity via a 100Mbps service to the Internet and North Carolina Research and Education Network (NCREN). The WAN is routed and completely managed by STMC. At the time of the assessment, the WAN was in the process of being upgraded from 45Mbps to 100Mbps at fiber-based locations. Flat Rock Elementary, currently off of a T1, is pending a migration to fiber.

The school campus LANs consisted of two very different types of deployments. SCS is in the process of upgrading the cable plant, facilities and network infrastructure at various schools as budget allows. Four schools were noted to have been upgraded during the assessment while twelve schools were pending resources.

The locations that have not been upgraded consist of a single flat VLAN merely connected by unmanaged Ethernet switches. The default router of these schools is the STMC WAN router. This design offers no flexibility or scalability to provide advanced computing services associated with 1:1 computing. There is no Wireless LAN (WLAN) deployed and the wired infrastructure cannot be managed or monitored remotely.

In contrast, the newly upgraded schools have been meticulously deployed using a standardized template which can be replicated over many schools. This design incorporates high-end Cisco Catalyst switches with a 4506 serving as the core layer 2/3 switch and aggregation point for 3750 access switches. All copper ports are Power Over Ethernet (POE) capable, which will help with possible future deployments of WLAN and Voice over IP (VoIP). The network environment has been deployed using Cisco best practices, is highly scalable, and will clearly serve as an excellent foundation in support of future 1:1 computing initiatives. The physical plant at these locations was installed using excellent craftsmanship which is rarely seen across districts in North Carolina. HVAC upgrades and UPS were being planned at these locations as well. The only component missing from the new school templates is a WLAN deployment. SCS is considering utilizing a Cisco WLAN approach starting at Gentry Middle and will deploy wireless support as warranted.

While the core had not been relocated to the new location, MCNC was able to look at the new facility towards the end of the construction phase. SCS is in desperate need of a new core location with adequate space, power, HVAC and cable infrastructure. The new facility appears to be designed with all of these requirements in mind and will serve as an excellent core. The investment being made in these facilities will allow SCS to scale both network and server infrastructure. As the WAN is upgraded, centralizing computing resources and/or virtualization will become possible. SCS will need to upgrade the core network infrastructure in a similar fashion to that of the school LANs.

SCS has a good plan moving forward to support future 1:1 computing initiatives. Assuming that funding allows the necessary upgrades, SCS will be in fine shape from an infrastructure perspective. SCS has a small, but very capable and talented staff. SCS will likely be understaffed after infrastructure upgrades and 1:1 implementations. Funding for additional staff should be included with infrastructure growth.

Moving forward, MCNC has a few recommendations regarding the new design templates. It may be possible to reduce some infrastructure costs associated with the new deployments depending on the requirements for wired vs. wireless infrastructure. MCNC is available to assist with any design changes as needed. In addition, MCNC is available to assist with the WLAN deployment with planning, design and deployment. MCNC will assist SCS to re-characterize the network (throughput, latency and packet loss) after the WAN migration and core relocation as planned.








2 Data Collection and Testing Process Summary

Data collection and testing focused in three key areas as follows:

Physical-layer analysis:

1. Physical inventory of all network infrastructure and LAN cabling
2. Automated network discovery and mapping using SolarWinds LANsurveyor
3. Packet capture and analysis at the core switch at each school using Wireshark: the physical layer was inspected by capturing packets at each location and analyzing them for problems and anomalies
4. Analysis of switch logs and port errors.

Configuration analysis:

1. Analysis of core switch configurations: configurations compared against best practices published by major switch manufacturers.

Network Performance analysis:

1. Network utilization analysis: examine network utilization for WAN and Internet access connections using Cacti for WAN connections.
2. Network latency analysis: examine network latency across the WAN using SmokePing
3. Throughput analysis: examine link and end-to-end throughput using the Network Diagnostic Tool (NDT) developed by I2.






3 Results and Observations

A detailed list of specific areas observed and noted results can be found in the Network Check List (Appendix A).

3.1 Design/Configuration

Figure 3.1: SCS High Level Topology

Metro Ethernet Aggregation

The Surry County Schools (SCS) network environment is a star topology with the Central Office (CO) serving as the center and 19 other locations at the edge. At the time of the assessment, connectivity was provided by Surry Telephone Membership Corporation (STMC) via 45Mbps Metro Ethernet links, T1 circuits or managed VPN. The 45Mbps schools are connected via fiber and were in the midst of being upgraded to 100Mbps during the assessment. Flat Rock, currently connected via T1, will be migrated to a fiber connection in the near future. The WAN is routed and managed by STMC, including the ATI 8624 in the CO serving as the core router.

Internet Access

MCNC provides connectivity to the Internet through the 100Mbps NCREN connection. MCNC has provided SCS the public address space of 152.26.7.0/27 for Internet access. In addition, MCNC address space was also provided to support SCS video conferencing needs. The address space dedicated to video conferencing is 152.26.241.0/28.

Core Environment

At the time of the assessment, the network core was located at the CO. A new facility was being constructed which included data center space dedicated to server and network infrastructure. The core will be relocated to this location upon completion. The existing room housing core infrastructure has obvious challenges with space, HVAC and power. SCS is clearly on the right path with a pending move of the core to a new location.

The core router is an ATI 8624 managed by STMC. Static routes are configured at this router for WAN connectivity, while school CPE routers are defaulting back to the core. The ATI 8624 also provides connectivity for the CO LAN. The LAN switching of the core consists of the ATI 8624 with the addition of several low-end Ethernet switches ranging from a managed (STMC) Cisco 2900 Catalyst to various unmanaged switches.

School Campuses

There are two main flavors of school LAN architectures: “old” and “new”.

The old environments have yet to be upgraded and simply consist of various unmanaged switches aggregated together using ad-hoc cabling. The LAN is a single flat VLAN with the STMC WAN router acting as the default gateway for users. This architecture is primitive and offers no scalability or management functions needed for advanced computing/services. The local cable plant, HVAC and power are all in need of improvement at these locations.

The new network environments are a stark contrast to the older LANs. These E-Rate eligible schools have been completely re-wired with first-class craftsmanship using high-end materials for cable plant, racks and cable management. The network infrastructure consists of a core Cisco 4500 Catalyst switch feeding various Cisco 3750 switches (stacks) for aggregation. All ports are Power-Over-Ethernet (POE) capable. The 4500s serve as the core routers for each location and are meticulously configured using standardized templates to be replicated across schools. The power and HVAC at these locations was acceptable or had planned upgrades.

DNS

SCS manages internal DNS via Microsoft while MCNC manages external DNS.

Wireless

There is no current wireless deployment at school locations managed by SCS. At a few locations, mobile carts have Access Points available to serve laptops. There is a plan to move towards 1:1 computing in which wireless LANs will play a major role. SCS will evaluate options moving forward.


3.2 Security

Firewalling/ACLs

A Cisco ASA 5510 and SonicWALL Pro 3060 are providing firewalling services for SCS. The ASA is viewed as the primary firewall while the SonicWALL denies a few specific web proxies and provides content filtering services. There are only “external” and “internal” security zones with no DMZs currently configured. Users are housed within the same trusted zone as server infrastructure, including the district AS400.

Content Filtering

Content filtering is provided by a SonicWALL Pro 3060. SCS is investigating other content filtering options including LightSpeed.

Traffic Shaping

During the assessment, a Packeteer with a 50Mbps license threshold was removed from the network. Freedom9 Slim 100 devices were seen at each High School to provide rate limiting.

Remote Access

VPN access is achieved using the Cisco ASA and Cisco VPN Client.

Admin Access

Administrative access to network devices is performed mostly via telnet, SSH or HTTP/HTTPS. There are multiple local user accounts configured on the infrastructure with no external authentication. Access is typically restricted to trusted subnets/hosts.
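The admin-access observations above (telnet alongside SSH, multiple local accounts with no external authentication, access restricted to trusted subnets) are the kind of thing that can be checked mechanically across every managed switch rather than by reading each configuration by hand. The following Python script is an added example, not part of the MCNC report or of the SCS configuration template: it audits a constructed Cisco IOS-style configuration excerpt (hostname, addresses and account names are placeholders) for the management-plane items this section and section 3.3 mention, and a hardened excerpt with the same intent is included beside it so the two can be compared.

```python
"""Added example, not from the MCNC report: audit the management plane of an
IOS-style switch config for the items noted in section 3.2 (telnet, local
accounts without AAA, per-line access restriction, HTTP) and section 3.3 (NTP,
logging). Both configs below are constructed placeholders, not SCS devices."""

# Constructed "before" excerpt: telnet still allowed, second vty range
# unrestricted, plaintext HTTP, local accounts only.
WEAK_CONFIG = """\
hostname school-access-1
!
username admin privilege 15 secret 5 <hash-placeholder>
username backup privilege 15 secret 5 <hash-placeholder>
!
ntp server 10.0.0.1
logging host 10.0.0.2
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
ip http server
no ip http secure-server
!
line vty 0 4
 access-class 10 in
 transport input telnet ssh
line vty 5 15
 transport input telnet
"""

# Constructed "after" excerpt with the same intent, hardened.
HARDENED_CONFIG = """\
hostname school-access-1
!
aaa new-model
aaa authentication login default group radius local
username admin privilege 15 secret 5 <hash-placeholder>
!
ntp server 10.0.0.1
logging host 10.0.0.2
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
no ip http server
ip http secure-server
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 access-class 10 in
 transport input ssh
"""


def vty_stanzas(config):
    """Map each 'line vty ...' stanza to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit_management_plane(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    for name, cmds in vty_stanzas(config).items():
        transports = [c for c in cmds if c.startswith("transport input")]
        # no 'transport input' falls back to the platform default; treat as open
        if not transports or any("telnet" in c for c in transports):
            findings.append(f"{name}: telnet permitted (use 'transport input ssh')")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class, not limited to trusted subnets")
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append("plaintext HTTP management enabled without HTTPS")
    local_users = [l for l in lines if l.startswith("username ")]
    external_auth = any(l.startswith("aaa authentication login") and " group " in l
                        for l in lines)
    if not external_auth:
        findings.append(f"{len(local_users)} local account(s), no external (AAA) authentication")
    if not any(l.startswith("ntp server") for l in lines):
        findings.append("no NTP server configured")
    if not any(l.startswith("logging host") for l in lines):
        findings.append("no remote syslog host configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_management_plane(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The weak excerpt produces five findings (telnet on both vty ranges, the second range without an access-class, plaintext HTTP, and two local accounts with no AAA), the hardened one none. Run against a directory of configuration backups, the same function gives a per-switch list that can be tracked to zero as the new template is rolled out.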


3.3 OA&M

SCS is currently using a variety of SolarWinds products for monitoring and systems management. Many districts have not invested in tools to ensure proper management and operations of the network infrastructure. SCS has shown a real understanding of operations and is on the right path. It is likely that the SolarWinds applications need to be updated, but they are useful in their current capacity. SCS expressed some interest in additional open source tools such as SmokePing, Cacti and NDT.

The older LAN environments are completely unmanageable due to the infrastructure deployed. The new environments are already configured with Cisco best practices in mind for management and monitoring. NTP was configured within the newer deployments.






3.4 Performance/Capacity

MCNC engineers measured bandwidth utilization, throughput, latency (delay), and packet loss from each school location in the SCS network.

Utilization

Statistics collection was performed on switches located at each school campus. Utilization graphs from individual ports throughout the network are included in Appendix B. Because the majority of the schools have solely unmanaged switches deployed, utilization statistics could not be obtained. This left only a few recently upgraded schools for utilization data collection.

The STMC Metro Ethernet connectivity is provided at varying speeds to each location. As discussed earlier, an upgrade is underway for the majority of the school Metro Ethernet connections to 100Mbps. The assessment was performed in the midst of this upgrade, so from a utilization perspective most locations will receive a large increase in available capacity in the very near future. The following graph shows that the aggregate Metro Ethernet utilization as seen by the ATI 8624 router in the CO is averaging around 30Mbps with periodic peaks of up to 40Mbps. It should be noted that all of the utilization graphs are based on two hour averages, so the peaks are likely to be “smoothed” as granularity is not shown. SCS has already made the necessary plans to upgrade the Metro connectivity from 45Mbps to 100Mbps.



Figure 3.4.1: Central Office Metro Ethernet Bandwidth Utilization
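The caveat above, that two-hour averages smooth away the peaks, is easy to quantify. The following Python example is added here and is not part of the MCNC report: it builds a constructed day of 5-minute samples for a 45Mbps Metro Ethernet circuit (the traffic shape, the polling interval and the link rate are assumptions, not SCS data), re-averages them into two-hour windows the way an RRD consolidation step behind a Cacti graph would, and reports how much apparent headroom the averaging creates.

```python
"""Added example, not from the MCNC report: how averaging interval hides
utilization peaks. All traffic samples are constructed, not SCS measurements."""
from statistics import mean

LINK_MBPS = 45.0        # assumed nominal Metro Ethernet rate before the upgrade
SAMPLE_SECONDS = 300    # assumed raw polling interval (one sample every 5 minutes)


def constructed_samples():
    """One day of 5-minute samples (Mbps): ~2 Mbps overnight, ~30 Mbps during
    school hours, plus three 10-minute bursts that saturate the circuit."""
    samples = []
    for i in range(24 * 3600 // SAMPLE_SECONDS):
        hour = i * SAMPLE_SECONDS / 3600
        if 8 <= hour < 15:
            mbps = 30.0
            # first two samples of hours 9, 11 and 13 pin the link at 45 Mbps
            if int(hour) in (9, 11, 13) and i % 12 < 2:
                mbps = LINK_MBPS
        else:
            mbps = 2.0
        samples.append(mbps)
    return samples


def average_window(samples, window_seconds):
    """Consolidate raw samples into fixed windows (RRD-style averaging).
    Returns one mean per window."""
    per_window = window_seconds // SAMPLE_SECONDS
    return [mean(samples[i:i + per_window])
            for i in range(0, len(samples), per_window)]


def smoothing_report(samples, window_seconds=7200, link_mbps=LINK_MBPS):
    """Compare the true peak with the peak visible after averaging."""
    averaged = average_window(samples, window_seconds)
    raw_peak, avg_peak = max(samples), max(averaged)
    return {
        "raw_peak_mbps": raw_peak,
        "averaged_peak_mbps": round(avg_peak, 2),
        "raw_headroom_mbps": round(link_mbps - raw_peak, 2),
        "averaged_headroom_mbps": round(link_mbps - avg_peak, 2),
        "saturated_samples": sum(1 for s in samples if s >= link_mbps),
    }


if __name__ == "__main__":
    for key, value in smoothing_report(constructed_samples()).items():
        print(f"{key:>24}: {value}")
```

With this constructed day the two-hour graph tops out at 31.25Mbps and appears to leave almost 14Mbps of headroom, while the raw samples show the circuit was pinned at 45Mbps six times. When sizing a circuit for 1:1 computing, base the decision on the raw polling interval (or a 95th percentile of it) rather than on the consolidated graph.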






Figure 3.4.2 shows traffic sent to the MCNC router, which consists of both Internet and NCREN connectivity. The graphs show that SCS is consistently using approximately 31Mbps during school hours with peaks close to 40Mbps. This suggests that there is plenty of available capacity on the MCNC 100Mbps circuit.

Figure 3.4.2: Internet and NCREN Connectivity

The following graph shows a close-up view of egress traffic from SCS to the MCNC router on 5/28/2009. This shows a more granular view of the data. As SCS looks towards a 1:1 computing initiative, the existing MCNC link should have enough capacity to incorporate the additional connectivity requirements.

Figure 3.4.3: Internet and NCREN Connectivity, 5/28/2009

Figure 3.4.4: Plymouth High School Metro Ethernet Bandwidth Utilization, 5/28/2009

Figures 3.4.5, 3.4.6 and 3.4.7 show Flat Rock, Franklin, and Gentry WAN utilization respectively. The averaged data is fairly low with ample headroom for additional capacity.



Figure 3.4.5: Flat Rock Metro Ethernet Bandwidth Utilization

Figure 3.4.6: Franklin Metro Ethernet Bandwidth Utilization

Figure 3.4.7: Gentry Metro Ethernet Bandwidth Utilization





Bandwidth

A throughput analysis (using NDT) was performed for remote locations as seen from the CO LAN. Metro Ethernet throughput results (summarized in Table 3.4.1) show that some locations (highlighted in green) have already been upgraded from 45Mbps to 100Mbps circuits. Poor results were seen at both Pilot Middle and Westfield Elementary (highlighted in red). SCS followed up with STMC after the assessment and worked through the underlying issues to improve performance. The rest of the results can simply be ignored as the locations are likely to be upgraded in the very near future. MCNC has left the NDT server onsite at SCS to use after the upgrades are complete to re-characterize the WAN.

Table 3.4.1: NDT Results for WAN Links

School                     Link Type             Upstream (Mbps)   Downstream (Mbps)
Central Office             Fast Ethernet (LAN)   94.15             92.28
Surry Central              fiber                 92.67             91.7
East Surry                 fiber                 33.08             43.61
Meadowview Middle          fiber                 29.12             23.8
Pilot Middle               fiber                  8.14             43.17
Cedar Ridge Elementary     fiber                 30.33             35.16
Shoals Elementary          fiber                 33.16             44.05
White Plains               fiber                 30.75             35.69
Dobson Elementary          fiber                 93.26             92.17
Franklin Elementary        fiber                 28.86             30.46
Mountain Park Elementary   T1                     1.45              1.47
Westfield Elementary       fiber                  2.79              4.67
Central Middle             fiber                 93.97             85.4
Flat Rock Elementary       T1                     1.47              1.28
Copeland Elementary        fiber                 32.93             43.11
North Surry High           fiber                 19.07             23.05
Gentry Middle              fiber                 29.02             15.65
Bus Garage                 VPN                   n/a               n/a
Maintenance                VPN                   n/a               n/a
Early College              VPN                   n/a               n/a
CO-to-MCNC*                fiber                 64.74             46.98

* Packeteer was removed to obtain results over 50Mbps


Latency and Packet Loss

SmokePing was used to gather latency and packet loss data (as seen from the CO LAN). The results are summarized in Table 3.4.2. Links where additional loss or abnormal latency was observed are highlighted in yellow. Raw data can be found in Appendix C.

Table 3.4.2: SmokePing Results Summary (6/19/2009)

                                        Round Trip Time (ms)       Packet Loss (%)
Location                   Link Type    Avg    Max    Min         Avg     Max     Min
Surry Central              fiber        0.931  3.7    0.902       0       0       0
East Surry                 fiber        1.9    9.8    1.6         0.10%   3.92%   0
Meadowview Middle          fiber        1.5    7.8    1.4         0       0       0
Pilot Middle               fiber        1.9    7.9    1.8         0       0       0
Cedar Ridge Elementary     fiber        2.1    6.9    1.9         0       0       0
Shoals Elementary          fiber        1.4    5.6    1.4         0       0       0
White Plains               fiber        1.5    4.2    1.4         0       0       0
Dobson Elementary          fiber        1      5.1    0.881       0       0       0
Franklin Elementary        fiber        1.9    6.8    1.8         0.01%   3.93%   0
Mountain Park Elementary   T1           6.7    19.3   6.5         0       0       0
Westfield Elementary       fiber        1.9    6.2    1.7         0.03    3.93%   0
Central Middle             fiber        1.4    26.6   0.82        0.37    93.60%  0
Flat Rock Elementary       T1           4.3    18.8   3.9         0       0       0
Copeland Elementary        fiber        2      4.6    1.9         0       0       0
North Surry High           fiber        2.5    7.3    2.3         0.01%   3.92%   0
Gentry Middle              fiber        1.9    6.3    1.8         0.01%   3.93%   0
Bus Garage                 VPN          65.1   95.6   62.3        0.36    7.87%   0
Maintenance                VPN          10.7   13.4   10.3        0.01%   3.92%   0
Early College              VPN          3      16.8   2.8         0       0       0
CO-to-MCNC*                fiber        6.5    9.3    6.4         0       0       0


The majority of the locations showed acceptable results. A few locations had very minor packet loss. The root cause is unknown and could be related to the WAN upgrades or CPU processing of the device being polled at the school. The sites connected via T1 or VPN are notably slower than those connected via Metro Ethernet, as expected. The SmokePing application was left running onsite and will be used to re-characterize the WAN after the upgrades are completed. Until then, these numbers simply serve as a baseline to compare against future data.
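The two summary tables are the baseline that the post-upgrade NDT and SmokePing runs will be compared against. The following Python example is added here and is not part of the MCNC report: it encodes a subset of the rows from Tables 3.4.1 and 3.4.2 as records, applies the report's own rules of thumb (a fiber site measuring above 45Mbps is already on the 100Mbps circuit, a site far below its nominal rate is a poor result, any loss or an unusually high round-trip time gets a flag) and gives a simple verdict for the re-characterization. The nominal link rates, the “poor” fraction, the round-trip ceilings and the improvement threshold are assumptions, not values from the report.

```python
"""Added example, not from the MCNC report: the WAN baseline from Tables 3.4.1
and 3.4.2 as records, classified with the report's rules of thumb."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed nominal circuit rates (Mbps) for the link types in section 3.1.
NOMINAL_MBPS = {"fiber": 45.0, "T1": 1.544}
# Assumed round-trip ceilings (ms) above which latency is called abnormal.
RTT_CEILING_MS = {"fiber": 5.0, "T1": 25.0, "VPN": 30.0}


@dataclass
class LinkBaseline:
    site: str
    link: str                    # "fiber", "T1" or "VPN"
    up_mbps: Optional[float]     # NDT upstream; None where the report shows n/a
    down_mbps: Optional[float]
    rtt_avg_ms: float
    rtt_max_ms: float
    loss_avg_pct: float
    loss_max_pct: float


# Rows copied from Tables 3.4.1 and 3.4.2 for a subset of sites.
BASELINE = [
    LinkBaseline("Surry Central", "fiber", 92.67, 91.70, 0.931, 3.7, 0.0, 0.0),
    LinkBaseline("Pilot Middle", "fiber", 8.14, 43.17, 1.9, 7.9, 0.0, 0.0),
    LinkBaseline("Westfield Elementary", "fiber", 2.79, 4.67, 1.9, 6.2, 0.03, 3.93),
    LinkBaseline("Mountain Park Elementary", "T1", 1.45, 1.47, 6.7, 19.3, 0.0, 0.0),
    LinkBaseline("Central Middle", "fiber", 93.97, 85.40, 1.4, 26.6, 0.37, 93.60),
    LinkBaseline("Gentry Middle", "fiber", 29.02, 15.65, 1.9, 6.3, 0.01, 3.93),
    LinkBaseline("Bus Garage", "VPN", None, None, 65.1, 95.6, 0.36, 7.87),
]


def throughput_status(row: LinkBaseline, poor_fraction: float = 0.25) -> str:
    """Mirror the table's colour coding: 'upgraded' (green) when a fiber site
    measures above the old 45 Mbps rate, 'poor' (red) when the slower direction
    is under a quarter of the nominal rate, otherwise 'ok' (pending upgrade)."""
    nominal = NOMINAL_MBPS.get(row.link)
    if nominal is None or row.up_mbps is None or row.down_mbps is None:
        return "not measured"
    slower = min(row.up_mbps, row.down_mbps)
    if row.link == "fiber" and slower > nominal:
        return "upgraded"
    if slower < poor_fraction * nominal:
        return "poor"
    return "ok"


def latency_flags(row: LinkBaseline) -> List[str]:
    """Yellow highlight in Table 3.4.2: any loss observed, or RTT over the ceiling."""
    flags = []
    if row.loss_max_pct > 0:
        flags.append("packet loss")
    if row.rtt_avg_ms > RTT_CEILING_MS[row.link]:
        flags.append("high latency")
    return flags


def baseline_report(rows: List[LinkBaseline] = BASELINE) -> Dict[str, dict]:
    return {r.site: {"throughput": throughput_status(r), "flags": latency_flags(r)}
            for r in rows}


def recharacterization_verdict(before: LinkBaseline, after: LinkBaseline,
                               min_gain: float = 1.5) -> str:
    """After the WAN upgrade, say whether a site's downstream throughput rose by
    at least min_gain times (assumed threshold) relative to its baseline row."""
    if before.down_mbps is None or after.down_mbps is None:
        return "not comparable"
    return "improved" if after.down_mbps / before.down_mbps >= min_gain else "no material change"


if __name__ == "__main__":
    for site, result in baseline_report().items():
        print(f"{site:<26} {result['throughput']:<13} {', '.join(result['flags']) or '-'}")
```

A site on the “packet loss” list should not automatically be blamed on the circuit: as noted above, the loss can come from the CPU of the switch being polled, so confirm against a second target behind the same link before raising it with the carrier.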


The following graph shows that at the Bus Garage there is high latency with extended periods of packet loss or complete loss of connectivity. This location is provided by a managed VPN through STMC.



Figure 3.4.8: Bus Garage SmokePing Data

Figure 3.4.9 shows SmokePing data for Surry Central. Areas of complete loss can be seen for extended periods. The root cause is unknown but could be potentially related to ongoing WAN upgrades.

Figure 3.4.9: Surry Central SmokePing Data

Performance Analysis

SCS link utilization numbers are fairly low and well within thresholds. With the exception of VPN and T1 connections, the majority of the Metro Ethernet links are running smoothly. The WAN will need to be closely monitored after the upgrades are completed. NDT and SmokePing will be used to re-characterize the environment for performance. Utilization metrics will need to be collected when school resumes in the fall.



3.5 Physical Plant

Power

No UPS devices were observed at any school location or within the core in the CO. The new space planned for the core will have ample power with planned UPS.

Cabling

Network cabling at school level is mostly Category 5 cabling. When needed, multimode fiber is utilized to connect wiring closets to each other. The overall craftsmanship at the newly rewired schools is superb. Rack enclosures, cable management and cable plant are all well designed and installed meticulously. The schools that have yet to be rewired are in need of attention in all respects (network infrastructure, cabling, etc).

Figure 3.5.1: Acceptable SCS Cable Management Examples

Figure 3.5.2: SCS Cable Management Examples Needing Attention

Rack Mounting

Most of the network infrastructure was found rack mounted in proper enclosures. There were a few instances of switches lying on top of cabinets in the legacy environments. SCS clearly has a plan for proper enclosures moving forward.

HVAC

The CO location did not have adequate HVAC; however, SCS is planning on moving the core to a new facility that has dedicated HVAC for the computer room. School locations varied in HVAC; however, SCS has plans for individual ventilation units to place above infrastructure as needed. Once again, SCS knows where work needs to be done and has a plan in place.




4 Recommendation Summary

SCS clearly has a plan moving forward to incorporate a new architecture capable of offering broadband services with high availability. Wireless is clearly something that will need to be addressed in the near term to support a future 1:1 computing initiative. The design templates and architecture observed while onsite are quite capable of supporting SCS’ needs. There are a few suggestions included in the following sections that may be of interest moving forward.

4.1 Design & Configuration

Single Point of Failure (SPOF) Analysis

The goal of the SPOF analysis is to identify infrastructure single points of failure for which design changes, improved monitoring/management and/or contingency plans can be reasonably and cost effectively implemented to minimize the impact the failure would have on the entire system. LEA networks typically have multiple SPOFs, most of which are expected and appropriate.

Category: Metro Ethernet
SPOF: STMC is the sole provider of Metro Ethernet services. SCS has no alternative mechanism to aggregate school connectivity if STMC were to experience a failure.
Observation/Recommendation: This is common to almost all LEAs. Utilizing the deployed SolarWinds package for alerting would help SCS limit the downtime associated with a failure. In addition, removing routing requirements from STMC would further reduce any reliance upon a third-party for WAN connectivity.

Category: Internet Connectivity
SPOF: SCS is completely reliant upon MCNC for Internet connectivity in/out of the core.
Observation/Recommendation: This is common for an LEA of this size.

Category: Firewall
SPOF: The SonicWALL and ASA firewalls are central to the entire environment. All internal and external traffic is funneled through these devices.
Observation/Recommendation: There is general risk of device failure or misconfiguration that would result in total failure for SCS. The SPOF could be eliminated with the addition of redundant units. Alternatively, ensuring timely access to a replacement unit would minimize downtime. SCS could reduce risk by making firewall changes outside of school hours.

Category: Campus LANs
SPOF: There are no diverse paths from the aggregation layer to the core/distribution layer. All connectivity is dependent upon the core switch at each campus.
Observation/Recommendation: Risk can be reduced by running multiple links between switches for redundancy (if ports are available). A combination of EtherChannel and STP would take care of path changes.

Category: Power
SPOF: There is a single power feed to each campus.
Observation/Recommendation: This is expected and typical. SCS should deploy UPS to minimize the risk associated with any power loss.
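The SPOF table above is the kind of analysis that can be automated once the topology is captured (for example from the SolarWinds LANsurveyor maps mentioned in section 2). The following Python example is added here and is not part of the MCNC report: it models a simplified version of the star topology from section 3.1 as a graph (the node names and the two sample campuses are a constructed illustration, not an inventory of the SCS network, and the two firewalls are assumed to sit in series), then finds every device whose failure partitions the graph and every link whose failure does. Treating devices and links separately is what distinguishes the “redundant units” recommendation for the firewalls from the “multiple links plus EtherChannel/STP” recommendation for the campus LANs.

```python
"""Added example, not from the MCNC report: single-point-of-failure analysis
of a network graph. Device SPOFs are articulation points and link SPOFs are
bridges (Tarjan's algorithm); parallel edges model bundled links."""
from collections import defaultdict
from typing import List, Set, Tuple

Edge = Tuple[str, str]

# Constructed model of the star topology in section 3.1: CO behind MCNC and
# the two firewalls, STMC Metro Ethernet aggregation, two campuses each with a
# 4506 core feeding a 3750 stack. Not an inventory of the real network.
SCS_MODEL: List[Edge] = [
    ("Internet", "MCNC"),
    ("MCNC", "ASA-5510"),
    ("ASA-5510", "SonicWALL"),
    ("SonicWALL", "ATI-8624"),
    ("ATI-8624", "CO-LAN"),
    ("ATI-8624", "STMC-Metro"),
    ("STMC-Metro", "Dobson-4506"),
    ("Dobson-4506", "Dobson-3750-stack"),
    ("STMC-Metro", "Gentry-4506"),
    ("Gentry-4506", "Gentry-3750-stack"),
]


def single_points_of_failure(edges: List[Edge]) -> Tuple[Set[str], Set[Edge]]:
    """Return (device_spofs, link_spofs). A duplicate (a, b) pair is a second
    physical link between the same two devices, e.g. an EtherChannel member,
    and is tracked by its own edge id so that it can cancel a bridge."""
    adj = defaultdict(list)
    for eid, (a, b) in enumerate(edges):
        adj[a].append((b, eid))
        adj[b].append((a, eid))
    disc, low = {}, {}
    devices, links = set(), set()
    clock = [0]

    def dfs(u, parent_edge):
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        children = 0
        for v, eid in adj[u]:
            if eid == parent_edge:          # skip only the edge we arrived on
                continue
            if v in disc:                   # back edge (or a parallel link)
                low[u] = min(low[u], disc[v])
                continue
            children += 1
            dfs(v, eid)
            low[u] = min(low[u], low[v])
            if low[v] > disc[u]:            # nothing below v reaches above u
                links.add(tuple(sorted((u, v))))
            if parent_edge is not None and low[v] >= disc[u]:
                devices.add(u)
        if parent_edge is None and children > 1:
            devices.add(u)

    for node in list(adj):
        if node not in disc:
            dfs(node, None)
    return devices, links


def with_parallel_link(edges: List[Edge], a: str, b: str) -> List[Edge]:
    """Model adding a second link (to be bundled with EtherChannel) between a and b."""
    return edges + [(a, b)]


if __name__ == "__main__":
    devs, lnks = single_points_of_failure(SCS_MODEL)
    print("device SPOFs:", sorted(devs))
    print("link SPOFs:  ", sorted(lnks))
    devs2, lnks2 = single_points_of_failure(
        with_parallel_link(SCS_MODEL, "Dobson-4506", "Dobson-3750-stack"))
    print("after second Dobson trunk, link SPOFs:", sorted(lnks2))
    print("Dobson-4506 still a device SPOF:", "Dobson-4506" in devs2)
```

In the constructed model every device except the leaves (the Internet, the CO LAN and the 3750 stacks) is a device SPOF, and every link is a link SPOF because the topology is a tree. Adding a second trunk between the Dobson 4506 and its 3750 stack removes that link SPOF, but the 4506 itself remains a device SPOF, which is why redundant links and redundant units appear as separate recommendations in the table.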







Several design/configuration suggestions are noted in the following table:

Priority: High / Location: All
The “old”/legacy network environments at many school locations consist of solely unmanaged switches. This is a rare architecture for districts and not recommended. The environments are completely flat and offer no scalability, management or monitoring functions. SCS clearly has a plan moving forward to upgrade these schools using the design template seen at the “new” environments. As funding allows, each location should be completely replaced ASAP.

Priority: High / Location: CO
The core network infrastructure (ATI 8624, Cisco 2900 and numerous unmanaged switches) is not sized appropriately for an LEA of this size. With the added bandwidth requirements of future 1:1 deployments, the core should be upgraded in the near future. The design template observed for the new LANs would serve as a good starting point. MCNC is available to assist with a new design and deployment as needed.

Priority: Medium / Location: All
WAN routing is performed by STMC. This is uncommon for many districts as many Metro Ethernet providers will simply provide layer-2 connectivity back to the core. SCS is relying upon STMC to provide routing at both “old” and “new” locations. It is unknown what QoS mechanisms are supported by STMC. It is recommended that SCS consider a layer-2 only service from STMC which would provide a VLAN from each school to the core. All routing would take place on SCS-managed infrastructure to remove any configuration/management dependencies on STMC. SCS would also have complete control of private IP assignments. MCNC is available to assist as needed to come up with a Metro Ethernet/VLAN design and routing configurations.

Priority: Medium / Location: All
The new IP/VLAN scheme recommended by NWN is using /24 address space. As SCS moves towards 1:1 computing, these subnets may prove to be too small and cause unnecessary segmentation leading to management overhead. It is suggested that /23 subnets be used to allow for more scalability of the existing design. This will also help roaming of wireless users in the future.

Priority: Medium / Location: All
The new Cisco equipment deployed consists of 4500 chassis populated with 48-port 10/100 cards with Power-Over-Ethernet functionality (WS-X4248-RJ45V blade). These blades are only capable of 10/100 speeds. Cisco 3750 switches are also used to aggregate copper ports using 10/100 ports with Power-Over-Ethernet. It is recommended that SCS consider wired ports supporting GigE speeds. This will allow for future support of wireless Access Points which may require higher speeds. This also allows for increased longevity providing broadband services at the schools.

Priority: Medium / Location: All
The current design template for new deployments may be too expensive for all locations. The 4500 and 3750 combination is not unusual for districts, however this combination may be a bit oversized for every school. The current design has a heavy emphasis on wired connectivity. It is recommended that SCS investigate the trade-off of designing a robust wireless deployment with a more strategic deployment (rather than a blanket deployment) of wired infrastructure. This may allow robust support for 1:1 computing services while providing a “right-sized” wired solution. MCNC is available to assist with design goals, defining requirements and looking at solutions as needed.

Priority: Medium / Location: Flat Rock
Trunks between switches in the new architecture should be over 100Mbps. Flat Rock has a 100Mbps link between the 4506 and a 3750 stack. If no GigE ports are planned, EtherChannel should be considered to increase trunk bandwidth.



Page
19




4.2

Security


The
SCS

network environment
is in fairly good shape with regard to security. Management
access has been restricted as appropriate which is rarely found in districts. The ASA firewall is
configured fairly well. A future implementation of wireless will bring new sec
urity challenges
with 1:1 computing.


Priority

Location

Recommendation

High

CO

The AS400 and potentially other hosts with sensitive data are on the same
trusted zone as users (student, faculty, or even guest wireless). It is
recommended that a DMZ be
utilized to restrict access to only those clients
that need access, and only via protocols as required by the application. It is
not appropriate to treat general user population as “trusted”. This is a common
practice for many LEAs, however it is not recom
mended.

Medium

CO

The ASA rules need to be cleaned up. The majority of the rules deal with the
AS400. The majority of entries are consolidated with the use of object groups.
This is a good idea and allows for logical grouping. Other AS400
-
related rules
ar
e not included in the groups which make it difficult to manage over time as
rules will tend to get lost with the volume usually created over time. It is
recommended that the AS400 rules all be consolidate to (a) object groups or
(b) ordered consecutively s
o that they can be easily identified. There are a
few places where any source is allowed to connect to the AS400 on various
ports which is strongly discouraged. Details can be found in Appendix D.

Medium | All | The SonicWALL is serving as a content filter, which may not provide the detailed reporting or configuration granularity required when moving to 1:1 computing. It is recommended that SCS consider a long-term plan for content filtering which includes future requirements that may come from wireless and additional users.

Low | CO | There are many rules that are not applied or not matched by traffic patterns. It is suggested that SCS clean up rules as appropriate to keep the rule set tidy and improve performance. Details can be found in Appendix D.
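The three CO rows above about the AS400 (the any-source exposure, the object-group consolidation, and the rules that match no traffic) can all be checked mechanically from `show access-list` output, since the ASA prints a hit count per line. The script below is an added example written for this page, not MCNC's or SCS's tooling. The AS400 address, the ACL name and every sample line are constructed placeholders; rules that reach the AS400 only through a network object-group are not resolved, and source-port groups are assumed absent.

```python
"""Audit Cisco ASA `show access-list` text for the issues raised above: any-source
rules reaching the AS400, AS400 rules not consolidated into object groups or not
listed consecutively, and rules that match no traffic. The sample is constructed."""
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional
AS400_HOST = "10.1.1.5"  # assumption: the report gives no address; placeholder only

# Constructed sample in `show access-list` style (not the district's configuration).
SAMPLE_ACL = """\
access-list inside_in line 1 extended permit tcp object-group AS400_CLIENTS host 10.1.1.5 object-group AS400_PORTS (hitcnt=4812) 0x1a2b3c4d
access-list inside_in line 2 extended permit tcp any host 10.1.1.5 eq 23 (hitcnt=37) 0x2b3c4d5e
access-list inside_in line 3 extended permit tcp 10.20.0.0 255.255.255.0 host 10.1.1.5 eq 449 (hitcnt=0) 0x3c4d5e6f
access-list inside_in line 4 extended permit tcp object-group PRINT_SERVERS host 10.40.0.9 eq 9100 (hitcnt=0) 0x4d5e6f70
access-list inside_in line 5 extended permit tcp any host 10.1.1.5 range 1 65535 (hitcnt=3) 0x5e6f7081
access-list inside_in line 6 extended deny ip any any (hitcnt=1203) 0x6f708192
"""
HITCNT_RE = re.compile(r"\(hitcnt=(\d+)\)")

# kind: any | host | object-group | object | interface | subnet; value: name, address or "addr mask"
Endpoint = namedtuple("Endpoint", "kind value")

@dataclass
class Rule:
    line: Optional[int]
    action: str
    proto: str
    src: Endpoint
    dst: Endpoint
    dst_port: str  # "eq 23", "range 1 65535", "object-group X", or "" (all ports)
    hitcnt: Optional[int]

def _endpoint(tok, i):
    t = tok[i]
    if t in ("any", "any4", "any6"):
        return Endpoint("any", ""), i + 1
    if t in ("host", "object-group", "object", "interface"):
        return Endpoint(t, tok[i + 1]), i + 2
    return Endpoint("subnet", f"{t} {tok[i + 1]}"), i + 2  # "addr mask"

def _port(tok, i, allow_group):
    """Optional port operator; service groups only in the destination slot (assumes no source-port groups)."""
    if i >= len(tok):
        return "", i
    t = tok[i]
    if t in ("eq", "lt", "gt", "neq"):
        return f"{t} {tok[i + 1]}", i + 2
    if t == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    if t == "object-group" and allow_group:
        return f"object-group {tok[i + 1]}", i + 2
    return "", i

def parse_rule(line: str) -> Optional[Rule]:
    m = HITCNT_RE.search(line)
    hitcnt = int(m.group(1)) if m else None
    tok = line.split("(hitcnt")[0].split()  # drop hit count and trailing hash
    if len(tok) < 4 or tok[0] != "access-list":
        return None
    i, num = 2, None
    if tok[i] == "line":
        num, i = int(tok[i + 1]), i + 2
    if tok[i] != "extended":
        return None  # remarks, standard ACLs, summary lines
    action, proto, i = tok[i + 1], tok[i + 2], i + 3
    if proto == "object-group":  # protocol/service group in the protocol slot
        proto, i = f"object-group {tok[i]}", i + 1
    src, i = _endpoint(tok, i)
    _, i = _port(tok, i, allow_group=False)  # source port, not needed here
    dst, i = _endpoint(tok, i)
    dst_port, _ = _port(tok, i, allow_group=True)
    return Rule(num, action, proto, src, dst, dst_port, hitcnt)

def parse_acl(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r]

def host_rules(rules, host):
    """Rules whose destination is the host; a host hidden in a network object-group is not resolved."""
    return [r for r in rules if r.dst.kind == "host" and r.dst.value == host]

def any_source_to_host(rules, host):
    """Permit rules exposing the host to any source: the strongly discouraged case."""
    return [r for r in host_rules(rules, host) if r.action == "permit" and r.src.kind == "any"]

def ungrouped_host_rules(rules, host):
    """Host rules whose source or service is not expressed through an object group."""
    return [r for r in host_rules(rules, host)
            if r.src.kind != "object-group" or not r.dst_port.startswith("object-group")]

def host_rules_scattered(rules, host) -> bool:
    """True when the host's rules are not listed consecutively in the ACL."""
    nums = sorted(r.line for r in host_rules(rules, host) if r.line is not None)
    return any(b - a != 1 for a, b in zip(nums, nums[1:]))

def unused_rules(rules):
    """Rules with a zero hit count: clean-up candidates after a monitoring period."""
    return [r for r in rules if r.hitcnt == 0]
```

Run `parse_acl` over the real `show access-list` output and feed the result to the four finding functions; on the constructed sample, lines 2 and 5 are the any-source exposures, lines 2, 3 and 5 sit outside the object groups, lines 3 and 4 have never matched, and the AS400 rules are scattered (line 4 breaks the run). Hit counts only mean something after a representative monitoring period, so clear them (`clear access-list <name> counters`) and wait before treating a zero as unused.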






4.3 OA&M

SCS has a new configuration template that utilizes proper logging, NTP, management and monitoring.

The SolarWinds package shows that there is already an effort to provide the OA&M functions necessary to grow into a 1:1 environment. The maintenance/support component will need some investigation to determine if an affordable avenue is available to meet uptime and replacement timelines.


Priority | Location | Recommendation

High | All | The large number of unmanaged devices prevents monitoring and remote management at many schools. SCS is aware of this issue and clearly has a plan in place with the new design template.

Low | All | SCS indicated that there are no onsite spares in the event of a hardware failure. In addition, Cisco maintenance may only be purchased for core infrastructure. It is recommended that SCS investigate the risks of device failures and purchase spares/maintenance agreements as necessary to meet uptime requirements.

Low | All | SolarWinds, which is a fine product, is being used for OA&M. It appears that the platform may need an upgrade. It is recommended that SCS investigate upgrade options and ensure that the applications are configured properly to leverage full functionality. For example, configuration backups should be performed on all managed switches, and logs should be rotated daily on the syslog server. MCNC can assist in this area as necessary.






4.4 Performance & Capacity

Overall performance and capacity will need to be revisited after the Metro Ethernet upgrade is completed. Below is a list of specific items observed while onsite.


Priority | Location | Recommendation

Medium | Several | The following ports are experiencing interface CRC/alignment errors or excessive broadcasts. These errors indicate a potential wiring or interface problem. It is recommended that SCS reset the counters for these ports and monitor them for some period of time. If they continue to increment, it is suggested that additional steps be taken to resolve the problem (i.e. auto-negotiation configuration, cable inspection/replacement, etc.). Note that not all locations had manageable devices from which to obtain error statistics.

  Flat Rock 4506: FastEthernet 2/1, WAN uplink (negotiated to 10/half); FastEthernet 2/32
  Franklin 4506: FastEthernet 3/3, server connection
  CO Catalyst 2900: FastEthernet 1 (uplink was previously to Packeteer)
  CO ATI 8624: Ports 1 and 2 (interface discards)
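The reset-and-monitor procedure in the row above (clear the counters, wait, then see what still increments) is easy to automate against two `show interfaces` captures, and the same pass can flag the 10/half negotiation noted on the Flat Rock uplink, which is the usual cause of CRC and late-collision counts. The script below is an added example written for this page, not part of the report or SCS's tooling; the two snapshots, the port numbers in them and the 10% broadcast threshold are constructed assumptions.

```python
"""Compare two IOS `show interfaces` snapshots, the first taken right after
`clear counters`, and flag ports whose CRC/alignment errors, late collisions or
broadcast share keep climbing, plus ports negotiated to half duplex or 10 Mb/s.
Both snapshots below are constructed, not captured from the district's switches."""
import re

IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")
DUPLEX_RE = re.compile(r"^\s*(Full|Half)-duplex, (\d+)Mb/s")
COUNTERS = {  # counter name -> regex capturing its value on a `show interfaces` line
    "packets_input": re.compile(r"(\d+) packets input"),
    "broadcasts": re.compile(r"Received (\d+) broadcasts"),
    "crc": re.compile(r"(\d+) CRC,"),
    "frame": re.compile(r"(\d+) frame,"),
    "late_collision": re.compile(r"(\d+) late collision"),
}

def parse_show_interfaces(text):
    """Return {interface: {"duplex", "speed", <counters>}} from `show interfaces` output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces[m.group(1)] = {"duplex": None, "speed": None, **{k: 0 for k in COUNTERS}}
            continue
        if cur is None:
            continue
        m = DUPLEX_RE.match(line)
        if m:
            cur["duplex"], cur["speed"] = m.group(1).lower(), int(m.group(2))
        for key, rx in COUNTERS.items():
            m = rx.search(line)
            if m:
                cur[key] = int(m.group(1))
    return ifaces

def counter_deltas(before, after):
    """Counter increase per interface between the two snapshots (interfaces present in both)."""
    return {name: {k: after[name][k] - before[name][k] for k in COUNTERS}
            for name in after if name in before}

def assess(before, after, broadcast_ratio=0.10):
    """Return (interface, reason) findings. broadcast_ratio (share of input packets that
    are broadcasts) is an assumed threshold, not one taken from the report."""
    findings = []
    for name, d in counter_deltas(before, after).items():
        cfg = after[name]
        if cfg["duplex"] == "half" or (cfg["speed"] or 100) < 100:
            findings.append((name, f"negotiated to {cfg['speed']}/{cfg['duplex']}: check auto-negotiation on both ends"))
        if d["crc"] or d["frame"]:
            findings.append((name, f"+{d['crc']} CRC, +{d['frame']} alignment errors since clear: inspect or replace cabling"))
        if d["late_collision"]:
            findings.append((name, f"+{d['late_collision']} late collisions: classic duplex-mismatch symptom"))
        if d["packets_input"] and d["broadcasts"] / d["packets_input"] > broadcast_ratio:
            findings.append((name, f"broadcasts are {d['broadcasts'] / d['packets_input']:.0%} of input: look for a loop or chatty host"))
    return findings

def _constructed_show_interfaces(rows):
    """Render constructed `show interfaces` text from (name, duplex, speed, packets, broadcasts, crc, frame, late) rows."""
    out = []
    for name, duplex, speed, pkts, bcast, crc, frame, late in rows:
        out += [f"{name} is up, line protocol is up (connected)",
                f"  {duplex}-duplex, {speed}Mb/s, link type is auto, media type is 10/100BaseTX",
                f"     {pkts} packets input, {pkts * 600} bytes, 0 no buffer",
                f"     Received {bcast} broadcasts (0 multicasts)",
                f"     {crc + frame} input errors, {crc} CRC, {frame} frame, 0 overrun, 0 ignored",
                f"     0 babbles, {late} late collision, 0 deferred"]
    return "\n".join(out)

# Baseline snapshot taken shortly after `clear counters`.
BEFORE = _constructed_show_interfaces([
    ("FastEthernet2/1", "Half", 10, 1000, 50, 120, 3, 8),
    ("FastEthernet2/32", "Full", 100, 5000, 400, 7, 0, 0),
    ("FastEthernet3/3", "Full", 100, 9000, 200, 15, 2, 0),
])
# Same ports after the monitoring period.
AFTER = _constructed_show_interfaces([
    ("FastEthernet2/1", "Half", 10, 4000, 200, 610, 20, 41),   # errors keep climbing on the 10/half uplink
    ("FastEthernet2/32", "Full", 100, 9000, 1800, 7, 0, 0),    # no new errors, but 35% broadcasts
    ("FastEthernet3/3", "Full", 100, 30000, 900, 15, 2, 0),    # old errors only: nothing to chase
])

if __name__ == "__main__":
    for iface, reason in assess(parse_show_interfaces(BEFORE), parse_show_interfaces(AFTER)):
        print(f"{iface}: {reason}")
```

Working from deltas rather than absolute values is the point: FastEthernet3/3 carries historical CRC counts but none accrued during the window, so it drops out, while the 10/half uplink accrues CRC, alignment and late-collision errors together, which points at a duplex mismatch before anyone pulls a cable.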

Medium | Bus Garage, Early College, Maintenance | Overall VPN performance is slow and has sustained periods of packet loss. It is recommended that SCS work with STMC to resolve the performance issues.

Medium | Flat Rock, Mountain Park | These sites are on T1 links which may or may not meet the bandwidth needs of the school. It is recommended that SCS evaluate the future needs of both locations to determine if an upgrade is necessary.



4.5 Physical Plant

Priority | Location | Recommendation

High | CO MDF | The current core MDF is in need of a completely new facility. SCS is already constructing a new facility with proper HVAC, power, security and space. The planned area is well designed and will serve SCS well moving forward.

High | All | UPS needs to be installed at the core and school MDF locations. If budget allows, IDFs should also be fitted with UPS systems to serve network infrastructure. SCS is aware of this issue and will install UPS units as budget permits.

Medium | Several | Several MDF areas were noted to be warm. SCS is already planning ventilation modifications to these areas as needed.

Medium | Several | The ‘old’ LAN environments are in desperate need of new cable plant, cable management, network infrastructure and HVAC. SCS is already planning infrastructure deployments as budget permits. The new LAN environments show that they are definitely on the right track.