Option report - Mozambique ICT

Network Architecture
Mozambique Maputo One UN Inter Agency Metropolitan Area
Network Design
Page 1
Version 1
03/03/2016
William Gonzalez
Table of Contents
Introduction
Solution Overview
Topology Components of the MAN:
MAN Architecture:
Agency Topologies and Common Services Network
Project Phases
    Phase 1: Create Backbone Network
    Phase 2: Wimax Mesh Network
    Phase 3: Access Network
Telephony Architecture:
Introduction
A Joint UN HQ and local Mozambique working group was established to deliver the first
conceptual design that will extend Common networking services throughout the
geographical area of Maputo. The geographical positions of the Agencies in Maputo have
made it an exceptional task to ensure that all the requirements are achieved.
The Metropolitan Area Network is designed to address the requirements of all
Agencies, such as Common services network, Mobility, VSAT reduction and cost savings.
This network design will allow for seamless movement of users within the network while
guaranteeing bandwidth per Agency.
Solution Overview
This high-level design illustrates how the topology should be implemented, covering all UN
Agency sites required and allowing a scalable infrastructure for quick additions, moves or
changes. The use of a ring topology to connect the Inter Agency VSAT provider and resilient
Common Internet service to the various agencies was inevitable due to the positions of the
proposed VSAT outstations to be used.
[Figure 1: proposed MAN topology diagram. Labels: Backbone; WiMax Area; Common ICT Services; UNDP, UNICEF, WFP, WHO, UNV, UNAIDS, UNDSS, FAO, UNFPA, RC]
The topology depicted in Figure 1 shows the proposed backbone network using backhaul links
that can be extended to a larger area by Wimax technology (extending “last mile”). These
features enable the introduction of multiple paths for all sites increasing the redundancy
characteristics of the network.
Topology Components of the MAN:

• Backhaul Links: these are the main links that will establish the Backbone of the
MAN network. These links will be point to point, using Best Line of Sight (LOS), and
connect all the Agencies that will be hosting private VSAT network Services and
Internet Services. This design introduces a resilient, scalable design that will allow
easy moves, additions etc. Most importantly it will provide accessibility to the
Common ICT Network that will host all the Common Apps in Maputo.

• WiMAX Areas: this technology will increase the network coverage inside the main
backbone ring and will serve to connect smaller Agencies to the MAN. The Mesh
technology provides accessibility through various paths that optimise and increase
resilience of the network. Smaller Agencies have the benefit of joining the MAN in
any geographical position in Maputo inside the backbone ring.

• Access Network: this is where the clients connect to the MAN. Clients will be able
to connect through the original LAN cable infrastructure or the new wireless access.
Each client will only be able to connect to its own agency domain and to the Common
Services Network.
MAN Architecture:
The architecture described below addresses the requirement to extend the following networks to
the physical Agency location and addresses all the security requirements for Mobility within the
metropolitan area Network.
• Private VSAT Network
o Each agency will require a Network that must be provided by the IA VSAT
provider and is reserved for that Agency.
o This network is required to be propagated to the Physical Location of each
Agency.
o This Network needs to be supported on each backbone link, so that redundancy
is achieved for each agency.

• Internet VSAT Network
o The Common Internet VSAT link will provide ISP services to all agencies.
Upgrading of the iDirect hardware to the 5000 series will allow the provision of
guaranteed internet bandwidth per agency whilst also allowing any user to benefit
from any unused bandwidth.
o In order to deliver this guaranteed bandwidth per Agency to the agency physical
location, another Network per Agency is required on the MAN.
o This Network can be provisioned locally by the Lead Agency as it will be a local
stubby network for Internet use.

• Common Applications Network
o This is the Common Services network, which will host Common applications and
Country Information. This network will be available to all Agencies and be part of
their Firewall DMZ. This network also has to be propagated through the
backbone and Wimax area. Only one Network is required.

• ONE UN Guest network
o Mobility within the Metropolitan network can be achieved by accessing this
network. Each client will be able to authenticate with a RADIUS server hosted on
the Common Applications network, which will cross-certify with each Agency's
Active Directory. Once this is achieved the user has full access to their own
Agency's network.
o This Guest network will be reachable in the whole Metropolitan network and only
one VLAN and one Guest SSID is required.
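The isolation rule stated above (each client reaches only its own agency domain and the Common Services Network) can be checked mechanically against a proposed set of inter-VLAN permit rules. The following is an added example, not part of the original design document; the VLAN names, the (source, destination) rule format and the sample rules are assumptions constructed for illustration, and a static Guest-to-agency permit is reported on the assumption that such access should only follow RADIUS authentication.

```python
# Added example: audit inter-VLAN permit rules against the MAN isolation rule.
# VLAN names, rule format and sample data are constructed, not from the design.

def build_vlan_plan(agencies):
    """Two networks per agency (private VSAT, Internet) plus one shared
    Common Applications VLAN and one shared Guest VLAN, as the design lists."""
    plan = {"common": (None, "common"), "guest": (None, "guest")}
    for agency in agencies:
        plan[f"{agency}-private"] = (agency, "private")
        plan[f"{agency}-internet"] = (agency, "internet")
    return plan

def audit_rules(plan, rules):
    """Return (src, dst, reason) for every permit rule that breaks isolation."""
    findings = []
    for src, dst in rules:
        if src not in plan or dst not in plan:
            findings.append((src, dst, "unknown VLAN"))
            continue
        src_owner, _ = plan[src]
        dst_owner, dst_kind = plan[dst]
        if dst_kind == "common":
            continue  # Common Applications network is available to all agencies
        if src_owner is not None and src_owner == dst_owner:
            continue  # traffic stays inside one agency's own domain
        if src_owner is None:
            reason = "shared VLAN statically permitted into another VLAN"
        elif dst_owner is None:
            reason = "agency VLAN permitted into the Guest VLAN"
        else:
            reason = f"cross-agency path {src_owner} -> {dst_owner}"
        findings.append((src, dst, reason))
    return findings

AGENCIES = ["UNDP", "UNICEF", "WFP"]           # constructed subset of agencies
SAMPLE_RULES = [                               # constructed permit rules
    ("UNDP-private", "common"),
    ("UNDP-private", "UNDP-internet"),
    ("guest", "common"),
    ("UNICEF-private", "WFP-private"),         # should be flagged
    ("guest", "UNDP-private"),                 # should be flagged
    ("WHO-private", "common"),                 # WHO is not in this plan
]

if __name__ == "__main__":
    for finding in audit_rules(build_vlan_plan(AGENCIES), SAMPLE_RULES):
        print(finding)
```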
Agency Topologies and Common Services Network
[Figure: One-UN net – Corporate, Internet, Common and Guest Vlans. Labels: Common Apps; CDP IAS (RADIUS); Authentication Net; Optional Agency DMZ; Agency 1; Agency 2; Agency 3 (hosting Corporate VSAT); Hosting Internet Vsat; Data Vlan; Guest; Internal; Internet; Wireless; Metropolitan Wireless LAN (Private WiMAX); Wireless/WiMAX; VoIP RTR; PBX; IPSec Client; EMC; UN Agencies]
Project Phases
The project can start immediately as long as it is done in phases. Each phase should be
tested and added to the existing network. As a transitional provision, existing
infrastructure that is not required in the future must only be decommissioned after the
One UN Network is complete.
Phase 1: Create Backbone Network
[Figure: Phase 1 back-haul connection and Common Services connectivity. Note on figure: all links in blue are existing links that can remain till phase two (wireless mesh network). Labels: IA VSAT 1; IA VSAT 2; iDirect ISP; ISP; Wireless back haul; Backbone; Common ICT Services; UNDP, UNICEF, WFP, WHO, UNV, UNAIDS, UNDSS, UNESCO, FAO, UNFPA, RC]
Phase 1: This phase will comprise creating the backbone network alongside the existing ISP
connectivity. The backbone will consist of 6 Point to Point links whose position is dictated by the
topography of the Maputo area. As described in the Satellite access section, the Common Service
Network will be reachable via two separate links for all sites that can attach to the backbone
network, thus providing redundancy.
Part of Phase 1 will also be to install an ISP link at the Common Services site. This will be the
transitional provision to provide access to the common services for sites that cannot be
connected during Phase 1, but have existing ISP links.
Phase 2: Wimax Mesh Network
[Figure: Phase 2 Wimax mesh network. Labels: Wimax Area; Cisco Aironet 350 Series Wireless Access Point (six shown); Common ICT; UNDP, UNICEF, WHO, WFP, UNV, UNAIDS, RC Office, UNESCO, UNDSS, FAO, UNFPA]
Phase 2: The second phase is to establish the Wimax Mesh network that extends Access to the
backbone to the area of Maputo inside the main ring. The Mesh technology extends the
Backbone network to the smaller Agencies and provides the resilience and scalability required.
This solution compensates for any failure experienced on the Backbone.
Phase 3: Access Network
[Figure: Phase 3 access network. Labels: Backbone; Mesh; Access; Cisco Aironet 1200 Wireless Access Point]
Phase 3: This phase completes the Client access to the MAN network. Existing Wired client
devices will seamlessly be integrated and Wireless Client access will be provided in all WiFi
areas. The One UN Access Vlan will be propagated to all Wireless Access points and also be
available on request on the wired network.
4. Telecommuting & general Remote access
A remote user on the public Internet may have access to his/her Agency’s network through
VPN tunnels established using IPSec. The tunnel can be established either to the firewall
where the ISP terminates or to the firewall of the user’s agency network. In the former
case, the tunnels have to be configured by the “ISP agency” and will not need any
additional public IP addresses. In the latter case, each agency will have full control of
the configuration of tunnels for its users, but will require a small number of public IP
addresses (about the number of agencies, or double if High Availability is needed) from
the ISP (not from EMC).
Telephony Architecture:
The IA Vsat solution already provides Voice On/Net and Off/Net services to Agencies;
these services can be extended to Inter Agency voice communication. The Service
provider will be engaged to provide Inter Agency calling abilities by modifying their
Voice call processing system.
Agencies that do not have services to the PVT Vsat network can get voice services
through the Globecom iDirect Vsat solution, for Off/Net dialling only.
There are initiatives to link the PVT Vsat Voice system to the iDirect provider; if this
is achieved then end to end dialling from any agency to any other Agency will be
accomplished.
[Figure: telephony call flow. Labels: UNDP *n Remote sites; Customer PABX; 2950 switches, trunked together, one VLAN per Agency; Call setup traffic flow; Voice RTP stream; Satellite modems; UNDP, WHO, UNICEF, OCHA and UNDPKO *n Demods; WFP site; Cisco GateKeeper (serves on-net calls, signals to the IP-IP gateway for off-net calls); EVPN; EVPN CE; Cisco IP-IP Gateway for off-net calls; EMC German Teleport/Hosting Centre]
Call flow steps shown in the figure:
1. Customer A PABX requests an off-net call, and contacts the Cisco GateKeeper.
2. Cisco GateKeeper serves on-net calls. For off-net calls *only* it signals the IP-IP gateway.
3. Call processing completes the second leg and sends the call signalling to the appropriate Agency and office.
4. Customer B picks up the call and a Voice RTP stream is established between A & B.