FY ’08 NETWORK PLANNING TASK FORCE
10.1.07
First Strategy Discussion

NPTF Meetings – FY ’08
■ 1:30-3:00pm in 337A Conference Room, 3rd floor of 3401 Walnut Street
■ Process
  ■ Intake and Current Status Review – July 16
  ■ Agenda Setting & Discussion – September 17
  ■ Strategy Discussions – October 1
  ■ Security Strategy Discussions – October 15
  ■ Strategy Discussions – October 29
  ■ Prioritization – November 5
  ■ FY ’09 Rate Setting – November 19

Proposed NPTF Meetings – FY ’09
■ February 18 – Operational review
■ April 21 – Planning discussions
■ June 2 – Security strategy session
■ July 21 – Strategy discussions
■ August 4 – Strategy discussions
■ September 15 – Preliminary rates/security
■ October 6 – Strategy discussion
■ November 3 – FY ’10 Rate setting

Today’s Agenda
■ Strategy Discussions
  ■ Next Generation PennNet
  ■ UPS for network electronics
  ■ Integrated Communications
  ■ Intrusion Detection

Next Generation PennNet – Gig Connectivity & Building Redundancy
■ Goals
  ■ Gig-enabled closet electronics
  ■ Gig to every building
  ■ Redundant Gig connectivity
■ Current Status
  ■ Approximately 60% of switches are 10/100/1000 enabled
  ■ By the end of FY ’08, most switches will be 10/100/1000 Mbps
  ■ 62 buildings have Gig Ethernet

Strategic Approach: NGP
■ Diversify the PennNet Routing Core
  ■ Move out of College Hall (largest single point of failure)
  ■ Construct 5 Network Aggregation Points (NAPs)
  ■ Redundant high-speed connectivity between NAP locations
  ■ Highly available core network infrastructure
■ Relocate campus building uplinks to the local NAP
  ■ Provide high-speed uplinks to buildings (where the infrastructure can support this now; single-mode fiber/conduit build-outs are sometimes necessary)
  ■ Provide redundant uplinks to campus buildings
■ Five connectivity models
  ■ Based on building criticality (University business)
  ■ Number of user connections
  ■ Infrastructure availability

Diversify PennNet Routing Core
■ Five NAP locations completed and in operation
■ NAP locations have redundant and diverse 10 Gig feeds.
■ NAPs connect local buildings that have fiber and pathway.
■ 62 buildings have gigabit Ethernet service
■ The College Hall node room will house a core router for the next two years (until all NAP-to-building feeds are in place)
■ Will reduce catastrophic disaster recovery time from 2 weeks to under 2 hours.
■ Will provide the infrastructure foundation for next generation data, voice and video services.
■ Eastern NAP feasibility study pending construction timeline.

Next Generation PennNet – Current Status/Plan
[Diagram: NAP1 Eastern Tier – Vagelos; NAP2 Central Tier – Huntsman; NAP3 Southern Tier – Mod5; NAP4 Northern Tier – Sansom East, WAL (G); NAP5 Western Tier – Levy; NAP-CH – College Hall node room]

Building Connectivity Models 1 & 2
[Diagram] Dual feeds to separate NAPs, each with either diverse or overlapping pathways.

Building Connectivity Model 3
[Diagram] Each building has one uplink to a separate NAP and one link to each other.

Building Connectivity Model 4
[Diagram] Building has one uplink to each Building Entrance Router in the local area.

Building Connectivity Model 5
[Diagram] Building has one uplink to a Building Entrance Router.

Building Connectivity Model 5a
[Diagram] Building has one uplink to a Building Entrance Router with dual feeds.

Gig Connected Buildings (Single Feed)
Building Code | Description | Building Classification (Model) | Primary NAP (Uplink) | Secondary NAP (Uplink) | Comments
ACH | Anatomy Chemistry | 2 | ModV – Gig | None | Optimal 2nd link to Levy
BNH | Bennett Hall | 2 | Vag – Gig | None | Optimal 2nd link to ModV
CHV | 3937 Chestnut St. | 2 | LEV – Gig | None | Remote campus location.
CPN | Colonial Penn | 3 | HNT – Gig | None |
CST | 3820 Locust Walk | 3 | HNT – Gig | None |
CUT | Nursing LIFE | 2 | LEV – Gig | None |
DUB | Dubois | 2 | HNT – Gig | None |
FTY | 108 S. 40th Street | 3 | LEV – Gig | None |
GEB | Graduate Education | 2 | HNT – Gig | None | Optimal 2nd link to NIC
HIL | Hill House | 2 | Vag – Gig | None | Optimal 2nd link to Levy
HOU | Houston Hall | 3 | CHNR – Gig | None | Optimal 2nd link to Vagelos
ICA | Institute of Cont. Art | 4 | GRT – Gig | None | Primary link goes through SPE router
IST | Vagelos | 2 | Vag – Gig | None | Optimal link to HNT
JAF | Jaffee | 3 | Vag – Gig | None |
LOG | Logan Hall | 2 | Vag – Gig | None |
LFR | Lauder Fischer | 3 | SDH Router – Gig | None |
LUK/LUS | 3706 Locust Walk | 4 | HNT – Gig | None |
MCA | McNeil Center for Early American (3355 N 34th St) | 3 | Vag – Gig | None |
MCP/MPY | Mod 7 Facility/Murphy | 4 | ModV – Gig | None |
MEY | Meyerson Hall | 2 | Vag – Gig | None | Optimal 2nd link to HNT
MSC | Music Building | 4 | Vag – Gig | None | Optimal 2nd link to Mey
NEB | Nursing | 2 | ModV – Gig | None | Optimal 2nd link to LEV
OVH | Old Vet Hosp | 4 | Vet Hospital Router – Gig | None | BE device, not a routing device
PSY | Psychology Labs | 2 | HNT – Gig | None |
Quad | Quad Complex | 3 | HNT – Gig | None | Optimal 1st link ModV, 2nd link to Levy
ROS | Rosenthal | 4 | Vet Hospital Router – Gig | None | BE device, not a routing device
WTM | Weightman Hall | 4 | Vag – Gig | None | Optimal 2nd link to ModV
(Comment cells displaced in the source and not attributable to a row: "Remote Campus Location."; "Optimal 2nd link to Levy"; "Link to HNT"; "Optimal link to HNT or Vance Router"; "Optimal 2nd link to HIL")

Gig Connected Buildings (Dual Feed)
Building Code | Description | Building Classification (Model) | Primary NAP (Uplink) | Secondary NAP (Uplink) | Comments
ANB/ACC | Annenberg Center & School | 2 | | |
BLK | Blockley Hall | 2 | ModV – Gig | CHNR 100 Mbps | Optimal 2nd link to Levy
BRB | Bio-Medical Research Building #1 | 2 | ModV – Gig | HNT – Gig | Optimal 2nd link to Levy
BRC | Bio-Medical Research Building #2 | 2 | ModV – Gig | HNT – Gig | Optimal 2nd link to Levy
CHM | Chemistry Labs | 2 | Vag – Gig | ModV – Gig |
COL | College Hall | 1 | Vag – Gig | ModV – Gig | Optimal 2nd link to HNT
CRB | Clinical Research Building | 2 | ModV – Gig | HNT – Gig | Optimal 2nd link to Levy
ENG/KIN | English House/King’s Court | 2 | NIC – Gig | HNT – Gig |
FKB/FBA | Franklin Building/Annex | 1 | NIC – Gig | Vag – Gig |
GYM | Gimbel Gym | 2 | NIC – Gig | HNT – Gig |
HNT | Huntsman Hall | 3 | HNT – Gig | Vance – Gig |
HNW | Harnwell House | 2 | LEV – Gig | ModV – Gig |
HRN | High Rise North (Rodin) | 2 | LEV – Gig | ModV – Gig |
HRS | High Rise South (Harrison) | 2 | LEV – Gig | ModV – Gig |
JSN | Johnson Pavilion (Med School) | 2 | ModV – Gig | HNT – Gig |
LDY | Leidy Labs | 2 | ModV – Gig | HNT – Gig |
MKT | 3440 Market St | 3 | NIC – Gig | Vag – Gig |
NEB | Nursing Education Building | 2 | ModV – Gig | HNT – Gig |
SCC | Steinberg Conference Center | 3 | Huntsman Router – Gig | Vance – Gig | Both uplinks go through Wharton routers
SDH | Steinberg Hall-Dietrich Hall | 3 | Huntsman Router – Gig | Vance – Gig | Both uplinks go through Wharton routers
SEAS/GRW | Graduate Research Wing (Moore School) | 2 | Vag – Gig | NIC – Gig |
SPE | Sansom Place East (Nichols) | 2 | NIC – Gig | HNT – Gig |
SPW | Sansom Place West (Grad Tower) | 2 | NIC – Gig | HNT – Gig |
VAN | Vance Hall | 3 | ModV – Gig | Huntsman Rtr – Gig |
VHP | Vet Hospital | 3 | VRB Router – Gig | LEV – Gig |
VPL | Van Pelt Library | 1 | Vag – Gig | Huntsman Rtr – Gig |
VRB | Veterinary Medicine Teaching & Research Building | 3 | ModV – Gig | Vet Hospital Rtr – Gig | modv2.router Gi 3/13, vhp1.router Gi 3/2
WAL | 3401 Walnut St. | 1 | NIC – Gig | Vag – Gig | Diverse feeds/pathway
WAL/SEO | 3401 Walnut St. | 1 | NIC – Gig | Vag – Gig | Diverse feeds/pathway
WMS | Williams Hall | 2 | Vag – Gig | HNT – Gig | Optimal 2nd link to HNT
(Comment cells displaced in the source and not attributable to a row: "2nd link goes thru Vance router"; "Optimal 2nd link to Levy" (twice))

Dual Connected Buildings (100/Gig or 100)
Building Code | Description | Building Classification (Model) | Primary NAP (Uplink) | Secondary NAP (Uplink) | Comments
CHP | Public Safety 4040 | 1 | HNT 100 Mbps | CHNR 100 Mbps | Both links at 100 Mb
FUR | Furness Building | 2 | Vag – Gig | CHNR 100 Mbps | Optimal 2nd link to HNT
GEO | Left Bank | 1 | Vag 100 Mbps | CHNR 100 Mbps | Both links at 100 Mb
HOL | Hollenback | 3 | LEV – Gig | Vag 100 Mbps |
MCN | McNeil Building | 2 | HNT – Gig | CHNR 100 Mbps | Optimal 2nd link to Vagelos
MKC | Market 3624 | 2 | NIC – Gig | CHNR 100 Mbps | Optimal 2nd link to Vagelos
RCB | Richards | 2 | ModV – Gig | CHNR 100 Mbps | Optimal 2nd link to Lev

Upgrade Schedule
http://www.upenn.edu/computing/pennnet/maintschedule.html

Redundancy (UPS)
■ As we move towards data, voice and video IP-based systems and services that all rely on electrical power, how much protection should we provide, and how much can we afford?
■ We have backup generators and UPS in the 5 NAPs, so theoretically they should not go down.
■ Building power from Peco/Facilities is not 99.999%.
■ While we do not have solid historical data, we began recording power outages in March 2007.
■ Since March 21, 2007 the campus has had 52 hours of outage due to power loss in 36 buildings (not including a 64-hour outage at Nursing LIFE).
■ Generally, outages are either very short (a blip) or 1+ hours.

Redundancy (UPS)
■ It costs about $2700 per location to install UPS (assuming the UPS has 25 minutes of battery time and no other wiring closet work needs to be done).
■ Cost of $1100.00 per 15 minutes of additional battery time
■ Rough ongoing costs would be approximately $900/yr per location.
■ N&T manages over 600 wiring closets on campus
■ Annual cost would be about $540K

Redundancy (UPS)
■ Alternatively, we could just do UPS on the building routers.
■ There are only 100 of these locations.
■ Without UPS, a short electrical blink causes them to reboot, forcing a 5-10 minute outage.
■ For that duration there would be no services that require the network, including phones.
■ Annual cost $90K
■ Are you interested in this? Is it worth spending this much to protect against 25 minutes of outage?

Integrated Communications (IC)
■ IC involves integrating several communications applications toward improved productivity for staff, faculty and students:
  ■ PennNet Phone and Voicemail
  ■ Instant messaging
  ■ Desktop video
■ Linking these applications together, and to University information (online directory, calendars, etc.), puts more control in the hands of our user community
■ It also allows user communication preferences to be taken into account.

PennNet Phone
■ Goals
  ■ To convert 25,000 analog voice customers to Integrated Communications (VoIP, Voicemail, etc.) over the converged IP network, with added functionality and lower costs, in 5 years or less.
■ Status
  ■ We currently have about 1400 PennNet Phone users.
  ■ Redundant servers and gateways
  ■ Full service monitoring 24x7
  ■ New feature releases about twice a year
  ■ New phone equipment being rolled out by early 2008.

PennNet Phone
■ Issues
  ■ We have had some long-term problems with the PRIs from Verizon and the Cisco gateways that have caused known problems with transferring some calls, some caller ID, etc.
■ Next steps
  ■ We believe we have the PRI problems resolved.
  ■ We tested the new gateway code yesterday.
  ■ The new code release comes out in late October.
  ■ If all goes well, we could have improved call transfers in production in November.

Instant Messaging
■ Goals
  ■ Users at Penn report that they are using Instant Messaging (AIM, Yahoo Messenger, Skype and Google Talk) today for business purposes.
  ■ Our goal was to provide them with an alternative that
    ■ Provides improved privacy and security
    ■ Is able to make use of Penn identity information
    ■ Can be integrated with other Penn communications elements

Instant Messaging
■ Status
  ■ The same open standard, open source technology used by Google Talk, "Jabber" (based on the XMPP protocol family), is being deployed and used in pilot mode at Penn today
  ■ It provides a controlled data path (traffic need not leave campus when two on-campus users chat)
  ■ It provides identity assurance (uses Penn’s authentication system and Penn’s naming scheme)
  ■ It has so far proven to be low cost to operate and highly reliable.
■ Next steps
  ■ Pilot to a larger audience over the next 3-4 months
  ■ Full rollout at no cost to current PennNet Phone and email customers by end of FY ’08.

Voice mail
■ Goals
  ■ Roll out version 1.0 of the new voicemail in early 2008 (possibly late January).
■ Key reasons for change
  ■ Today’s Octel voicemail system is old and expensive to support (vendor EOL/EOS)
  ■ It does not have good disaster recovery capabilities
    ■ In a failure, we could be out for at least 12 hours
    ■ Message recovery would be incomplete.
  ■ The new system can recover rapidly with very complete data
  ■ The new system is designed for the new PennNet Phone service to be used throughout Penn in the next few years
  ■ A migration by all users to the new voicemail system now brings us back to "one voicemail community"

Voice mail Differences
■ There will be differences in features and functionality
  ■ In some cases, the new voicemail system will be less feature-rich
  ■ But it will allow PennNet Phone users some very advanced online access to messages and features
    ■ Web access to settings
    ■ Both telephone and email access to messages

Voice mail Timing
■ New voicemail is in production use now for 1400 PennNet Phone users
■ New voicemail is in pilot now for 100 campus users of traditional phones
■ For most traditional phone users, rollout is being targeted for early 2008 (possibly late January)
■ For advanced voicemail applications, migration will take place in late spring or early summer CY2008
  ■ e.g., Menus, Transfer Mailboxes, Listen-only mailboxes

Desktop Video
■ Goals
  ■ Easy, low-cost desktop video conferencing for when audio or IM is insufficient
■ Status
  ■ No work is being done towards a Penn service, but desktop client tools are maturing.
■ Issues
  ■ Maturity, complexity, cost
■ Next steps
  ■ Wait a little longer

Intrusion Detection (Perimeter & PennNet Core)
■ We deployed Arbor Networks Peakflow in 2005
  ■ A network management tool that provides some ID functionality for the PennNet perimeter and core.
  ■ We use it for a wide range of analysis, including attack signatures, but also traffic characterization and ISP peering analysis.
  ■ We are able to share info across institutions so that we can recognize an attack before it reaches Penn.
  ■ Upgrades are mostly software, which is covered by our current contract.
Intrusion Detection (Local level/subnet)
■ Host-based intrusion detection is available today for every major operating system
■ ISC is committed to having a strategy for local intrusion detection systems, as well as recommendations and product offerings, before network-based IDS becomes required in any security policy.
  ■ It is likely that this would be in FY ’09.
■ We are currently looking at a few products
  ■ TippingPoint (meeting with them tomorrow)
  ■ Arbor Peakflow X
  ■ Snort – widely deployed open source IDS
  ■ Bro – open source IDS developed at LBNL by Dr. Vern Paxson, a noted TCP/IP researcher.
■ A local IDS could be deployed alongside, and access "mirrored" traffic from, a building entrance device.
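The building connectivity tables earlier in this deck list each building's model and its primary and secondary uplink. As an added example that is not part of the deck, the following Python script takes a subset of those rows (NAP names normalized, since the slides mix "Modv"/"ModV" and "Vag"/"Vagelos") and computes each NAP's failure domain: which buildings go dark if that NAP is lost, which only lose redundancy, and which Model 1/2 buildings are still single-fed, i.e. the gap the "Optimal 2nd link" comments describe.

```python
# Added example, not from the NPTF deck: failure-domain analysis over the
# building uplink tables. Rows are a subset copied from the "Gig Connected
# Buildings" slides as (code, model, primary NAP, secondary NAP); NAP names
# are normalized (the slides mix "Modv"/"ModV" and "Vag"/"Vagelos").
from collections import defaultdict

UPLINKS = [
    # single feed (secondary None)
    ("ACH", 2, "ModV", None), ("BNH", 2, "Vag", None), ("CPN", 3, "HNT", None),
    ("CST", 3, "HNT", None), ("GEB", 2, "HNT", None), ("HIL", 2, "Vag", None),
    ("LOG", 2, "Vag", None), ("NEB", 2, "ModV", None), ("Quad", 3, "HNT", None),
    # dual feed
    ("BRB", 2, "ModV", "HNT"), ("COL", 1, "Vag", "ModV"), ("FKB", 1, "NIC", "Vag"),
    ("HNW", 2, "LEV", "ModV"), ("VPL", 1, "Vag", "HNT"), ("WAL", 1, "NIC", "Vag"),
]

# Models 1 and 2 are defined on the slides as dual feeds to separate NAPs.
DUAL_FEED_MODELS = {1, 2}

def nap_loss_impact(rows, nap):
    """Buildings affected if `nap` (or its feed) is lost: single-homed ones
    lose service, dual-homed ones fall back to their other uplink."""
    lost = [c for c, _m, p, s in rows if p == nap and s is None]
    degraded = [c for c, _m, p, s in rows if s is not None and nap in (p, s)]
    return {"lost": lost, "degraded": degraded}

def blast_radius(rows):
    """NAPs ranked by how many buildings go dark when each one fails."""
    counts = defaultdict(int)
    for _c, _m, p, s in rows:
        if s is None:
            counts[p] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def redundancy_gap(rows):
    """Buildings whose model calls for dual feeds but that still have one;
    these are the rows the slides tag with an 'Optimal 2nd link' comment."""
    return [c for c, m, _p, s in rows if m in DUAL_FEED_MODELS and s is None]

def same_nap_twice(rows):
    """Dual-feed rows where both uplinks land on the same NAP, which gives no
    protection against that NAP failing (none in this subset)."""
    return [c for c, _m, p, s in rows if s is not None and p == s]
```

Running `blast_radius(UPLINKS)` on this subset ranks HNT first, which is the kind of evidence the "largest single point of failure" argument about College Hall rests on once the full tables are loaded.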
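To make the "is it worth it" question on the Redundancy (UPS) slides concrete, here is an added cost-and-coverage model in Python that is not part of the deck; the dollar figures and location counts are the deck's, while the outage durations are constructed sample data shaped like the deck's observation that outages are either a blip or 1+ hours.

```python
# Added example, not from the NPTF deck: cost vs. coverage for the UPS options
# on the "Redundancy (UPS)" slides. Dollar figures and location counts are the
# deck's; SAMPLE_OUTAGES_MIN is constructed data, not Penn's outage log.
import math

INSTALL_25MIN = 2700      # $ per location for a UPS with 25 minutes of battery
EXTRA_PER_15MIN = 1100    # $ per additional 15 minutes of battery
ANNUAL_PER_SITE = 900     # $ per year per location, ongoing
WIRING_CLOSETS = 600      # closets N&T manages (option 1: UPS everywhere)
BUILDING_ROUTERS = 100    # building-router locations (option 2: routers only)

def install_cost(battery_minutes, locations):
    """One-time install cost; battery beyond 25 min is bought in 15-min steps."""
    if battery_minutes < 25:
        raise ValueError("model starts at the 25-minute base unit")
    steps = math.ceil((battery_minutes - 25) / 15)
    return (INSTALL_25MIN + EXTRA_PER_15MIN * steps) * locations

def annual_cost(locations):
    """Ongoing cost per year for the chosen number of locations."""
    return ANNUAL_PER_SITE * locations

def coverage(outages_min, battery_minutes):
    """Fraction of outage events the battery rides through, plus the outage
    minutes that still hit the network because they outlast the battery."""
    covered = sum(1 for d in outages_min if d <= battery_minutes)
    unprotected = sum(d for d in outages_min if d > battery_minutes)
    return covered / len(outages_min), unprotected

# Constructed sample shaped like the deck's observation: outages are either a
# blip (seconds to a couple of minutes) or an hour or more.
SAMPLE_OUTAGES_MIN = [0.1, 0.2, 0.5, 1, 2, 75, 90, 180, 240]

def compare(outages_min=SAMPLE_OUTAGES_MIN, battery_options=(25, 40, 55)):
    """For each battery size: install cost of both options and what it buys."""
    rows = {}
    for minutes in battery_options:
        frac, left = coverage(outages_min, minutes)
        rows[minutes] = {
            "closets_install": install_cost(minutes, WIRING_CLOSETS),
            "routers_install": install_cost(minutes, BUILDING_ROUTERS),
            "events_covered": frac,
            "unprotected_min": left,
        }
    return rows

if __name__ == "__main__":
    for minutes, r in compare().items():
        print(minutes, r)
```

On the sample, going from 25 to 55 minutes of battery adds $1.32M to the install bill for 600 closets without riding through a single additional event, which is consistent with the deck framing the decision as protection against short outages only.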