High Performance Network Analysis
Enterprise Operate Practice, Cisco Services
Andrew Wojtkowiak – Network Consulting Engineer
© 2011 Cisco and/or its affiliates. All rights reserved.

• Background
  – Cisco Services performed an assessment of the wired infrastructure to serve as a holistic health check of the University Corporation of Atmospheric Research network
• Goal of the assessment
  – To identify immediate remediation needs
  – Provide opportunities for network improvement

Background and Key Areas Assessed
• High Level Findings
• Executive Level Findings
• Remediation Steps
• Strengths and Concerns
• Encompassing Projects
• Looking Forward

• The High Performance Network Analysis (HPNA) was performed to assure the stability of the core routing and switching infrastructure
• Performed as a holistic network health check
• Emphasis placed on availability and resiliency within the campus environments
• On-site interviews and data collection
• Analyzed ~80 devices as part of the HPNA
• Collected detailed network data such as topology diagrams, software, network standards, protocols, etc.

Key areas assessed:
• Network Topology
• Protocol Resiliency
• Network Service Resiliency
• Hardware and Software

Strengths:
• Dedicated and professional network staff
  – Everyone we worked with was very open, professional and accommodating
• Excellent hardware and software replacement strategies
  – Hardware and software are kept up to date, and staff are knowledgeable about bugs and vulnerabilities
• Change management process
  – Well documented and followed change management process
• Individualized tools for network management
  – Tools for deployments, configurations, backups, and management
Concerns:
• Single points of failure
  – Increased risk of a pervasive network incident; scalability and availability concerns
• Process documentation
  – Lack of formal process to follow. No repeatable steps that all team members can use.
• Global configuration templates
  – Templates will help reduce configuration inconsistencies and ensure services are configured according to policy
• Configuration inconsistencies
  – Increased time to repair due to troubleshooting overhead; decreased network security; compliance risk

Single points of failure:
• A few single points of failure
  – TCOM switch for Internet connectivity
  – Foothills Lab secondary switch
  – NWSC second switch
• Major risk with TCOM
  – Higher latency backup
• Foothills and NWSC would limit connectivity from those locations to the rest of the network
• Foothills under construction, second switch in move
• NWSC secondary switch is being considered

Process documentation:
• Processes are well defined by the individuals who perform the tasks
  – Software and hardware replacement
  – Standards for implementing new devices
• No actual defined documentation
• Only certain people are well versed in processes
• Not easily reproducible
• No defined steps for changes
• Allocate time to turn processes into documentation
• Allocate someone to review the documents
• Keep them up to date as they change.

Software summary for Cisco 6500 Series Switches (version table; the per-version device counts and percentages did not survive extraction):
• IOS: 12.2(33)SXH3, 12.2(33)SXH4, 12.2(33)SXH8, 12.2(33)SXI4a, 12.2(33)SXI5, 12.2(33)SXI6, 12.2(33)SXI8a
• CatOS: 8.4, 8.6
• All CatOS has reached End of SW Maintenance, and will no longer receive attention with regards to defect or security vulnerability patching
Configuration inconsistencies:
• Configuration standards are ad hoc, without formal documentation
• No way to perform configuration compliance against a template*
• Number of configuration inconsistencies and errors
• Network unpredictability
• Potential increased troubleshooting overhead and operational difficulty
• Prolonged loss of connectivity and service interruption to critical applications
• Increased exposure to security vulnerabilities
• Increased cost associated with operating the network (Protocol, Service, Security)

Findings:
• HSRP inconsistencies
• Partially configured advanced spanning-tree features
• Optimize/standardize spanning-tree priorities
• OSPF passive interface
Risks:
• Some routers do not have a peer
• Possible loops or rogue switches influencing the network
• Routing updates are not limited
Recommendations:
• Implement changes to the network to remediate the smaller configuration inconsistencies
• The standard templates will assist in ensuring fewer deviations from standard.

Topology:
• Three buildings connected in a partial mesh topology
• Collapsed connections to each other
• Port density growth at N*(N-1) rate for every new building
• Lack of modularity and scalability
• Large fault domains across all buildings
• Network disruption and outages
• Increased troubleshooting overhead
• Quantifiable cost increase in both capital and operational expenditure
  – Cost to add 4th building: N*(N-1) = 12 ports (6 links)
  – Additional capital expenditure associated with running fiber
  – Additional operational expenditure associated with design complexity

Current Topology - No Core
• Fully-meshed distribution layers
• Physical cabling requirement
• Routing complexity
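The compliance gap called out above (no way to check configurations against a template, plus the HSRP, spanning-tree and OSPF passive-interface findings) can be closed with a small audit script. The following is an added example, not part of the assessment or any Cisco tool; the two device configs and the template value (distribution-layer STP priority 4096) are constructed for illustration, and the HSRP peer check generalizes the "some routers do not have a peer" finding across all devices.

```python
from collections import defaultdict
CONFIGS = {  # constructed sample configs (not from the assessment): dist-a follows the template, dist-b deviates
    "dist-a": """spanning-tree vlan 1-4094 priority 4096
interface Vlan10
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 standby 10 preempt
router ospf 1
 passive-interface default
""",
    "dist-b": """interface Vlan10
 standby 10 ip 10.10.0.1
interface Vlan20
 standby 20 ip 10.20.0.1
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
""",
}
TEMPLATE = {"stp_priority": 4096}  # assumed distribution-layer root bridge priority
def parse_blocks(config):  # -> (top-level lines, {block header: [child lines]})
    top, blocks = [], {}
    for line in config.splitlines():
        if line.startswith(" "):
            blocks[top[-1]].append(line.strip())
        else:
            top.append(line.strip())
            blocks[top[-1]] = []
    return top, blocks
def audit(configs, template):
    """Return {device: [findings]} for deviations from the template."""
    findings = defaultdict(list)
    hsrp_members = defaultdict(set)  # (interface, group) -> devices carrying it
    for dev, cfg in configs.items():
        top, blocks = parse_blocks(cfg)
        if not any(l.startswith("spanning-tree vlan ") and l.endswith(f" priority {template['stp_priority']}") for l in top):
            findings[dev].append("STP: priority not set to template value")
        for hdr, lines in blocks.items():
            if hdr.startswith("interface "):
                for g in {l.split()[1] for l in lines if l.startswith("standby ") and l.split()[2] == "ip"}:
                    hsrp_members[(hdr, g)].add(dev)
                    for kw in ("priority", "preempt"):  # every HSRP group needs both
                        if not any(l.startswith(f"standby {g} {kw}") for l in lines):
                            findings[dev].append(f"HSRP: {hdr} group {g} missing {kw}")
            elif hdr.startswith("router ospf") and "passive-interface default" not in lines:
                findings[dev].append(f"OSPF: {hdr} lacks passive-interface default")
    for (intf, g), devs in hsrp_members.items():  # a group seen on only one device has no peer
        if len(devs) < 2:
            findings[next(iter(devs))].append(f"HSRP: {intf} group {g} has no peer")
    return dict(findings)
```

Running audit(CONFIGS, TEMPLATE) reports nothing for dist-a and seven deviations for dist-b, including the lone HSRP group on Vlan20 that has no peer.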
Proposed hierarchical topology (diagram: Center Green, Mesa Lab, Foothills, New Location, Dedicated Core, Dedicated WAN / Internet Switch Block, Research Networks, Internet, TCOM/FRGP Firewalls)
This leading practice hierarchical design has been proven to:
• Promote easy growth and ease of troubleshooting
• Reduce capital and operational expenditure
• Create small fault domains
• Promote deterministic traffic flows
• Enable logical and physical topology mapping

Routing / Switching:
• Monitoring facing the Internet
  – Intrusion Prevention
  – SPAN sessions to security team
• Extensive ACLs on core switches
• Limited methods to log and account for network incidents
• Increased CPU usage on switches
• Create method to evaluate internal ACLs routinely
• No Control Plane Policing to protect devices
• Consider Control Plane Policing for basic router/switch services

Correlating business impact (risk reduction) to ease of execution and exemplar implementation time
Project list:
1) Remediate single points of failure
2) Create, utilize and maintain global configuration standard templates
3) Create, utilize and maintain process documentation
4) Remediate configuration inconsistencies within the network
Prioritization matrix (chart): vertical axis from high priority (> year, 9 months, 0-6 months) to low priority; horizontal axis from more complex to implement (very hard) to easy to implement; quadrants "Must Do – Reduce Risk", "Quick Wins – High Business Impact" and "Easy But Low Return", with projects 1-4 plotted on it.

Thank you.