Principles and Standards
Version: 2.2.2
Last Updated: 3/24/05
University Computing and Communications Services
Network Architecture Principles and Standards used in the design and implementation of Georgia State's networking infrastructure and for connection to that infrastructure.

About:

Network Architecture principles represent the highest level of guidance for network planning and decision-making. Principles are simple statements of the University’s beliefs about how it wants to use networking over the long term (two to five years in the future). They provide the primary linkage between business strategies and network technology strategies, and thus between the administration and the management of the technology-providing division. Principles are derived from business goals and corporate values. They formalize a commitment by upper management to make investments in the network infrastructure. Three categories of Principles - Management, Vendor, and User - are presented for guiding current and future development of the network.

Network Architecture Technical Standards work in conjunction with Principles to create a uniform system. Standards are predetermined rules that ensure uniformity during the design and implementation phases of a new network infrastructure. The technical standards included in this document present those technical approaches that afford the best opportunity to meet the management principles and goals of the University.

Network Architecture Principles:

Management Principles
Vendor Principles
User Principles

Management Principles (4)
Management Principles define how an organization addresses the use of networking from a business standpoint. Issues include the acceptability of technological risk, the use of network services to differentiate Georgia State University, the degree to which technical investments are expected to position the University for the future instead of merely fitting existing requirements, the importance of cost control, and the criteria for change.

  1. We will deploy only those technologies and services that are mature and have been proven in higher education or comparable industry environments.

    Implications
    New technologies and services would NOT be implemented until after they are proven to be successful in order to:
    · Minimize risk in the near term, reduce learning curves for faculty, staff, and students.
    · Minimize internal technical support requirements.

    Pros
    Reduces costs in the short term (and perhaps in the long term) by avoidance of investments in technologies or services that are not proven.

    Cons
    May lose some standing to early adopter Universities and those more willing to make investments in new, unproven technology.

  2. The network will be an enabling infrastructure with the flexibility to support all current and unforeseen future applications.

    Implications
    Predict and build network capability in much the same way as utilities, structure and highway systems are built ahead of actual demand, but recognizing that the network will be critical to the development and sustainment of new campus areas or new instructional offerings.
    This position indicates a belief that video and interactive customer applications may happen sooner rather than later, and anticipates attendance-generation from these applications.

    Pros
    · Network could accommodate new applications and campus growth at a rapid rate.
    · Educators would not have to worry as much about network constraints in developing new course offerings.
    · Researchers may be able to experiment more with new applications and may discover new uses of the network that would not be obvious.

    Cons
    · Total network expense would be higher because capacity would be built that may not be currently (or ever) used; i.e., "wasted" bandwidth.
    · Network management could be more difficult because the deployment of the new technology generally overlaps the need to continue legacy technology.

  3. Network Design decisions are all made at the enterprise level.

    Implications
    The central network management agency (UCCS) has the best information for making the decisions across the enterprise. This makes for easier overall management of the network in that it has the efficiency of a single decision maker. Enforcement of standards is easier here since installation and operations are centrally administered or procedures are centrally developed and distributed.

    Pros
    · Decisions can be made more quickly.
    · Clear understanding and coordination of network-wide actions.
    · Network management is easier.
    · Network costs are easier to derive and allocate.

    Cons
    · Variations in departmental requirements may be harder to implement.
    · Responsiveness to users may be harder to achieve.

  4. Network services will be provisioned on the basis of perceived value or future needs.

    Implications
    This principle focuses on the business rationale for having a network. In the Georgia State University case, the network exists and is being upgraded in anticipation of the applications and uses it will serve. This is analogous to a highway system that is expanded with additional lanes before additional traffic has materialized to use them.

    Pros
    · Allows departments and colleges to quickly implement products and services without having to wait for the infrastructure to be built to support the new application.
    · Can be a very exciting place for networking professionals to work, given that they are challenged to implement services and technologies that are closely tied to business goals, but ahead of when they are actually needed.

    Cons
    · The rate of change in networking technology makes it difficult to anticipate the future, ahead of demonstrated business need.
    · Deployment of network technology before a demonstrated need may incur unnecessary costs.

Vendor Principles (4)
Vendor Principles address aspects of network technology procurement and dealings with vendors. They address issues such as preferred vendors, degree of vendor independence, or degree to which partnership arrangements are acceptable.

    1. We will select strategic vendors and, where possible, we will buy from those vendors.

      Implications
      Future identification of strategic vendors will be based on the fit of supplied technology with the architectural direction of the Georgia State University network.

      Pros
      · Interoperability is eased, at least for products from the same vendor.
      · System integration help is usually available at no cost or as a part of the purchase price of the hardware or software.
      · Total costs may be lower because of the lack of integration costs.
      · When network downtime or performance problems are encountered, "finger pointing" can be reduced with fewer vendors.

      Cons
      · If a vendor is not tracking mainstream or current technologies, the enterprise may find itself in a technological "dead end."
      · Due to lack of competition, prices may go up once the enterprise is locked into a particular vendor.
      · New technologies that could give the enterprise high leverage may be very expensive to integrate when they come from a vendor outside the strategic one.

    2. We will select individual types of product or service based on "best of breed."

      Implications
      UCCS functions as the enterprise system integrator and this role increases the requirement for in-house talent; some of the "best-of-breed" hardware and software may never have been integrated in the past. Furthermore, after the physical integration is complete, it may be difficult to fully monitor or control the network.

      Pros
      · Permits the enterprise to have the best possible type of product or service in each category.
      · Keeps the enterprise on the leading edge of networking technology.
      · Prevents being locked into one provider who may fail or who may not have the needed capabilities.

      Cons
      · Can make network management and staff training more difficult due to the multivendor environment.
      · Network complexity may be higher because of gateways and/or conversion boxes.
      · Difficult to fix blame when problems arise, due to "finger pointing" by the various network participants.

    3. We will not implement single-vendor proprietary technologies that limit choice in the marketplace.

      Implications
      This principle puts flexibility and interoperability ahead of implementing "bleeding-edge" or even much leading-edge technology since, in most cases, standardization follows the introduction of new technologies. This limits the ability of the enterprise to take advantage of some value-added product features that may be vendor-proprietary, even if these features might offer a competitive advantage or reduce costs.

      Pros
      · The use of industry-standard products will allow training and support costs to be lower.
      · Acquisition costs would be lower since there is competition in the market for the device, software or services being sought.
      · The technology employed would be proven to a certain extent, since multiple vendors have introduced products that are interoperable.

      Cons
      · The enterprise may miss out on networking technology that might provide it competitive advantage.
      · Lower cost or more efficient solutions may be bypassed because they are not supported by multiple vendors/suppliers.

    4. We will only buy from well-established vendors with large market shares.

      Implications
      This principle says bigger companies with an established track record are better, more reliable, and less risky. However, adopting such a principle can be quite limiting since it precludes taking advantage of the large number of innovative new venture-funded startup vendors, as well as new carriers/network service providers.

      Pros
      · Major suppliers have established channels and inventories that can ensure that customers get on-time delivery of products or services.
      · Administration of vendors is easier because there are typically fewer of them with larger, "mature" vendors.
      · Less risk of the vendor going out of business or dropping a product line, leaving the enterprise with unsupported products.
      · Mature vendors typically have a better developed service and support infrastructure.
      · Large market share equates to large market acceptance and therefore higher likelihood of 3rd-party vendor support or ancillary products/services.

      Cons
      · Prices may be higher in some cases due to the overhead needed to maintain inventory and administrative staff.
      · Attention and support may not be as personal as it could be from a small startup firm with fewer customers.
      · Well-established vendors usually are slower to introduce new products, because they have to worry about compatibility with an installed base of products and customers.
      · Well-established vendors are susceptible to business failure, merger or acquisition.

User Principles (5)
User Principles deal with end user issues such as: the network services provided, the amount of power that the user has in defining his/her applications and use of the network, the responsibilities of the users in participating in the network infrastructure, the degree to which users may be expected to adopt new networking technologies and the types and levels of service that the user may expect.

  1. All employees and applications must use the University-provided network facilities.

    Implications
    This principle will keep individual departments, divisions, or other business units from being able to outsource their network services, and may require them to pay to use the enterprise's own network. Forcing everyone to use the enterprise network ensures that there are enough users to pay for the enterprise network.

    Pros
    · Aggregate corporate costs may be lower due to economies of scale.
    · Ease of administration, training and support when the enterprise supports only one transport network.
    · Having everyone on the same network may facilitate cross-department communication and tighter working relationships between departments or colleges.
    · Keeps users from "defecting" to outside network services and creating an underutilized enterprise network with no one to pay for its use.

    Cons
    · Corporate "one size fits all" system may not be responsive to the needs of some departments or end users.
    · Support costs may be higher if some of the technology is not mainstream.

  2. Network administrators and security managers must be actively involved in planning all new applications and uses of the network.

    Implications
    This principle protects the network from applications, devices, or networked computers that are not good "network citizens," i.e., those that consume network resources that need to be available for other network users. An application approval process should require all new applications be run in a lab or under a controlled environment before being permitted to be run on the live network.

    Pros
    · Reduces network crashes due to unexpected network congestion conditions.
    · Ensures that critical applications get network resources when needed.
    · Enables cataloging of network applications for risk assessment or network management.
    · Reduces costs as unnecessary applications are precluded from consuming expensive bandwidth.

    Cons
    · Testing and approval increase the time to implement new applications.
    · Difficult to enforce.
    · May reduce innovation, since experimentation is discouraged.

  3. Network Moves, Adds, and Changes will be chargeback activities.

    Implications
    This is the fee for service model. All customers are provided with basic network connectivity. Requirements for relocation, renovation, and additions of network connections are borne by the requesting customer.

    Pros
    · Administrative, hardware and contractor costs for customer discretionary changes to network connectivity are paid solely by the customer.
    · Requests for service changes are kept to a minimum conducive to department operation requirements.

    Cons
    · Perception that the network is not a centrally funded service.
    · Difficulty in getting customers to identify, plan and budget for connectivity changes.
    · Difficult to determine cost sharing for major changes to connectivity.
    · May not provide the most cost-effective solution for the entire building infrastructure.

  4. The network will provide uniform service levels as much as possible.

    Implications
    This is the egalitarian model. All in the enterprise (regardless of building or metropolitan area location) have equal access to the network and its services with similar response and reliability times.

    Pros
    · Reduces the cost of applications development, since developers don't have to create multiple versions for users with different levels of network service.
    · Providing higher bandwidth in many underserved geographic areas facilitates group collaboration and contributes to productivity.
    · Avoids complaints that users in certain geographic areas are poorly served by the enterprise network.
    · Permits more-rapid deployment of new bandwidth-hungry applications without regard to variations in the ability of the network infrastructure to support them.

    Cons
    · Can be very expensive, particularly if this principle is applied to geographic regions with poorly developed carrier infrastructures or lack of competitive carriers.
    · May be unnecessary for the type of work being performed in various regions, adding unnecessarily to network costs.

  5. User impact is the primary consideration in making changes to the network.

      Implications
      This principle emphasizes that the network exists to serve the user -- that the user is central to network activities. Upgrades in services and interruptions are planned to minimize user impact, even if this may result in slower deployment of new enterprise products or services. Example disruptions include: planned network outages to upgrade router software, replacement of NICs/LAN adapters in personal computers, installation and testing of new facilities, etc.

      Pros
      · Training costs for users are reduced, as changes are minimized.
      · Users may become more reliant on the capabilities of automation when it is more stable.

      Cons
      · Important changes to the network may be deferred, thereby affecting productivity, and time-to-market for new products and services that are network-dependent.
      · Some users may be forced to use lesser network capabilities because upgrades are delayed.

Network Architecture Technical Standards (37):

  1. The Internet Protocol (IP), in particular IP Version 4, is the single network protocol of choice for the University network.

    Position: IP has rapidly become the leading "open" network protocol, with its use far outweighing all others. It is the protocol upon which all Internet communication is based; its use leverages developments in intranet and Internet communities.

    Due to the popularity of Internet/intranet technology and applications that utilize TCP/IP, the majority of new networking and applications products include support for the TCP/IP-related protocol APIs. Indeed, many new networking and applications products are being introduced that support only these APIs. Most vendors have transitioned their products from proprietary protocols to TCP/IP, thus providing encapsulation of other protocols for transport over IP, or providing gateways to convert other data streams and protocols into those of the IP protocol stack. For example, Novell gives NetWare users a choice of protocols, with native support for TCP/IP implemented in NetWare software products. Apple Computer's Open Transport strategy permits all Macintosh applications to use TCP/IP as an alternative to AppleTalk for functions such as print and file services, without rewriting applications. Moreover, a wide variety of products permit SNA to run over TCP/IP networks, and IBM supports TCP/IP on its mainframe computers.

    Quality of service is emerging as an important feature for IP networks as voice over IP and SNA over IP are being implemented. The techniques for providing quality of service in these situations are still evolving, but are proving to be sufficient for most applications.

    As demonstrated by the growth of the Internet, the TCP/IP protocol suite and its associated routing protocols (e.g., OSPF, BGP4) can manage far greater growth than has been demonstrated by any other network protocol. In addition, because of its U.S. Department of Defense origins, the IP protocol suite was designed to provide reliable communications in rapidly changing environments over relatively unreliable hardware; it is performing well under the explosive growth of the Internet and is being refined to provide even better reliability. Specialized high-availability ISP and carrier IP network services offerings are now being offered and will be expanded in the future.

    As the primary network protocol of the Internet, of UNIX, of Windows, and of the world's universities, the TCP/IP suite is understood by most network and applications programmers and is being incorporated into most new designs. It is now the most widely supported of all protocols in terms of training and staff, and network management software products that integrate support of the protocol with that of the applications are appearing because of market demand and vendor consolidation. In addition, use of a single network protocol (i.e. IP) greatly eases configuration and administration of routers and routing-aware LAN switches.

    As IP-based backbone networks become increasingly common, techniques have been developed for virtually all other protocols to be carried by IP. Although there will always be situations in which certain protocols cannot be carried by IP, these are typically older legacy protocols, not protocols used in current development. These legacy situations can be anticipated and handled in numerous ways by the enterprise network. For those cases in which a protocol other than IP must be routed, most routers can carry protocols other than IP with some additional complexity in router configuration and overhead. Therefore, a gradual migration from many protocols towards IP is possible without the need for abrupt change in users of the network.

  2. Publicly Registered IP Addresses will be used.

    Position: Georgia State University owns sufficient public address space to meet its current and future requirements if it is conservatively managed. Public addresses are preferable to private addresses for a variety of reasons, including issues in connecting privately addressed networks across the public Internet, and in connecting two privately addressed networks that make use of the same address space.

    Even with public addressing, CIDR should be used to maximize network assignment efficiency, provide addressing flexibility, and enable address significance. CIDR boundaries must be established to maximize IP address summarization to minimize routing updates and routing table sizes.
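As an added illustration of the summarization goal stated above (this script is not part of the original standards document), the following Python code collapses each site's subnets into the fewest exact CIDR routes, reports how many routing-table entries a contiguous allocation saves compared with a scattered one, and checks whether forcing a single summary prefix would cover address space the site does not actually use. It relies only on the standard-library ipaddress module; the site names, subnets (drawn from RFC 5737 documentation space) and function names are constructed for the example, not Georgia State's real allocations.

```python
"""Route summarization check for CIDR-allocated subnets.

Added example for the standard above; not part of the GSU document. Uses the
standard-library ipaddress module; subnets and site names below are constructed
from RFC 5737 documentation space, not real University allocations.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def summarize(subnets: Iterable[str]) -> List[str]:
    """Collapse subnets into the fewest exact covering prefixes (no extra space)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_prefix(subnets: Iterable[str]) -> Tuple[str, int]:
    """Smallest single prefix containing every subnet, plus the number of
    addresses inside it that are NOT part of the set.

    A non-zero second value means advertising that one prefix would also
    attract traffic for address space the site does not actually use.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]   # assumed: all IPv4
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()                         # widen one bit at a time
    used = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(cover), cover.num_addresses - used


def site_summaries(assignments: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per-site summary routes, as a building router would advertise upstream."""
    return {site: summarize(subs) for site, subs in assignments.items()}


def route_counts(assignments: Dict[str, List[str]]) -> Tuple[int, int]:
    """(routes without summarization, routes with per-site summarization)."""
    raw = sum(len(subs) for subs in assignments.values())
    summarized = sum(len(v) for v in site_summaries(assignments).values())
    return raw, summarized


# Constructed sample: one contiguous block per building (summarizes cleanly).
PLANNED = {
    "Library": ["192.0.2.0/26", "192.0.2.64/26", "192.0.2.128/26", "192.0.2.192/26"],
    "Science": ["198.51.100.0/25", "198.51.100.128/25"],
}
# Constructed sample: the same space handed out as requests arrived, so blocks
# from one /24 are split across two sites and cannot be summarized per site.
UNPLANNED = {
    "Library": ["192.0.2.0/26", "192.0.2.128/26"],
    "Science": ["192.0.2.64/26", "198.51.100.0/25"],
}

if __name__ == "__main__":
    for name, plan in (("planned", PLANNED), ("unplanned", UNPLANNED)):
        print(name, site_summaries(plan), route_counts(plan))
    print("over-summarizing unplanned Library:", covering_prefix(UNPLANNED["Library"]))
```

With the planned allocation the two sites advertise 2 routes instead of 6; with the unplanned one, none of the 4 routes can be merged, and the only single prefix that covers the Library's two /26 blocks is the whole /24, half of which belongs to another site. That is the trade-off the standard's "CIDR boundaries must be established" sentence points at: summarization only works if boundaries are planned before addresses are handed out.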

  3. DHCP will be used to obtain network configuration information at boot up for all Windows, Macintosh and Unix workstations on campus. Systems being used as servers will be registered with the DHCP server, but may use static networking information.

    Position: DHCP provides campus workstations with dynamic configuration data that is pertinent to the operation of the workstation. This includes such items as IP-Address, network mask, gateway, DNS server, WINS server, etc. By using DHCP, it is possible to make changes to these services and the underlying network infrastructure without having to visit each workstation. All stations/servers that are statically coded will have to be individually reconfigured by hand when any of these services or network infrastructure changes.

    A centralized management tool generally provides for DNS/DHCP integration using Dynamic DNS, and allows organizations to tightly control IP address assignments to prevent conflicts that arise when the same IP subnet is assigned to multiple locations. In addition, a centralized IP address management tool allows the organizations to quickly obtain snapshot reports that show address utilization and availability. Centralized IP address management tools are generally used as a repository for IP address and user information that will be necessary for the successful deployment of policy-based and directory-enabled networking systems.

    Manual address assignment is recommended for network devices such as routers and switches. This is primarily due to the requirement to assign static IP addresses in order to effectively populate network management platforms. In addition, manually assigned "loopback" addresses are often used to control OSPF "designated router" assignment, as well as to provide a continually available way to reach key devices via telnet or other management application. Manual address assignment will also be used for key host systems, where applications or security policies may require that the IP Address assignments remain fixed at all times.

    Static address assignment may also be used for assignment of IP addresses to servers. The primary reason for this approach is to guarantee that publicly available server addresses never change in order to simplify firewall and network prioritization management.

    Manual IP Address assignment is not intended to be a general solution for any class or type of workstation and can cause problems when widely employed. For example the manual assignment of IP Addresses negates the ability of the centralized networking support staff to make user transparent changes to the networking infrastructure when growth and other factors dictate that the structure must be changed.

  4. Domain Name Service will be provided for name-to-address lookup. Dynamic DNS will be deployed to integrate the DHCP and DNS servers.

    Position: As the Internet has developed, the Domain Name Service has become the standard method for mapping IP address assignments to common English names. With Windows 2000, Microsoft has also embraced DNS as the naming standard for Windows 2000-based networks, rather than the older Windows Internet Naming Service (WINS).

    Georgia State University will continue to use DNS in much the same way as it already has. The top-level domain name "GSU.EDU" is registered with the Internet NIC (Internet Network Information Center).

  5. The Open Shortest Path First (OSPF) protocol will be used for path calculation and network topology updates among all Campus IP network routers.

    Position: OSPF improves on the capabilities of both RIP and IGRP; it is an industry standard and virtually all vendor routers likely to be used by the University support it. In our current multivendor environment OSPF will allow use of one routing protocol for all routers, simplifying administration, troubleshooting and training.

    The University will not support multiple backbone protocols such as IPX, AppleTalk, XNS.

  6. Layer 2 Ethernet switches with support for enhanced features will be used for desktop access connectivity.

    Position: Many Layer 2 switches are now able to examine Layer 3 information in order to make forwarding decisions based on pre-configured policies, or to participate in IP Multicast groups. In addition, Layer 3 "snooping" can allow Layer 2 switches to enforce access control, or to mark packets for a particular IP port number or IP address for a higher level of priority using 802.1p/Q tagging or by setting the IP TOS bits.

  7. Layer 2 Switches will be used for server farm access connectivity.

    Position: Layer 2 switches will be used for applications in which server access must have a high level of resiliency, or for applications that require IP QoS features such as the ability to mark the TOS field.

  8. Layer 3 Switches will be deployed within the campus backbone, with software-based routers used for WAN connectivity.

    Position: Within the site/campus backbone, there is no longer a choice as to the best type of device to deploy. Layer 3 switches should be deployed for all current and foreseeable situations.

    The only decision one has to make when considering Layer 3 switches is performance capability. Many current Gigabit Ethernet switches do not have sufficient backplane throughput to support full wire-speed on all Gigabit Ethernet ports. However, in most cases, actual bandwidth demands are far below the theoretical maximum that the switch can support, so in most environments this is not an issue. However, as bandwidth demands increase, network managers will have to understand the limits of their backbone switches to ensure that they are not being overutilized. Fortunately, many new products can indeed provide full non-blocking, wire-speed performance for all Gigabit Ethernet ports.

  9. WAN access will be provided via an edge router.

    Position: The most straightforward way to connect to PeachNet and Internet2 provider networks is via a router on the campus premises. This link will be IP.

  10. 802.11b/g WLANs will be used.

    Position: If rapid deployment, temporary deployment, high cabling cost, or difficulty in wiring are issues that make a wired LAN installation difficult or not cost-effective, wireless LANs are an attractive alternative to a wired infrastructure (that is, no wired LAN will be installed except to link the access points to a router). Departments or divisions might encounter situations in which the type of building construction or the inability to gain a construction right-of-way blocks cable installation. Alternatively, a need may exist for a temporary network connection for a special project. Wireless connections are useful for these scenarios.

    An access point will provide WLAN connectivity through most walls at distances up to approximately 150 feet. Each PC will need a wireless LAN network adapter card. Most manufacturers make network adapters for Industry Standard Architecture (ISA), Peripheral Component Interconnect (PCI), and PC Card computers, so users can connect virtually any desktop or notebook PC to a wireless LAN. Some vendors also offer serial, parallel, and Universal Serial Bus (USB) wireless connection units; these allow administrators to connect printers, scanners, and other peripheral equipment to the wireless LAN.

    The currently popular IEEE 802.11b wireless LAN standard nominally supports only 11 Mbps of raw bandwidth, which can drop to as little as 1 Mbps or 2 Mbps near the edge of a WLAN access point's coverage area. Thus, wireless LANs are not appropriate as a complete substitute for wired LANs.

    Wireless devices will operate as an adjunct to the existing Ethernet LAN. The Access Point (AP) connects to the existing LAN via an Ethernet connection and provides wireless connectivity for all the registered wireless devices within 200 to 500 feet. Depending on the size of the coverage space, some LANs may need more than one AP.

  11. Devices that support LAN, MAN, and/or WAN backbone connectivity should contain redundancy features designed for 100% uptime.

    Position: Communications equipment that is critical to supporting University IP communications should contain redundancy features that maximize the availability for that device. Examples of devices in this category are:

    LAN backbone switches: The LAN backbone switch will be used to interconnect many Ethernet switches, provide a link to a WAN access switch, and furnish LAN links to servers.

    WAN Router: WAN routers are responsible for all WAN access for a site and provide interconnection to some of the campus backbone switches.

    A hardware maintenance support contract should be used to provide replacement parts and on-site service.

    The location of this equipment is also crucial. Networking devices are typically consolidated within a single room that also includes a fairly large amount of equipment. This collection of equipment can generate thousands of British thermal units (BTUs) per hour of heat. The equipment room should be air-conditioned 24 hours a day to keep the room between 65 degrees and 80 degrees Fahrenheit. Clearly the room temperature, as well as internal temperatures on individual devices, should be monitored and alarmed for overheating protection.

  12. Spare equipment and redundant power supplies should be used to provide redundancy for closet devices.

    Position: The most common devices within this category are LAN desktop switches. For these devices, the most common failure is a power supply or a single module within the chassis. Rarely will all of the modules within a chassis fail at the same time; however, a higher probability exists for a single module failure.

  13. Each LAN backbone switch should interconnect to at least two other LAN backbone switches to provide redundant paths for communications with the campus or building. In addition, diverse routing should be used for the cabling supporting those separate connections, especially for building-to-building connections within a campus.

    Position: Diverse cable routing protects against cable cuts by technicians, users, and backhoes that might adversely affect network health. Multiple connections between the switches/routers should be used to protect against a port failure or bad cable.

    It should be noted that if the LAN backbone is comprised of Ethernet switches, the second connection will not be load-sharing traffic, but will be just a standby. Since the spanning tree algorithm allows only one active path from point A to point B in an Ethernet network, the second link will become active when the spanning tree algorithm recalculates the paths through the network based upon a link failure.
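To make the standby behaviour described above concrete, here is an added Python model (not part of the original document, and a deliberate simplification of IEEE 802.1D that ignores port priorities, timers and RSTP). It elects the root bridge, chooses each switch's root port by lowest root path cost with the sender's bridge ID as tiebreaker, and reports which backbone link ends up blocked; running it again with one link marked failed shows the formerly blocked link becoming the active path. The switch names, bridge IDs and four-switch ring are constructed for the example; the path cost of 4 is the 802.1D-1998 default for a 1 Gbps port.

```python
"""Simplified spanning-tree election for a ring of LAN backbone switches.

Added example for the standard above; not part of the GSU document. Models the
802.1D root-port choice (lowest root path cost, then lowest sender bridge ID)
and ignores port priorities, timers and RSTP. All names and IDs are constructed.
"""
import heapq
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Link = Tuple[str, str, int]          # (switch A, switch B, port path cost)
Edge = FrozenSet[str]                # undirected link key

# Constructed topology: four backbone switches in a ring, all Gigabit links
# (4 is the IEEE 802.1D-1998 default path cost for 1 Gbps). B1 has the lowest
# bridge ID, i.e. the manually lowered priority you would give the root.
BRIDGE_IDS: Dict[str, int] = {"B1": 4096, "B2": 32768, "B3": 32769, "B4": 32770}
LINKS: List[Link] = [("B1", "B2", 4), ("B2", "B3", 4), ("B3", "B4", 4), ("B4", "B1", 4)]


def spanning_tree(bridge_ids: Dict[str, int], links: List[Link],
                  failed: Optional[Set[Edge]] = None) -> Tuple[str, Set[Edge], Set[Edge]]:
    """Return (root bridge, forwarding links, blocked links).

    Links listed in `failed` are treated as down and appear in neither set.
    """
    failed = failed or set()
    adj: Dict[str, List[Tuple[str, int]]] = {s: [] for s in bridge_ids}
    for a, b, cost in links:
        if frozenset((a, b)) not in failed:
            adj[a].append((b, cost))
            adj[b].append((a, cost))

    root = min(bridge_ids, key=lambda s: bridge_ids[s])
    # best[s] = (root path cost, upstream bridge ID, upstream switch). The tuple
    # order is the BPDU tiebreak order, so plain `<` selects the better root port.
    best: Dict[str, Tuple[int, int, Optional[str]]] = {root: (0, -1, None)}
    heap: List[Tuple[int, int, str]] = [(0, -1, root)]
    settled: Set[str] = set()
    while heap:
        cost, _, s = heapq.heappop(heap)
        if s in settled:
            continue
        settled.add(s)
        for nbr, link_cost in adj[s]:
            cand = (cost + link_cost, bridge_ids[s], s)
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], cand[1], nbr))

    # Each non-root switch forwards on exactly one upstream link (its root port);
    # every other surviving link is blocked and carries no traffic.
    forwarding = {frozenset((s, up)) for s, (_, _, up) in best.items() if up is not None}
    blocked = {frozenset((a, b)) for a, b, _ in links} - forwarding - failed
    return root, forwarding, blocked


def link_states(failed: Optional[Set[Edge]] = None) -> Dict[str, str]:
    """State of every link in the sample ring: forwarding, blocked or down."""
    _, fwd, blk = spanning_tree(BRIDGE_IDS, LINKS, failed)
    states = {}
    for a, b, _ in LINKS:
        key = frozenset((a, b))
        states[f"{a}-{b}"] = "forwarding" if key in fwd else "blocked" if key in blk else "down"
    return states


if __name__ == "__main__":
    print("normal:   ", link_states())
    print("B1-B2 cut:", link_states({frozenset(("B1", "B2"))}))
```

In the healthy ring the B3-B4 link is blocked and carries nothing, which is the "just a standby" point made above; once B1-B2 is cut, the recalculation turns B3-B4 into B2's only path to the root and it starts forwarding. The same model also shows why the standard's minimum of two backbone connections per switch matters: with only one link a switch has nothing for the algorithm to fall back to.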

  14. "Server farm" LAN switches/routers, load balancers, and WAN access devices should have two connections to the LAN backbone, using "dual-homing" to separate LAN backbone switches/routers.

    Position: To provide redundant communications from each "server farm" LAN switch/router to the LAN backbone switches/routers, a combination of dual-homing the server farm or desktop switch/router to two backbone switches/routers along with diverse routing of the cable supporting those connections should be used where possible.

    Dual-homing of the connections protects against a hardware failure within a backbone switch/router by providing an alternate backbone switch/router to maintain connectivity. Diverse cable routing protects against cable cuts (by technicians, users, and backhoes) that might adversely affect network health.

  15. WAN access redundancy is required for connection to the Internet. Diverse connections will access separate media and service provider networks.
    Position: The WAN connectivity for the University should use connections to two or more different physical paths or dual local loops. This will provide for redundancy in the backbone as well as in the access portion of the network.

    Dual WAN connections from separate LAN backbone switches/routers protect against a hardware failure within a backbone switch/router by providing an alternate backbone switch to maintain WAN connectivity. With routers in the LAN backbone (rather than Layer 2 switches or bridges), both WAN links may be active and load-sharing.

    The WAN access lines should be installed using diverse routing to the PeachNet and SOX connection points, to reduce the possibility of a cable cut within the local loop (also known as "backhoe fade") breaking both links.

  16. Networking components in the campus backbone will have redundant internal power supplies and an external UPS.

    Position: Any equipment in the network that supports the campus backbone will have dual redundant power supplies. Hardware that does not permit redundant power supplies may not be suited to these locations unless a second unit, preconfigured on hot standby, is also installed.

  17. Devices that provide a control function or deliver a service required by users to establish or maintain network connections shall be fully redundant.

    Position: Many services in the resource and control category are just as critical to communications as the transmission equipment. Devices on the Internet or an IP intranet generally cannot operate without DNS. The large enterprise nature of the University requires at least two replicas of each such service, both to keep it available through the failure of one replica and to provide sufficient capacity for large numbers of connection establishment requests.

    DNS is a continuously required service. The usual redundancy is duplicated servers, at least a primary and a secondary, and both may answer queries and share the load. The secondary keeps a mirror of the primary's zone data through zone transfers (full AXFR or incremental IXFR), so as devices are added to the intranet the person responsible for DNS entries creates records only on the primary, and the transfer mechanism updates the secondary. Zone transfers should be restricted to the addresses of the secondaries, since an open transfer hands any requester a complete inventory of the zone.

    The same precautions apply to policy servers, firewalls, and authentication servers.

  18. Gigabit Ethernet or 10 Gigabit Ethernet backbone links will be used between switches and routers.

    Position: The most popular and least expensive way to link LAN switches and routers together will be to use some type of Ethernet, at either Fast Ethernet (100 Mbps) or Gigabit Ethernet (1000 Mbps) speeds. Because Ethernet trunks are point-to-point links, Ethernet collision detection can be turned off and these backbone trunks will be able to run in full-duplex mode, effectively doubling bandwidth. While shared-media Ethernet with collision detection turned on cannot normally exceed 30% utilization without suffering reduced throughput, full-duplex Ethernet with collision detection turned off can routinely exceed 80% utilization before throughput begins falling off.


    The "duty cycle" associated with typical PCs or workstations is relatively light, i.e., workstation users don't come close to generating full wire speed traffic rates on all links simultaneously. Average traffic utilization on an access link (each with only a single user) is usually far below 10% during business hours. Thus it is reasonable to design the network so that the sum of the access links far exceeds the throughput of the backbone trunk serving the switch (otherwise known as "oversubscription"). Rather than switch capacity, the limiting factor at a desktop LAN switch is usually the speed of the trunk between the switch and the rest of the network (e.g., 100 Mbps for Fast Ethernet).

    With most workstations and servers utilizing dedicated, switched, Fast Ethernet links for network access, a single Fast Ethernet backbone link for each desktop switch/router may prove to be inadequate. Thus most desktop switches/routers will need the capacity of a Gigabit Ethernet link to the backbone.
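    The trunk-sizing argument above, as an added worked calculation (not part of the GSU standard): the 48-port switch, the 10% average per-port utilization and the 80% full-duplex saturation threshold are assumptions taken from the text's own rules of thumb, and the function generalizes the argument to any port count, port speed and trunk speed.

```python
"""Uplink sizing for a desktop switch under oversubscription.  Added example,
not part of the GSU standard; the port counts and utilization figures used to
exercise it are assumptions chosen to match the text."""
from dataclasses import dataclass

# The text's rule of thumb: a full-duplex point-to-point trunk runs well up to
# roughly 80% utilization before throughput starts to fall.
TRUNK_SATURATION = 0.80

# Candidate trunk speeds in Mbps: Fast Ethernet, Gigabit Ethernet, 10 GbE.
TRUNK_OPTIONS = [100, 1000, 10_000]


@dataclass(frozen=True)
class TrunkPlan:
    trunk_mbps: int
    oversubscription: float    # sum of access bandwidth / trunk bandwidth
    expected_load_mbps: float  # access bandwidth * assumed average utilization
    trunk_utilization: float   # expected load as a fraction of the trunk
    adequate: bool             # stays under TRUNK_SATURATION


def plan_trunk(ports: int, port_mbps: int, avg_utilization: float,
               trunk_mbps: int) -> TrunkPlan:
    """Evaluate one trunk speed for a switch with `ports` access links.

    avg_utilization is the assumed busy-hour average per access link, as a
    fraction (the text puts it well under 0.10 for single-user ports).  The
    figure is per direction: a full-duplex trunk carries each direction on
    its own wire pair, so inbound and outbound loads are not summed.
    """
    if not 0.0 <= avg_utilization <= 1.0:
        raise ValueError("avg_utilization must be a fraction between 0 and 1")
    access_mbps = ports * port_mbps
    expected = access_mbps * avg_utilization
    utilization = expected / trunk_mbps
    return TrunkPlan(
        trunk_mbps=trunk_mbps,
        oversubscription=access_mbps / trunk_mbps,
        expected_load_mbps=expected,
        trunk_utilization=utilization,
        adequate=utilization <= TRUNK_SATURATION,
    )


def smallest_adequate_trunk(ports: int, port_mbps: int,
                            avg_utilization: float) -> int:
    """The slowest standard trunk that stays under the saturation threshold at
    the assumed utilization; raises when no single link is enough."""
    for trunk in TRUNK_OPTIONS:
        if plan_trunk(ports, port_mbps, avg_utilization, trunk).adequate:
            return trunk
    raise ValueError("no single trunk is adequate; aggregate links or cut ports")


def headroom_utilization(ports: int, port_mbps: int, trunk_mbps: int) -> float:
    """Highest average per-port utilization a trunk tolerates before crossing
    the saturation threshold: the number to compare against measured MIB-II
    or RMON counters when the design is revisited."""
    return TRUNK_SATURATION * trunk_mbps / (ports * port_mbps)


if __name__ == "__main__":
    # A 48-port Fast Ethernet desktop switch at the text's ~10% average (assumed).
    for trunk in TRUNK_OPTIONS[:2]:
        p = plan_trunk(48, 100, 0.10, trunk)
        print(f"{trunk:>5} Mbps trunk: {p.oversubscription:.0f}:1 oversubscribed, "
              f"expected {p.expected_load_mbps:.0f} Mbps "
              f"({p.trunk_utilization:.0%} of trunk) -> "
              f"{'OK' if p.adequate else 'inadequate'}")
    print("max average per-port utilization tolerated on a GE trunk:",
          f"{headroom_utilization(48, 100, 1000):.1%}")
```

    With these assumptions a single Fast Ethernet trunk is 48:1 oversubscribed and would run at 480% of capacity, while a Gigabit trunk is 4.8:1 oversubscribed and runs at 48%; the Gigabit trunk stays adequate until the average per-port utilization exceeds about 16.7%, which is the threshold worth alarming on.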

  19. (RESERVED)

     

  20. Enhanced Category 5 (CAT5E) UTP will be used for horizontal cabling and for patch cables between cable termination points and network electronics.

    Position: Enhanced CAT5 is relatively inexpensive, easy to install, and more resistant to environmental abuse than either coax or fiber. An investment in CAT5E for horizontal installations will also provide ample bandwidth for the multimedia applications of the future, since CAT5E supports 10 Mbps Ethernet, 100 Mbps Fast Ethernet, and 1000 Mbps Gigabit Ethernet (1000BASE-T) over the same four pairs.

    When installing cabling to a potential end device termination point, a minimum of two 4-pair CAT5E cables is specified in the GSUNet2 documentation to each wall socket, in support of both voice and data requirements. Since the service delivered at a wall socket is determined by the network electronics it is patched to, a patch-cord change at the IDF lets any wall socket serve data or voice communications.

    There are a few minor exceptions to the use of CAT5E UTP:
    • Fiber optic or screened twisted pair cabling may be necessary to support horizontal cabling in places where EMI/RFI is extremely high.
    • Multimode fiber may be required to support horizontal cabling where the density of end devices is so low that it is more cost effective to pull the fiber over long distances (e.g., greater than 100 meters) from a single IDF to the devices than to establish multiple IDFs within the building.
    • Fiber, like coax, is too delicate for "exposed" use (i.e., areas where personnel access is not limited to those with keys to the wiring closet). Fiber-optic media and connectors are too fragile to be subjected to the wear and tear of plugging and unplugging at peripheral and desktop connections. However, the most important reason for avoiding fiber to the desktop or for horizontal wiring has to do with the choice and cost of equipment that can utilize fiber. Fiber-optic Network Interface Cards (NICs) and fiber media adapters for hubs and switches are at least twice the cost of copper twisted pair configurations. There are very few hubs or switches that support fiber to network end devices (e.g., 10Base-FL and 100Base-FX), and those few that are available are much more expensive.

  21. Multi-mode fiber optic cabling will be used for vertical cabling (MDF-to-IDF and IDF-to-IDF) within a building or campus to support data communications.

    Position: Fiber supports the distances and high bandwidths required for backbone communications both within a building and between buildings on a campus. In addition, fiber is immune to EMI/RFI and power surges (e.g., caused by lightning strikes) since it does not carry electrical current. Fiber-configured backbone ports on intelligent wiring hubs and LAN switches are widely available options. In addition, Gigabit Ethernet and faster links at backbone distances (beyond the 100 meter limit of copper) require fiber optic cabling.

    Fiber is relatively expensive, given the high cost of the labor involved for installation. The bulk of the cost, however, is in the switching equipment, where density is typically half that of CAT5 systems, and the per-port cost is usually twice that of comparable copper. The expense, though, is typically offset by the theory that - like CAT5 UTP to the desktop - it provides an "insurance policy" for future applications and bandwidth demands.
    There is an exception to using fiber as a best practice in vertical runs. When the vertical cable plant supports voice communications, unshielded twisted pair (UTP) is typically installed the whole way from the wall outlet to the MDF via intermediate punch-down blocks. For this application, CAT5 UTP is recommended as the cabling standard. As with many technologies, however, this depends on the voice communications equipment and product architecture of the chosen vendor.

  22. Dark fiber will be used to link campus buildings.

    Position: Where it is available and affordable, dark fiber is an excellent method for connecting a relatively small number of sites at very high speeds within a metropolitan area.

    A dark fiber network is very similar to running fiber within a building -- it has no framing, timing or bandwidth restrictions. This provides a great deal of flexibility in the types of protocols and standards run on the network and provides an easy upgrade path when greater speed is required. Sites linked with dark fiber are essentially establishing private LAN connections between these sites. With installation of multiplexers, dark fiber can easily support voice or video via separate channelized bandwidth. These fibers terminate on University-owned multiplexers, routers, or switches -- something with a fiber optic interface. Dark fiber is just an empty light pipe. All connections between pieces of fiber are passive connectors only. The link speed is determined by the CPE (customer premises equipment).

  23. Remote access to the campus computing resources will utilize the nearest point-of-presence (POP) of an Internet Service Provider (ISP) to access both the University network and the secure Virtual Private Network (VPN).

    Position: Internet Service Providers (ISP) provide the most reliable and cost effective means for remote users to connect to the campus network. ISP connection will be the only means provided for the campus Faculty, Staff, and Students.

    In the past, concerns of cost, availability, security and software licensing justified the University maintaining a direct dial-in support infrastructure for Faculty, Staff, and Students. Current technology, however, has all but eliminated the following issues:

    Security:
    The implementation of the Campus VPN server has provided a means of offering highly secure transmission of data across third party ISP networks. This method provides more security than a direct dial-in.
     
    Software Licensing:
    The implementation of the Campus VPN has provided users with the ability to connect through third party ISPs while still appearing to be an on-campus connection from a licensing standpoint.


  24. Turnkey Systems will be accessed only by authorized workstations using a packet filtering router or firewall.

    Position:
    Any limited-access host system housed in the Network Operations Center (NOC) main campus computing facility, which is not administered by University Computing and Communications Services staff, or for which access control capacity is limited, shall be considered a turnkey system. Access to these systems will be limited to authorized workstations only via use of a packet filtering router.

    Since University Computing and Communications Services personnel neither maintain these systems nor administer their access controls, their host-level security cannot be relied upon. To minimize the exposure of other host systems on campus to them, and of these systems to unauthorized access, access to them must be limited to authorized workstations only.

  25. Managed Access to and from all Edge Connected Networks will be conducted by the University.

    Position:
    In order to perform many of the functions required by the University, it is necessary to connect the campus network to other networks such as the Internet and Internet2. It is our position that while this is necessary, the University shall always maintain a control point to manage access to and from all edge connected networks.

    The control point will be a packet filtering router placed between the campus network and all edge connected networks. This gives the University the ability to allow or deny particular types of traffic (by address, protocol, and port) to and from these networks, and to shield the campus from unwanted or unintended traffic.
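    A first-match packet filter of the kind items 24 and 25 rely on, as an added example rather than GSU's router configuration. The addresses, the authorized-workstation subnet, the turnkey host and the public web server are assumptions. What it shows is the two properties a packet filter's rules are judged by: the implicit deny that drops anything no rule permits, and the order dependence that lets a broad permit silently shadow a deny written below it.

```python
"""First-match packet filter of the kind used as the control point in items 24
and 25.  Added example, not GSU's router configuration; all addresses assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "icmp", or "ip" (any)
    src: str                           # source network, CIDR notation
    dst: str                           # destination network, CIDR notation
    dport: Optional[PortRange] = None  # inclusive destination port range


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does one rule match the packet's protocol, addresses and port?"""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in _net(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _net(rule.dst):
        return False
    if rule.dport is not None:
        if pkt.dport is None or not rule.dport[0] <= pkt.dport <= rule.dport[1]:
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Router semantics: the first matching rule decides; no match means drop
    (implicit deny).  Returns (action, index of deciding rule or None)."""
    for idx, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, idx
    return "deny", None


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "ip" and outer.proto != inner.proto:
        return False
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    if outer.dport is None:
        return True
    if inner.dport is None:
        return False
    return outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers
    everything they match.  A shadowed deny is the classic mistake: the
    exception is written, but the broad permit above it wins every time."""
    return [i for i, rule in enumerate(acl)
            if any(covers(earlier, rule) for earlier in acl[:i])]


# Item 24: a turnkey host reachable only from the authorized workstations, and
# only on the one service port it needs (subnet, host and port are assumed).
AUTHORIZED_WORKSTATIONS = "10.1.20.0/24"
TURNKEY_HOST = "10.1.50.10/32"
TURNKEY_ACL = [
    Rule("permit", "tcp", AUTHORIZED_WORKSTATIONS, TURNKEY_HOST, (22, 22)),
    Rule("deny", "ip", "0.0.0.0/0", TURNKEY_HOST),
    Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),  # rest of campus unaffected
]
# The same three rules with the broad permit first: the other two never fire.
BROKEN_ACL = [TURNKEY_ACL[2], TURNKEY_ACL[0], TURNKEY_ACL[1]]

# Item 25: the edge control point, applied inbound from the Internet side.
# Only the published web service is allowed in; all other inbound is dropped.
PUBLIC_WEB_SERVER = "10.1.60.5/32"
EDGE_INBOUND_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", PUBLIC_WEB_SERVER, (80, 80)),
    Rule("deny", "ip", "0.0.0.0/0", "10.0.0.0/8"),
]
```

    Against TURNKEY_ACL, a TCP connection from 10.1.20.15 to the turnkey host on port 22 is permitted by rule 0, the same connection from 10.1.30.7 is denied by rule 1, and an authorized workstation trying port 80 is also denied, because only the one service port is opened. shadowed_rules(TURNKEY_ACL) is empty while shadowed_rules(BROKEN_ACL) reports both later rules, which is the check to run whenever an access list is edited. The filter matches on headers only; it does not see inside the permitted connections, which is why item 24 pairs it with limiting the set of authorized workstations.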

  26. Multicast Support will be added to the network architecture.

    Position: IP multicast allows for the deployment of applications that require the simultaneous transmission of data from a server to a large number of receivers, which minimizes the impact on available bandwidth and server resources.

    Because the enterprise LAN architecture is well-suited to multicast (e.g., it is based on switching and routing instead of shared-media LANs), deployment of multicast capabilities in routers (and where available, LAN switches) is advisable. Multicast is, in effect, a managed form of broadcast. In general, while minimizing broadcast traffic is desirable, there are specific uses where multicast delivers data with the lowest host and network impact. Unlike a standard broadcast, multicast data can be tunneled between endpoints and pruned by switches that snoop IGMP group membership, so that it is delivered only to stations that have joined the group. Presentations, training, and workstation management are all areas where multicast provides substantial benefit.

  27. PIM will be used for maintaining forwarding tables to forward multicast packets.

    Position: PIM provides the benefit of being routing-protocol independent and the ability to scale to support large enterprise networks.

    PIM dense mode serves networks in which group members are closely grouped, and PIM sparse mode serves networks in which members are spread across a wide area. PIM is currently the most widely deployed multicast routing protocol and is supported by router manufacturers such as Nortel Networks and Cisco.

  28. SNMP agents will support MIB-II variables in all network devices.

    Position: MIB-II variables, read from embedded or proxy agents and from packet-capture devices, are used to locate network faults for those devices on the locally accessible network.

    Enterprise-class network devices (hubs, routers, switches, wireless LAN access points, UPS systems, etc.) are nearly always equipped with SNMP agents that fully support MIB-II and vendor-specific MIB extensions.
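    To make concrete what a MIB-II poll looks like on the wire, the following added example (not code from the GSU standard or from any vendor) builds an SNMPv1 GetRequest for sysDescr.0 by hand and parses a constructed agent reply; the community string "public" and the reply text are assumptions. The point a security engineer takes from it is visible in the bytes: the community string travels in clear text in every datagram, so SNMPv1/v2c polling belongs on a management network with a non-default community, or on SNMPv3 with authentication.

```python
"""SNMPv1 GetRequest for the MIB-II object sysDescr.0, encoded and decoded by
hand so the wire format is visible.  Added example, not code from the GSU
standard or a vendor; the community string and the agent reply are constructed."""

# ASN.1 BER tags used by SNMPv1 (RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"  # MIB-II system group, sysDescr instance 0


def tlv(tag, payload):
    """Tag-length-value; short-form length below 128 bytes, long form above."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + payload


def encode_int(value):
    """INTEGER in the shortest two's-complement form."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(INTEGER, value.to_bytes(length, "big", signed=True))


def encode_oid(dotted):
    """OID: first two arcs fold into 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sid in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def decode_oid(raw):
    """Inverse of encode_oid, for the OID carried in a reply."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def read_tlv(buf, pos):
    """Return (tag, value, position just after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _message(pdu_tag, community, request_id, varbind):
    """SNMPv1 Message: version 0, community in clear text, PDU with one VarBind."""
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def build_get_request(community, oid, request_id):
    """What a manager sends to poll one MIB-II variable (value slot is NULL)."""
    return _message(GET_REQUEST, community, request_id,
                    tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b"")))


def build_get_response(community, request_id, oid, text):
    """A constructed agent reply, standing in for a real device."""
    return _message(GET_RESPONSE, community, request_id,
                    tlv(SEQUENCE, encode_oid(oid) + tlv(OCTET_STRING, text.encode())))


def parse_response(msg):
    """Unpack a GetResponse into (community, request_id, error_status, varbinds)."""
    _, body, _ = read_tlv(msg, 0)
    _, _version, p = read_tlv(body, 0)
    _, community, p = read_tlv(body, p)
    pdu_tag, pdu, _ = read_tlv(body, p)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = read_tlv(pdu, 0)
    _, err, p = read_tlv(pdu, p)
    _, _index, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid_raw, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        value = (val.decode("ascii", "replace") if vtag == OCTET_STRING else
                 int.from_bytes(val, "big", signed=True) if vtag == INTEGER else None)
        varbinds.append((decode_oid(oid_raw), value))
    return (community.decode(), int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), varbinds)
```

    build_get_request("public", SYS_DESCR_0, 1) yields the 40-byte datagram a manager sends to UDP port 161, and the substring "public" is plainly readable in it; parse_response on a constructed reply returns the community, request id, error status and the list of (OID, value) pairs. A management station that checks the community in a reply is only confirming that the sender knew a string every sniffer on the path also knows.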

  29. Proxy Agents will be installed.

    Position: Installing a proxy agent solves the lack of an SNMP agent and permits such devices to participate in the overall management framework.

    Legacy network equipment (PBX, TDM systems, etc.) often relies on proprietary network management systems. Most of these are command line interfaces, which require significant training to operate. Additionally, the lack of an SNMP agent generally turns these devices into management "dead zones," because no information about their status is available to the network management system.


  30. RMON probes will be used at all user network ports, core backbone elements, server network ports, and remote offices.

    Position: Status information can be retrieved from the edge devices, using MIB-II. However, the statistics obtained are raw counts of all traffic on the network segment or port. A more accurate method is to employ a RMON agent or packet-capture device that feeds a data-collection server.

    RMON probes may either be embedded in network devices (routers, hubs, switches, etc.) or be external devices that connect to the network through a switch or hub. RMON probes are more effective in managing remote sites, since the probes can collect data and forward it either periodically, or when a network event occurs.

  31. Embedded RMON probe will be used.

    Position: While continuous data capture is required for collecting usage statistics and SLA monitoring, not all network segments will require a high level of monitoring. In this case, the RMON probes embedded in most of the new LAN switches will be adequate for data collection.

    Embedded RMON probes also capture statistics for immediate analysis without disturbing the normal collection process. A good example is to monitor a non-critical LAN segment experiencing intermittent problems.

  32. External RMON probe will be deployed.

    Position: Either an embedded RMON agent, or an external agent, may be used to collect statistics pertaining to the network segment. Some vendors supply a complete solution consisting of management software and hardware agents that can be connected to the network where needed. These often prove to be a better solution than using the internal agents for the following reasons:

    • Operating the internal agent imposes a load on the managed device that may prove to be unacceptable in terms of network performance.
    • The internal agent is limited by the memory capacity of the managed device, in terms of how much data it may collect.
    • The external devices are optimized and extended to work with the management software supplied.

    Depending on the monitoring strategy chosen, significant amounts of data may need to be collected to adequately determine the cause of a particular problem. Also, if support for SLA monitoring is necessary, nearly continuous data collection will be necessary. External devices offer increased storage capabilities and can be set to transfer their data to the collection station at off-peak hours.

    The major drawback to an external device is the need to enable "port mirroring" on the local switch. Port mirroring copies the traffic of selected ports or VLANs to a single monitor port. Because the monitor port has the capacity of one link, mirroring both directions of a full-duplex port, or a whole VLAN, can exceed it, and frames are silently dropped from the copy; the copying itself also loads the switch. For both reasons most manufacturers recommend mirroring no more than a single port at a time.

  33. Software agents will be used for end-to-end performance monitoring.

    Position: Software agents allow performance management to be done from the client, through all network elements used by the client to the server. Agents may be used to generate synthetic transactions, as well as simply monitor actual traffic. Synthetic transactions test application response by exercising each component along the path to, and including, the server. Since this places a load on the server and the network, this technique must be used with caution to avoid creating unnecessary traffic loads.

    Active agents simulate a desktop and continuously issue "synthetic transactions," recording the elapsed time and success of these transactions. These are the most effective means of monitoring, since synthetic transactions will exercise all components of the network, the server, and the database engine.

    Agents may be either double-ended or single-ended. Double-ended systems rely on an agent at the server and on the client. The agent on the client sends a transaction to the agent on the server, which then responds. This tests the end-to-end response time of the client-server connection and gives an idea of server and workstation loading. It does not test the response time of the central database, since this is not interrogated.

    Single-ended agents are application-specific. That is to say, they are tailored to run against Oracle databases, SAP engines, etc. Transactions generated by these agents directly interrogate the application under examination, yielding a better overall picture of application response times.

  34. AntiVirus Software will be installed on all user devices.

    Position: Anti-virus software will be installed and operational on all Windows and Apple operating system devices attached to the GSU network either directly or remotely. Anti-virus software is also required on all email servers.

  35. Firewalls will be installed on user devices and critical server devices.

    Position: Software or hardware firewalls should be used to further protect user devices (desktops, laptops, PDAs) attached either directly or remotely to the Georgia State network.

    In addition, server devices should be evaluated to determine if the content should be considered critical and whether firewall devices should be placed in front of these devices as well.

    Hardware firewalls (both central and departmental) will be configured and managed by UCCS only.

  36. All devices will be configured to accept "PING."

    Position: The proper use of ICMP echo ("PING") is essential to the operation and management of the University network. All devices attached to the campus network must be configured to answer PING from on-campus devices. ICMP is rate limited at the campus edge, which limits its usefulness as a flood-based denial of service vector from outside the campus.

     

  37. All new systems and servers will be subjected to a security audit prior to network connection.

    Position: The prevalence of and speed of propagation of information security threats demands that initial reviews be done to determine existing problems or potential vulnerabilities that may impact the entire network.


Help:

If you have questions please contact the Help Center for assistance help@gsu.edu or (404) 413-HELP (4357).
