Develop Product Network Infrastructure for Warren Center for General MotorsWord文档格式.docx
《Develop Product Network Infrastructure for Warren Center for General MotorsWord文档格式.docx》由会员分享,可在线阅读,更多相关《Develop Product Network Infrastructure for Warren Center for General MotorsWord文档格式.docx(9页珍藏版)》请在冰豆网上搜索。
LyleBrown.CCIE#3794
KPMGConsulting,LLC
UnderthedirectionofCiscoSystems
TableofContents
ProjectInitiation1
Goalsstatement1
Objectives1
ExecutiveOverview1
Concept1
Architecture3
Design4
GapAnalysis5
Security6
NetworkManagement6
Templates7
AppendixA
StatementofWork
AppendixB
ConceptforDevelopProduct
AppendixC
NetworkArchitectureforDevelopProduct
AppendixD
NetworkDesignSamplesforDevelopProduct
AppendixE
GapAnalysis
AppendixF
SecurityArchitectureforDevelopProduct
AppendixG
NetworkManagementArchitectureforDevelopProduct
AppendixH
RevisedArchitectureTemplateTT-?
?
ProjectInitiation
Goalsstatement
Thegoalofthiseffortistodefinealocal,managedandsecureNetworkInfrastructureforDevelopProductontheWarrencampusthatsupportsGM’sstatedbusinessobjectivesandrequirements.
Objectives
Specificobjectivestobemetinachievingthestatedgoalareto:
-DevelopaconceptualframeworkforDevelopProductontheWarrencampustobeusedasanetworkblueprintdocumentthatlinksstatedrequirements,withthearchitectureforthenetworkinitiative.Theinitialconceptistobepresentedwithintwoweeksofprojectinitiation.
-Conductanddocumenta“gapanalysis”todescribedifferencesbetweenthecurrent(planned)statenetworkandtheconceptualnetwork.
-DevelopaNetworkTopology(Architecture)andcorrespondingDesignTemplates.Thiseffort,whilefocusedonthelocalenvironment,willincludetreatmentsfor
-connectivitytoGM’sotherdesigncenters
-connectivitytosuppliers
-connectivitytoGM’scorporatenetwork,and
-dialincapability.
-DetaildiscussionsregardingNetworkManagementandSecurityimplicationsoftheDesign.
TheoriginalStatementofWorkandamendmentsareincludedinAppendixA.
ExecutiveOverview
Concept
GMhasimplementedacoherentplantointegratetheWarrenTechnicalCentercampusenvironment.Thephysicalsiteconsistsofseverallargebuildingsonasquaremilecampus.TheexistingplanistoconsolidateservicesinasingleDataCenter.Thisiseffectivelya24x7computerroomwhereserversarelocated.ThiscenterwillservicethelocalenvironmentaswellasregionalGMMegaCentersites.ThecurrentconceptistoGeographicallydistributeendusersites.EachbuildingorremotesiteistreatedasadistinctLANenvironmentoperatingatLayer2(switching).TheseGeographicallydistributedsiteswillbeinterconnectedviaLayer3(routing).Connectivitytoexternalentities–Internet,partners,etc.–areallowedthroughtheGMWANenvironment.
Thisenvironmenttreatsallusersatagivenlocationthesame.Thereisnomechanisminplacetofavoroneuseroveranother.Alltrafficismixedandaccessisshared.DevelopProductshasasetofrequirementsthataredifferentfromthegeneralpopulationthusrequiringspecializedtreatment.
WhileDevelopProductsisaglobalenterpriseandconnectivitymustbeestablishedwiththatinmind,therearearelativelyfewsitesontheWarrencampuswithveryhighconcentrationsofDevelopProductusers.ThiswillbecomeevenmoresoasrenovationandconstructionoftheVECbuildingiscompleted.Itisanticipatedthatupto12,000engineerswilloccupythatbuilding.Theengineeringaspectoftheenvironmentcausesdatavolumestobeverylarge.TransferofdatabecomestheprimarydriverforDevelopProduct.Concurrentwithdatamovement,simplicityandreliabilitybecomeveryimportantaswell.
TheDevelopProductNetworkConceptwascreatedfromaverygeneralsetofrequirementsfromDevelopProduct.Essentiallytheinitialsetofrequirementsincluded
-reducethenumberofdevicesbetweenaDevelopProductclientandhisprimaryserver
-reducethenumberofroutinghopsbetweenanyDevelopProductclient,includingglobalclients,andaDevelopProductserver
-minimizetheeffectsofroutingbyminimizingthenumberofLayer3devicestraversedinaconversation
-provideatopologythatwilldeliver50IOPS(1.6Mbps)toeachDevelopProductuser
-allowinterconnectivityforDevelopProductusersandtherestoftheworld
-describeaHighlySecuredenvironmentforthe“crownjewels”(Portfolio)
-describeatopologyinsuchafashionthatcomponentfailurewilldisplacenomorethan500users.
ThreeFunctionalenvironmentswillbeconstructedtosupportdistinctsetsofusers.Thisdoesnotprecludeaccessamongthem.Serverswillbedistributedamongtheseenvironmentsbasedupondataresidentonthem.ThecurrentLANdistributionisGeographical.ACampusAreaNetwork(CAN)interlinksthevariousbuildingsusingrouting,Layer3.EachbuildinghousesasingleLANenvironmentthatcommunicateswithothersviatheCAN.
AllserversfortheregionalMegaCenterarehousedinasingleDataCenterontheWarrencampus.ThisparticularbuildingalsohousesthemajorityoftheDevelopProductusers.
TheconceptistotreatDevelopProductasalogicalbuilding.BecausethemajorityoftheuserswillbehousedinthesamebuildingasDataCenter,itispossibletomoveserversfromtheGeneralPurposeenvironmentdirectlyintotheDevelopProductenvironment.Thisisdonetohelpabbreviatethedistancebetweenclientandserver.Layer3servicesarecollapsedintoasinglelayertominimizeroutingimplications.
DistinctenvironmentsaretobedevelopedforthetwosetsofDevelopProductusers.OneenvironmentisHighlySecuredandwillbeplacedbehindfirewallfunctions.Itwillbeadistincttopologythatislinkedto,butseparatefrom,theGeneralPurposeenvironment.ThesecondsetofuserswillutilizeatopologythatisintegratedwiththeGeneralPurposeenvironment.Whileitisintegratedwiththeexistingenvironment,theselectionofthepathbetweenclientandserverwillcausesegregationoftraffic.Itiscalledlooselycoupled.
TheconceptfortheHighlySecurednetworkisthesameasthatfortheremainderofDevelopProductexceptthatitisphysicallyseparatedfromtheothertwoenvironments.However,initiallyserverswillbeplacedinthesameLayer2environmentasclientsfortheHighlySecuredenvironment.TheonlytopologicaldifferencebetweenthetwoistheconnectionintotheoverallGMenvironment.ThisconnectionwillbethroughasinglefirewalledandcloselymonitoredconnectionfortheHighlySecuredusers.
TheconceptallowsthetopologytospanmultiplebuildingsontheWarrencampus.ConnectivitycanbethroughtheuseofdedicatedfiberorutilizetheexistingCAN.SmallclustersofeitherHighlySecuredorlooselycoupledDevelopProductuserscanresideontheexistingnetworkandretainconnectivitytothedesiredenvironment.Inthecaseoflooselycoupledtherearenospecialconsiderationsthatmustbemade.Accessisallowedthroughnormalrouting.TheremustbespecialconsiderationsintheHighlySecuredenvironmentthough.Someformofauthenticationandauthorizationmustbeimplemented.ThiscanbeaccomplishedthroughtheuseofVPNtechnologyorsomeimplementationofusername/passwordtechnology.
WANconnectivityisnotspecificallyrequiredforeitherthelooselycoupledortheHighlySecuredenvironmentsatthistime.Theconceptdoesnotprecludethistypeofaccess.Remote,evenglobal,usersretainthecapabilitytoaccessbothenvironmentsthroughexistingtopology.
TheConceptdocumentdevelopedisincludedinAppendixB.
Architecture
TheArchitectureconstructedfortheDevelopProductenvironmentreliesontraditionaldefinitionsofLANs.BoththelooselycoupledandtheHighlySecuredenvironmentsaredefinedtobehierarchicalinnature.Eachwillpotentiallyconsistofthreelayers–Access,DistributionandCore.
TheAccesslayerwillconnectclientdevicestothenetwork.ItwillbeLayer2Ethernetswitch.Ontheclientsideitwillsupport10/100Mbpsconnectionsand1000Mbpsconnectionsonthenetworkside.ItwillsupportmultipleLayer2environments–VLANs–foruserattachment.Thisdevicewillsupportboththeaggregationoftrafficonaport,Trunking,andtheaggregationofports,Channeling.TrunkingandChannelingwillbeimplementedonthenetworkside.
TheCorelayerwillbeusedtoconnectclientswithservers.Thiswillbearouted,Layer3,connection.Thisdevicewillbeaswitchwithroutingcapabilities.Itmustbecapableofsupportingalargenumberof1000Mbpsconnections,TrunkingandChanneling.TheintentoftheConceptistoconnecteveryAccesslayerswitchtoeveryserverataCoredevice.ThepurposeofthisistoreducetherequiredroutingcomponenttoasingledeviceconnectingthetwoLayer2environments.
DistributionlayersareallowedintheArchitecturetosupportscalingissues.BecauseofportdensityconsiderationsonCoredevices,itmaynotbepossibletoconnectclientsand/orserversthroughdedicatedports.InthesecasesaDistributionlayercanbeinsertedoneithersideoftheCoretoaggregatetrafficandprovidealogicalconnectiontotheCore.ThesedevicesareLayer2andmustsupportalargenumberof1000Mbpsconnections,TrunkingandChanneling.
Therequirementsforredundancyandthroughputdictatetheuseofmultiplepathsfromclienttoserver.WithinthenetworkthisisresolvedbytheimplementationofCiscoISLTrunkingandChanneling.Throughtheimplementationofstringentplanning,everyAccessswitchcanbedesignedtohavemultiple,loadbalancedLayer2pathstotheCore.Likewise,throughstringentplanning,serverscanhaveLayer2terminationsattheCore.Thiswi
升级会员 