This document presents networking standards for the OUHSC campus. These standards have been developed by Information Technology – Infrastructure Services in cooperation with many colleges and departments at the Health Sciences Center.
Campus-wide standards can assure the best and most effective use of existing technology while developing strategies for long-term growth and continually phasing in newer technology as it becomes most cost effective.
Information Technology is responsible for the procurement, support, and maintenance for all networking equipment on campus unless specifically exempted by Information Technology leadership.
Any cable installed on the campus must be installed by Information Technology unless specifically exempted. In the event of new construction where cabling is included as part of the construction process Information Technology should be included in the discussion as soon as possible to ensure that the standards are being adhered to by the general contractor.
Any network equipment used for campus business must go through the campus product review process. This applies to all networking equipment even if it is not specifically mentioned in this standard.
1.1 Standard Goals
This standard has been developed to achieve the following goals:
- Provide a common foundation for meeting business and technology needs.
- Ensure technical system interoperability throughout the campus.
- Define requirements and technical specifications.
- Provide a technical resource to support the campus networking infrastructure.
- Simplify the technical decisions required to implement networking technology.
- Allow for standardized technology implementations throughout the campus.
- Provide a financial model that supports growth and lifecycle management.
This document specifies standards and design criteria for network devices and LAN protocols that connect to the OUHSC campus network.
Other documents should be referred to for desktop hardware and software standards.
Basic definitions of network types, hardware, protocols, and other items used in networking terminology are listed below. The definitions given are how the OUHSC campus defines each item.
2.1 Network Definitions
OUHSC provides an isolated section of the network that is utilized for approved affiliated entities to connect directly to the campus bypassing the border network. This network has several safeguards in place but entities connecting to this network are treated differently than entities connecting to the border network.
The campus backbone network consists of fiber-optic cable, routers, and switches that interconnect building LANs to the campus core and to the Internet.
The campus border consists of cable, routers, switches, firewalls, and intrusion prevention devices. The campus border is designed to connect the OUHSC campus to other networks and the Internet while providing safeguards that keep unwanted traffic out of the campus network and prevent data that should not leave the campus from doing so.
Internet Service Provider (ISP)
OUHSC leverages multiple providers for internet access. These providers supply the only approved internet access for the campus.
Local Area Network (LAN)
The campus LAN consists of cabling, switches, and sometimes routers that are used to pass digital information and to connect endpoint devices. A typical LAN is usually contained within a single physical building.
Transparent LAN (TLAN)
A transparent LAN achieves the same goals as a standard LAN but actual access is provided by a third party. Leveraging this technology allows remote locations to appear as if they were directly connected to the campus backbone.
Virtual Local Area Network (VLAN)
A virtual local area network is a single layer-2 network that is partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers.
Virtual Private Network (VPN)
Virtual private network connections are used to provide a permanent or temporary connection to a remote location. Temporary VPN connections can be utilized by OUHSC faculty, staff, and students to connect end user devices to the campus network and have the same experience as if they were on campus. Permanent VPN connections can be used by affiliates or outside agencies that require a connection to the campus to always be available.
Wide Area Network (WAN)
Wide Area Networks connect geographically distant networks together.
Wireless Local Area Networks (WLAN)
Wireless local area networks are similar in practice to LANs but utilize wireless access points instead of switches.
2.2 Hardware Definitions
A firewall is a software or hardware-based network security system that controls incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.
Intrusion Prevention System (IPS)
Intrusion prevention systems are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.
The core of the network consists of very high-end, redundant switches and routers. The hardware in the core is treated differently than hardware located within a building on campus. The core is where each building connects to the rest of the network. All other networks (border, affiliate, wireless, etc.) also connect to the core in order to pass traffic.
A network switch is a telecommunication device that receives a message from any device connected to it and then transmits the message only to the device for which the message was meant. Endpoints, additional switches, and wireless access points are a few examples of things that may be connected to a network switch.
Optical fiber taps use a network tap method that extracts a signal from an optical fiber without breaking the connection. Tapping an optical fiber allows some of the signal being transmitted in the core of the fiber to be diverted into another fiber or a detector. The university uses these taps to send a copy of the traffic to logging devices so that the traffic is not slowed in transmission while it is inspected.
Point of Presence (PoP)
Each building on campus typically has a demarcation point where it connects to the campus core. This point is referred to as a “PoP” within each building.
A router is a device that forwards data packets between computer networks, creating an overlay internetwork. A router is connected to two or more data lines from different networks. When a data packet comes in one of the lines, the router reads the address information in the packet to determine its ultimate destination. Then, using information in its routing table or routing policy, it directs the packet to the next network on its journey.
Wireless Access Point (WAP)
A wireless access point is a device that allows wireless devices to connect to a wired network using Wi-Fi based on the Institute of Electrical and Electronics Engineers' (IEEE) 802.11 standards.
2.3 Protocol Definitions
Ethernet is a physical and a data link layer technology for connecting a number of devices to form a local area network, with protocols to control the passing of information and to avoid simultaneous transmission by two or more systems.
IEEE 802.11 Standard
IEEE 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for implementing wireless local area network (WLAN) computer communication in the 2.4, 3.6, 5 and 60 GHz frequency bands. The specifications are created and maintained by the IEEE LAN/MAN Standards Committee (IEEE 802). The base version of the standard was released in 1997 and has had subsequent amendments.
An IP address is a unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.
Open Systems Interconnection (OSI) model
The Open Systems Interconnection (OSI) model (ISO/IEC 7498-1) is a conceptual model that characterizes and standardizes the internal functions of a communication system by partitioning it into abstraction layers. The model is a product of the Open Systems Interconnection project at the International Organization for Standardization (ISO). The model groups similar communication functions into one of seven logical layers. A layer serves the layer above it and is served by the layer below it.
Quality of Service
Quality of Service (QoS) is the ability of a network to provide better service to selected network traffic. The goal of QoS is to provide better and more predictable network service. QoS prioritizes traffic to ensure that mission-critical applications get the service they require, while simultaneously servicing other applications.
Service Set Identification (SSID)
An SSID is the name of a wireless local area network (WLAN). All wireless devices on a WLAN must employ the same SSID in order to communicate with each other. The university has multiple SSIDs established for very specific purposes. In order to configure your endpoint device to connect to the campus wireless network, please contact the IT Service Desk.
Transmission Control Protocol/Internet Protocol (TCP/IP)
TCP/IP is the basic communication language or protocol for the exchange of information between devices that connect to the campus network.
Voice over Internet Protocol (VoIP)
VoIP is a technology that allows telephone calls to be made over computer networks. VoIP converts analog voice signals into digital data packets and supports real-time, two-way transmission of conversations using Internet Protocol (IP).
3.1 Hardware standards
As stated in the standard goals, all network equipment is procured, supported, and maintained by the campus Information Technology department. Information Technology is also responsible for the lifecycle management of all network equipment. The technology refresh project is funded through the monthly employee connectivity charge that is billed to each department.
Access Layer Switches
These are the switches, typically located in the buildings on campus, that computers, printers, and other devices use to connect to the network. These switches typically provide Ethernet-based connectivity of up to 1Gbps to endpoints. Access layer switches are usually connected to the point of presence in each building via a 10Gbps fiber connection.
The network core switches are chassis-based, high-performance switches configured in a redundant fashion. The switches will have multiple 10Gbps connections (when available) to each building on campus. These switches will have routing engines enabled, making them the central point of routing for the campus. These switches will have multiple redundant 10Gbps connections to the border network.
Firewalls are to be installed at the campus border and data center edge with a “default deny” rule in place. If firewall ports need to be opened to permit specific traffic, a request must be opened with the service desk. The firewalls are installed in a redundant fashion with multiple 10Gbps connections to the campus core. Physical firewalls installed anywhere else on campus are prohibited unless exempted by the information security department. Host-based firewalls may be deployed by departmental IT staff as long as the campus IT systems that certify our compliance are permitted access.
Intrusion Prevention Devices
IPS appliances are installed at the campus border and inspect all traffic in and out of campus unless specifically exempted by Information Security. These appliances are configured with a basic rule set approved by Information Security and are configured to immediately drop traffic that is detected as malicious.
Point of Presence Switches
The building PoP switches are generally more robust and redundant than the access layer switches. These switches are responsible for connecting and delivering network service to an entire building. Ideally each building PoP will have dual 10Gbps connections to the campus core. When available, the redundant connections will take different paths into the building. These switches will be connected to the core using a “Layer 3” (routed) connection. The various VLANs for the building will also be provisioned from these switches.
The campus border routers are configured with multiple redundant 10Gbps connections to the campus core and to the campus ISP. External affiliate connections may also be connected to the campus border routers if approved by Information Security. Routers installed anywhere on campus are prohibited unless exempted by the information security department.
Wireless Access Points
Departments requesting wireless connectivity can order this service through the IT Service Desk. If this is an initial purchase, there will be a one-time charge for the purchase of the access point and associated cabling. These access points will be owned by Information Technology but purchased by the department requesting access. If the access point needs to be replaced due to failure or as part of a lifecycle refresh, the department is responsible for purchasing a replacement access point specified by Information Technology.
3.2 Cabling Standards
As stated in the standard goals, any structured cable installed for the purpose of data transmission should be ordered and installed through Information Technology.
Any new Ethernet cable installed on campus will be Category 6 rated at a minimum. Existing Category 5 cables can still be utilized in non-refreshed locations but can only support speeds up to 100Mbps.
Fiber installed on campus will be either single-mode or multi-mode depending on the purpose of the installation.
Information Technology reserves the right to remove any equipment attached to the campus network that may be causing problems or present a potential threat to the confidentiality, integrity, or availability of campus resources.
The overall reliability of the HSC Network is the responsibility of IT Infrastructure Services. Every college, department, and customer is responsible for meeting standards that will help ensure this reliability.
Date last revised: 1/10/2015