UGA Network Equipment Standards
(Revised
IMPORTANT PREFACE: After performing an extensive due diligence assessment involving a number of networking vendors, EITS has chosen Foundry Networks as its network equipment standard for UGA's next-generation network and strongly encourages departments to purchase equipment from Foundry. It was chosen not only for price but also for the network and security features it offers. EITS has negotiated a 40% discount on all equipment purchases and a 37% discount on maintenance, which should remain valid for the next three years.
This document describes the required features of Ethernet network equipment, specifically layer-2 switches and layer-3 switches (high-speed routers), located in the core layer of the network, in the main wiring closet of a UGA building (technically called the main distribution frame or MDF, also referred to as the distribution layer of the network), or in internal wiring closets (called intermediate distribution frames or IDFs, also referred to as the access layer of the network). Whenever possible, these switches should be located in an MDF or IDF rather than in multi-user office or lab environments. These standards do not apply to hubs in an individual's office which connect multiple devices in that location to a port on network equipment in the IDF. The UGA Network Equipment Standards will be reviewed and updated annually (or sooner as warranted).
Modular chassis switches with redundant power supplies and hot-swappable modules are superior to stackable switches because they are more reliable and more easily expanded in terms of port capacity. Modular chassis switches have backplanes that interconnect all of the modules (or blades). These backplanes must have enough bandwidth capacity to allow all of the switch ports to operate at line speed; if backplane capacity is insufficient, the ports' maximum speeds will be reduced. The rule of thumb for backplane capacity is to sum the bandwidth capacity of every port on the switch and divide the result by two. If stackable switches are used in an IDF, it is best to use ones with the highest capacity to meet the port requirements rather than cascading switches with smaller port capacities (assuming that the higher-density switches have the backplane capacity to support the aggregate port capacity).
All networking equipment purchased for wiring closets should adhere to the features listed in this document. Existing network equipment that does not adhere to these standards should be replaced as quickly as possible (and no later than the fiscal year after these standards have been institutionally blessed). EITS Network Operations and Infrastructure (NOI) will schedule a consultation within two business days to review and certify all network equipment prior to purchase for use in wiring closets, to ensure that it meets the required specifications.
To schedule a consultation with EITS NOI staff, please fill out an EITS Web Request Form.
Functional Network Requirements
The following table lists the functional network requirements for each layer (C=core, D=distribution, A=access) and, where noted, whether a layer-three (L3) switch is required:
| Functional Requirement Description | Layers Required |
|---|---|
| IPv4 (RFC 1812 & RFC 2644) | C, D(L3) |
| IPv6 | C, D(L3) |
| OSPFv2 (RFC 2328) | C, D(L3) |
| OSPF NSSA (RFC 1587) | C, D(L3) |
| IPX | C, D(L3) |
| IPX RIP | C, D(L3) |
| AppleTalk | C, D(L3) |
| RTMP | C, D(L3) |
| Differentiated Services (RFC 2475) | C, D(L3) |
| Classification and marking of layer 4 traffic for timing-sensitive applications | C, D, A |
| VRRP per redundant, L2-connected building (RFC 3768) | C |
| Fully-redundant and fault-tolerant switch components | C |
| Sufficient backplane capacity for non-blocking frame forwarding | C, D, A |
| Wire-speed frame forwarding on all ports | C, D, A |
| MAC Bridging (IEEE 802.1D) | C, D, A |
| VLAN Tagging/Prioritization (IEEE 802.1p) | C, D, A |
| Virtual LANs (IEEE 802.1Q) | C, D, A |
| Multi-Link Trunking (IEEE 802.3ad) | C, D, A |
| 100BaseTX/FX Ethernet (IEEE 802.3u) | C, D, A |
| Flow Control (IEEE 802.3x) | C, D, A |
| 1000BaseSX/LX/ZX Ethernet (IEEE 802.3z) | C, D, A |
| Gigabit over Category 5 Wiring (IEEE 802.3ab) | D, A |
| AAA (RFC 2989) | C, D, A |
| BGP4 (RFC 1771, RFC 1745, RFC 1965, RFC 1997, RFC 2385, RFC 2439, RFC 2798, RFC 2842) | C |
| BOOTP (RFC 951, RFC 1542) | C, D, A |
| BOOTP/DHCP Relay (RFC 2131) | C, D(L3) |
| DVMRP V3 (RFC 1075) | C, D(L3) |
| IEEE 802.1x Authentication | D, A |
| IGMP (RFC 1812) | C, D, A |
| IGMP V2 (RFC 2236) | C, D, A |
| IP Forward Table MIB (RFC 1354) | C, D(L3) |
| NTP (RFC 1305) | C, D(L3) |
| PIM-Dense Mode (RFC 2362) | C, D(L3) |
| PIM-Sparse Mode (RFC 2117) | C, D(L3) |
| Radius (RFC 2865) | C, D(L3) |
| RIP V1 (RFC 1058) | C, D(L3) |
| RIP V2 (RFC 2453) | C, D(L3) |
| RSVP (RFC 2205, RFC 2206, RFC 2207, RFC 2208, RFC 2209, RFC 2210) | C, D(L3) |
| RMONv1 (RFC 1757 - Groups 1,2,3,9) | C, D, A |
| SNMPv3 (RFC ) | C, D, A |
| SNMP MIB II (RFC 1907) | C, D, A |
| SSH Version 2 | C, D, A |
| Syslog Support | C, D, A |
| TFTP (RFC 783) | C, D, A |
| Gigabit port mirroring | C, D, A |
| Secondary IP addressing on routed interfaces | C |
| VLANs based on non-standard subnet masks | C, D, A |
Functional Security Requirements
The following table lists the functional security requirements for each layer (C=core, D=distribution, A=access) and, where noted, whether a layer-three (L3) switch is required:
| Functional Requirement Description | Layers Required |
|---|---|
| Support central security policy enforcement capability, e.g., check the security baseline of any device connecting to the network and allow access only after the baseline has been verified (or place the device in a quarantine zone, as needed, containing remediation software that can be installed on it) | C, D, A |
| Work with UGA's AV provider to verify AV policy compliance | D, A |
| Provide a solution to allow for planned firmware update management in communications devices | C, D, A |
| Support anomaly-based network intrusion protection system (IPS) sensors by simultaneously mirroring all ports on the switch to the IPS sensor port | C |
| Trigger security ACL changes based on IPS detection | C, D, A |
| Identify network attacks and stop unknown/unauthorized traffic | C, D, A |
| Event and audit logging to Security Information Management System (SIMS) | C, D, A |
| Security Assertion Markup Language (SAML) information exchange between communications devices and SIMS | C, D, A |
| Per port flow data | C, D, A |