Customer Case Study
Airport Uses Network Virtualization to Consolidate and Scale Operations
Flexible connectivity options and the ability to keep closed user groups isolated led Unique to design MPLS VPNs for Zurich Airport with Cisco Catalyst 6500

EXECUTIVE SUMMARY
Unique, operator of Zurich Airport
INDUSTRY
Transportation
BUSINESS CHALLENGE
• Offer reliable network service to all tenants on airport ground
• Meet increasing demand for client connectivity, be it wired or wireless
• Support airport operation applications with a highly reliable network
• Provide video transmission over a converged network
• Keep pace with data center growth and demanding cluster applications
NETWORK SOLUTION
• MPLS VPN to replace network-wide Layer 2 VLANs
• Multicast VPN (mVPN) for efficient multicast traffic distribution
• Catalyst 6500 Switches with Supervisor Engine 720-3BXL
• WLAN integration

BUSINESS CHALLENGE
Zurich Airport is located in the center of Switzerland and plays a distinct role in the European airport space. Unique is the operator of Zurich Airport and offers a broad service portfolio to about 180 other companies, which also reside on the airport. Zurich Airport offers work for about 20,000 individuals and transports around 18 million passengers per year.
Like many other enterprises, Unique faces the diverging business needs of providing the highest availability of operations while offering maximum flexibility to accommodate the ever changing needs of their business environment.
Airport applications like air-control and tower communication demand highest uptime and need to be separated from operations like baggage distribution, business administration, video surveillance, and public WLAN traffic. Besides airlines and other third parties, the airport also hosts conferences, exhibitions, and other events that require a very flexible architecture where network connections can easily be established and removed without affecting other groups.

NETWORK SOLUTION
The need for network virtualization—having multiple groups on the same physical network infrastructure, while keeping them logically separate to a degree that they have no “knowledge”
With the increasing number of clients in a VLAN, the level of broadcasts also increased. The impact of this could be seen in the higher CPU load of client and network devices as well as slower application performance. Spanning Tree, whose purpose is to provide a loop-free topology, inherently prevented multiple active paths between any two destinations in the network and therefore limited the available network bandwidth. Although this did not represent a limiting factor at the network edge, for the core of the network it could become a problem.
Troubleshooting large Layer 2 topologies required significant experience and often turned out to be time consuming.
In the event of a Layer 2 loop, loss of client connectivity occurred, and remote network administration could be affected.
In addition, an STP-related issue was likely to affect all closed user groups (if not the entire network) and therefore represented a significant risk for all businesses making use of the network.
Unique’s network was based on Alcatel Packet Engine switches, the majority of which operated in Layer 2 mode. Figure 1 shows the network layout. Customer networks were implemented using campuswide VLANs. Unique’s office network used Layer 2 switching at the access layer and Layer 3 switching at the core/distribution layer.
Figure 1. Old Layer 2-based Network
However, the implicit “desire” of a Layer 3 switch to switch between all networks in its routing table represented a challenge for the segmentation and closed-user-group requirements. Although access control lists (ACLs), policy-based routing (PBR), or overlay generic routing encapsulation (GRE) tunnels are possible approaches to segment traffic, the number of expected closed user groups and distribution zones are important factors to keep in mind. With an increasing number of closed user groups, the administrative/operational work would increase accordingly. A mistake in an ACL configuration in a single location could result in a “leak,” with the consequence that one group could access data from others. In case of a worm or virus, propagation across multiple groups could happen.
The network-addressing structure should be carefully considered when using ACLs or PBR. Although a smart choice of address ranges used per group can simplify the configuration significantly, it presents a drawback because the addressing of the end system often needs to be changed.
Making this change not only involves the network group within an organization but also the client/server administrators of individual closed user groups.
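To make the ACL approach discussed above concrete, here is an added example (not configuration from the case study; the switch name, VLAN numbers and address ranges are constructed) of two closed user groups kept apart with ACLs alone on a single Layer 3 distribution switch:

```cisco
! Hypothetical distribution switch "DIST-A" (example only; not Unique's configuration).
! Constructed addressing: group A 10.10.0.0/16, group B 10.20.0.0/16,
! shared services 10.250.0.0/24. Each group may talk to itself and to the
! shared segment; everything else is dropped and logged.
hostname DIST-A
!
ip access-list extended GROUP-A-IN
 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 10.250.0.0 0.0.0.255
 deny   ip any any log
!
ip access-list extended GROUP-B-IN
 permit ip 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.20.0.0 0.0.255.255 10.250.0.0 0.0.0.255
 deny   ip any any log
!
! Both SVIs live in the one global routing table; only the access-group
! line on each SVI keeps the groups apart.
interface Vlan110
 description Group A clients, distribution zone 1
 ip address 10.10.1.1 255.255.255.0
 ip access-group GROUP-A-IN in
!
interface Vlan120
 description Group B clients, distribution zone 1
 ip address 10.20.1.1 255.255.255.0
 ip access-group GROUP-B-IN in
```

Every other distribution switch that carries VLANs for these groups needs a copy of the same ACLs and the same `ip access-group` lines. An SVI added on another switch without its access-group line is forwarded by the global routing table with no restriction, which is the leak the text describes. The ACLs also hard-code each group's address range, so adding a subnet or renumbering a group means touching every switch, which is the addressing dependency noted above.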
Layer 3 VPNs
There are basically two types of VPNs related to Layer 3: IP Security (IPSec) VPNs and Multiprotocol Label Switching (MPLS) VPNs. While IPSec VPNs are mainly focused on encryption of point-to-point connections (or point-to-multipoint in the case of Dynamic Multipoint VPN), MPLS VPNs serve the need to form logically separated networks on a common physical infrastructure. This document exclusively relates to MPLS VPNs unless mentioned otherwise.
Service providers have made use of MPLS technology for several years. Most enterprises were not embracing it, mainly due to the lack of availability on LAN switches. Only carrier-class systems such as the Cisco 12000 Series Routers would satisfy the performance requirements in the enterprise space. With the introduction of MPLS VPN support on the Cisco® Catalyst 6500 Series Switches in late 2003, MPLS technology became affordable for enterprises at up to multi 10 Gb Ethernet speeds.
MPLS VPNs basically offer all benefits of the previously mentioned Layer 3 campus solution, with the additional benefit of segmentation as an implicit part of the technology. Therefore closed user groups are defined using different VPNs. These VPNs are transported independently over the core of the network using labels. The networkwide benefit is that any VPN can be configured to be present at any location in the network without any compromises in performance or network design.
Flexibility of network addressing is also addressed due to the fact that the user groups are completely autonomous. Each VPN makes use of its own virtual routing and forwarding (VRF) table. This can be viewed as a separate routing table for each VPN. Therefore addressing across VPNs is completely independent and can even be overlapping. If shared or common services (for example, Domain Name System, e-mail, and Internet access) are used, Network Address Translation (NAT) would need to be used on a per VRF basis.
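The per-VRF routing described above, as an added example that is not Unique's configuration (VRF names, VLAN numbers, AS number and all addresses are constructed). Two tenants use the same client subnet, each VLAN is mapped into its VRF on the PE, and MP-BGP carries the VRF routes to the other PEs. The last section shows the VRF-aware NAT form of IOS for a tenant that needs a shared service in the global table; whether a particular Catalyst 6500 software release switches that translation in hardware is an assumption not covered here.

```cisco
! Hypothetical PE / distribution switch "PE-ZONE1" (example only; not Unique's configuration).
! Constructed values: AS 65000, own loopback 10.0.0.11, peer PE 10.0.0.12.
hostname PE-ZONE1
!
! One VRF per closed user group. The route target decides which PEs import
! the group's routes; the RD keeps identical prefixes from different VRFs
! distinct inside BGP.
ip vrf TENANT-A
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
!
ip vrf TENANT-B
 rd 65000:20
 route-target export 65000:20
 route-target import 65000:20
!
interface Loopback0
 ip address 10.0.0.11 255.255.255.255
!
! Both tenants use 192.168.1.0/24. Each VRF holds its own table, so the
! overlap is not a conflict. "ip vrf forwarding" must come before the
! address: applying it to a configured SVI removes the address.
interface Vlan110
 description Tenant A clients, zone 1
 ip vrf forwarding TENANT-A
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan120
 description Tenant B clients, zone 1
 ip vrf forwarding TENANT-B
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! MP-BGP carries each VRF's routes as VPNv4 prefixes to the other PEs.
router bgp 65000
 neighbor 10.0.0.12 remote-as 65000
 neighbor 10.0.0.12 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.0.0.12 activate
  neighbor 10.0.0.12 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf TENANT-A
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf TENANT-B
  redistribute connected
 exit-address-family
!
! Shared services (constructed): DNS/e-mail at 10.250.1.0/24 behind a
! gateway 10.250.0.254 on transit VLAN 250 in the global table. Each VRF is
! translated to its own distinct address before leaving, so the two
! 192.168.1.0/24 networks never meet in the global table.
interface Vlan250
 description Transit to shared services, global routing table
 ip address 10.250.0.1 255.255.255.0
 ip nat outside
!
ip access-list standard TENANT-A-NAT
 permit 192.168.1.0 0.0.0.255
ip access-list standard TENANT-B-NAT
 permit 192.168.1.0 0.0.0.255
!
ip nat pool TENANT-A-POOL 10.250.10.1 10.250.10.1 prefix-length 24
ip nat pool TENANT-B-POOL 10.250.20.1 10.250.20.1 prefix-length 24
ip nat inside source list TENANT-A-NAT pool TENANT-A-POOL vrf TENANT-A overload
ip nat inside source list TENANT-B-NAT pool TENANT-B-POOL vrf TENANT-B overload
!
! Each VRF needs a route to the shared segment whose next hop is resolved
! in the global table ("global" keyword); without it the VRF has no path out.
ip route vrf TENANT-A 10.250.1.0 255.255.255.0 10.250.0.254 global
ip route vrf TENANT-B 10.250.1.0 255.255.255.0 10.250.0.254 global
```

`show ip route vrf TENANT-A` and `show ip route vrf TENANT-B` each list their own 192.168.1.0/24 without seeing the other's, and `show ip bgp vpnv4 all` shows the two prefixes side by side, told apart only by their RDs. A tenant that needs no shared service simply gets no NAT and no `global` route, and then has no path into the global table at all.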
Table 1 outlines the benefits and limitations of each solution.
Table 1. Comparison Chart of Design and Virtualization Solutions
TECHNOLOGY AND PRODUCT BENEFITS
While being separated from other parties, customers of Unique would span all over the airport grounds, requiring any-to-any connectivity. Although Layer 2 VLANs would suffer from scalability problems and a pure Layer 3 network could not offer scalable and secure separation, MPLS VPN as a technology turned out to be a well-suited solution. Performance, network robustness, and scalability needs could be addressed using this technology, which had proven to work in demanding service provider networks. Consolidating multiple networks represented additional operational and business benefits.
Each Unique customer would be put in a separate VPN. The customer, however, would not (need to) know about the underlying architecture. Any-to-any connectivity would be achieved using VRFs. Speed requirements would range from a few Mbps up to connections using multiple GE ports.
The Cisco Catalyst 6500 Series Switch with Supervisor Engine 720 could easily accommodate connectivity requirements like the following:
• Network access across multiple distribution zones (such as operations of Unique itself, customs, baggage claim, travel agencies, etc.)
• Internet access for Internet kiosks that are scattered throughout airport terminals
• Building automation such as badge readers, parking meters, air conditioning, etc. spread all over the airport and connected to a central operations center
• Airline networks to gates, lounges, and check-in infrastructure
• Integration of SITA airport infrastructure and connectivity to the global SITA network
• Video surveillance and x-ray scanners with multicast requirements
• Public WLAN (PWLAN) infrastructure covering all of the passenger area
Some of the customer networks would be local to the airport and have no need for external connectivity. Others, however, might need access from inside the network to the Internet (PWLAN, Internet kiosks, lounges). A third scenario would be represented by tenants that need to grant IPSec VPN access from the Internet to their network (for remote support of third-party applications such as SAP, etc.). Finally, the Unique network would also serve as a “transit” network for larger networks, where PE nodes not only offer connectivity to access switches but also learn routes from adjacent Layer 3 switches or routers with large customer networks behind them. An example of this is the use of inter-AS routing on redundant Gigabit Ethernet trunks that face the SITA airport hub. Over these links, individual VPNs from the SITA network could be connected to the MPLS VPNs on Unique’s side.
Although the Cisco Catalyst 6500 Series Switch with Supervisor Engine 2 could offer MPLS VPN support with the additional use of Optical Services Modules (OSMs), the Supervisor Engine 720 with integrated PFC3 introduced MPLS VPN support on LAN interfaces. All LAN ports in the system can make use of hardware-based MPLS forwarding (as PE or P router). Fabric-enabled line cards can make use of optional DFC3s, which increase performance by supporting switching local to the line card, satisfying the highest levels of performance in the enterprise space.
The rich options of interface types, as well as the density of GE interfaces, presented a nice fit for the core, distribution, and data center access layer.
Since servers of customers as well as Unique would be hosted in two physically separated data centers, high port density was a prerequisite. Also optional service modules like the Wireless LAN Service Module (WLSM) and Firewall Service Module (FWSM), or service carrier cards such as the SSC-400 and the IPSec SPA, positioned the Cisco Catalyst 6500 Series Switch to accommodate future security and client roaming needs in the network edge, data center, and (P)WLAN space.
PFC3B/3BXL and later support MPLS VPNs
PROPOSED DESIGN
The proposed design was to build a small MPLS core consisting of two Cisco Catalyst 6500 Series Switches equipped with Supervisor Engine 720BXLs acting as P routers. For each distribution layer zone, either a single or redundant Cisco Catalyst 6500 Series Switch (also Sup720-3BXL) would be placed acting as PE routers. The PE routers would also act as distribution-layer switches, terminating all user/customer VLANs and mapping these into the respective VPNs. In the data center, the Cisco Catalyst 6500 Series Switches would also be used as access-layer switches for servers to accommodate the increasing demand of 10/100/1000 Ethernet interfaces.
Figure 2. Proposed Design with Two MPLS P Routers and Adjacent PE Routers
“Unique operations” was then migrated to the new network as a first customer, still residing in the global routing table. For this migration the Unique VLAN in the old Layer 2 network was connected to a Cisco Catalyst 6500 Series Switch, which acted as a (default) gateway to the new subnets created for each distribution zone. This part of the migration was done in multiple steps, since the whole access layer infrastructure also had to be replaced. Although this process took some time (Unique itself employs close to 1500 network users), this change offloaded the old Alcatel network significantly.
The next step was to add the MPLS configuration to the core and distribution switches. The addition of label-switching infrastructure did not cause any traffic disruption of the Layer 3 campus network, since forwarding in the global routing table would still continue. This way, the infrastructure to accommodate VPNs could be introduced in a smooth, nondisruptive manner.
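The core side of the step just described, as an added example rather than Unique's configuration (hostnames, addresses and interface numbers are constructed): the P router already runs the IGP for the Layer 3 campus, and enabling LDP on its core links adds label switching alongside the existing IP forwarding, which is why the global routing table keeps working while the change goes in.

```cisco
! Hypothetical P router "CORE-1" (example only; not Unique's configuration).
! Constructed values: loopback 10.0.0.1, OSPF process 1 area 0,
! 10 GE links to CORE-2 (10.0.1.0/30) and to the zone-1 PE (10.0.1.4/30).
hostname CORE-1
!
! Labels are distributed with LDP. Binding the LDP identifier to the
! loopback keeps LDP sessions stable when a physical link flaps.
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! "mpls ip" on a link is the whole change per interface; IP forwarding
! over the link continues as before.
interface TenGigabitEthernet1/1
 description to CORE-2
 ip address 10.0.1.1 255.255.255.252
 ip ospf network point-to-point
 mpls ip
!
interface TenGigabitEthernet1/2
 description to PE-ZONE1
 ip address 10.0.1.5 255.255.255.252
 ip ospf network point-to-point
 mpls ip
!
! The IGP must carry every PE loopback as a /32. A summarised loopback
! route breaks the end-to-end LSP that VPN traffic will later ride on.
router ospf 1
 router-id 10.0.0.1
 passive-interface Loopback0
 network 10.0.0.0 0.0.255.255 area 0
```

The PE gets the same `mpls label protocol ldp`, `mpls ldp router-id` and `mpls ip` lines on its core-facing uplink. `show mpls ldp neighbor` confirms the session to each adjacent router and `show mpls forwarding-table` shows a label for every loopback /32 learned via OSPF. No VRF configuration lives on a P router; it only switches labels between PEs.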
Figure 3. Clients of Different VPNs Distributed Across Access Switches
Check the Solution Reference Network Design guides under http://www.cisco.com/go/srnd
Cisco Systems, Inc. All contents are Copyright © 1992–2006 Cisco Systems, Inc. All rights reserved.
A first test VPN was then created, and tests for that VPN were performed. It became apparent that the migration of customers into their respective VPN would be a straightforward task. Customers running legacy applications (non-IP or not supporting Layer 3 IP networks) were chosen to be migrated last. Clear guidelines on application requirements and migration timeframes were given to the customers several months in advance.
With this, all customers residing in either entirely separate networks or in a VLAN on the Alcatel infrastructure would get migrated bit by bit.
Also the Unique operations network was then put into a dedicated VPN.
The video surveillance solution from VisioWave (acquired by GE Security) as well as the X-ray equipment represented two special types of client VPNs. These VPNs would make heavy use of multicast. While multiple video streams would need to be viewable in multiple locations, the X-ray application also asked for live distribution of X-ray data to a central operations center. Although the previous network was not designed to meet large multicast requirements, multicast VPN (mVPN), an extension to MPLS VPNs, allowed an efficient transport of multicast traffic across an MPLS core.
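The mVPN extension mentioned above, as an added example that is neither Unique's nor VisioWave's configuration (VRF name, group addresses and interfaces are constructed). The PE builds a default multicast distribution tree (MDT) in the core for the video VRF and switches busy streams to per-stream data MDTs, so cameras viewed in several zones are replicated in the core instead of being sent once per viewer.

```cisco
! Hypothetical PE "PE-ZONE1" additions for a multicast-heavy video VRF
! (example only). Constructed values: core RP 10.0.0.1 (CORE-1 loopback),
! default MDT group 239.232.0.1, data MDT pool 239.232.1.0/24,
! RP inside the VRF 172.16.0.1.
hostname PE-ZONE1
!
! Multicast routing is needed twice: in the core (global) to carry the MDT
! tunnels between PEs, and inside the VRF for the customer's own groups.
ip multicast-routing
ip multicast-routing vrf VIDEO
ip pim rp-address 10.0.0.1
!
ip vrf VIDEO
 rd 65000:30
 route-target export 65000:30
 route-target import 65000:30
 ! All PEs with this VRF join the default MDT; it carries control traffic
 ! and low-rate streams. A stream above 1 kbps moves to its own data MDT so
 ! that only PEs with interested receivers get it.
 mdt default 239.232.0.1
 mdt data 239.232.1.0 0.0.0.255 threshold 1
!
! The loopback is the source of the MDT tunnel and must run PIM.
interface Loopback0
 ip address 10.0.0.11 255.255.255.255
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1
 description uplink to CORE-1
 ip address 10.0.1.6 255.255.255.252
 ip pim sparse-mode
 mpls ip
!
! Cameras, X-ray stations and viewing positions in this zone.
interface Vlan130
 description Video surveillance, zone 1
 ip vrf forwarding VIDEO
 ip address 172.16.1.1 255.255.255.0
 ip pim sparse-mode
!
ip pim vrf VIDEO rp-address 172.16.0.1
```

The VRF also needs the usual `address-family vpnv4` and `address-family ipv4 vrf VIDEO` sections under BGP, exactly as for any unicast VRF. On the PE, `show ip mroute vrf VIDEO` lists the customer's groups and `show ip pim vrf VIDEO neighbor` shows the other PEs as PIM neighbours reached through the MDT tunnel; on a P router, `show ip mroute 239.232.0.1` shows only the MDT group, since the core never sees the customer's multicast addresses.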
Figure 4. Detail on VLAN to VRF Mapping