Requirements and Challenges
The e-Government campus network is an independent network that carries services for government office buildings, campuses, and administrative organizations, and also supports the deployment of small- and medium-sized data centers. Compared with enterprise campus networks, the e-Government campus network can meet the following requirements:
- Separates the services of different departments while connecting different levels of the same department. For example, the network separates Provincial Department of Culture services from those of the Provincial Department of Transportation but connects the Provincial Department of Culture to the upper-level Ministry of Culture and lower-level municipal culture departments.
- Secures government applications and information through a comprehensive network security protection solution.
- Uses highly reliable convergence devices to enable mass terminal access.
- Provides differentiated QoS services to ensure data bearing quality of key services.
e-Government Campus Network Solution
The following features ensure that Huawei's e-Government campus network solution can meet customer requirements:
- Virtual Local Area Network (VLAN) and Multiprotocol Label Switching (MPLS) VPN technologies that enable service isolation
- Cluster Switch System (CSS) and intelligent stack (iStack) loop-free Ethernet technologies that enhance network scalability and reliability
- Level- and service-based QoS that ensures an optimal user experience for key government applications
- Comprehensive network devices that enable all-round security protection for terminals, intranet borders, and egresses
- WLAN deployment solution that enables office and visitor access through wireless networks
Figure 1: e-Government campus network solution architecture
Different Department Service Separation
Huawei’s solution separates different department services as follows:
- Creates independent VLANs for different departments.
- Connects departments' Local Area Networks (LANs) to the convergence switching devices in the campus network. These devices act as Layer 3 gateways to enable route mapping between the VLAN and the MPLS VPN.
- Uses the Metropolitan Area Network (MAN) Provider Edge (PE) devices in the campus network egresses to perform MPLS label switching for campus network data streams.
Figure 2: Vertical service isolation using the VLAN and MPLS VPN
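An added example (not Huawei's code or configuration): a Python check of a VLAN-to-VPN plan like the one described above, flagging cross-department route leaks and missing vertical links within a department. Gateway names, VLAN IDs, VPN instance names and route targets are hypothetical, and the model assumes standard MPLS L3VPN route-target import/export semantics.

```python
from itertools import combinations
from typing import NamedTuple

class Binding(NamedTuple):
    gateway: str        # Layer 3 gateway (convergence device)
    vlan: int           # department VLAN terminated on the gateway
    dept: str           # owning department
    vpn: str            # VPN instance the VLAN interface is bound to
    imports: frozenset  # route targets imported by the VPN instance
    exports: frozenset  # route targets exported by the VPN instance

def rt(*values):
    return frozenset(values)

# Constructed sample plan: all names, VLAN IDs and route targets are hypothetical.
GOOD = [
    Binding("ministry-gw", 110, "culture", "vpn-culture", rt("65000:110"), rt("65000:110")),
    Binding("province-gw", 110, "culture", "vpn-culture", rt("65000:110"), rt("65000:110")),
    Binding("city-gw", 110, "culture", "vpn-culture", rt("65000:110"), rt("65000:110")),
    Binding("province-gw", 120, "transport", "vpn-transport", rt("65000:120"), rt("65000:120")),
]
# Same plan with one mistake: Transportation also imports Culture's route target.
BAD = GOOD[:3] + [GOOD[3]._replace(imports=rt("65000:120", "65000:110"))]

def learns(a, b):
    """True if a's VPN instance installs routes exported by b's."""
    return bool(a.imports & b.exports)

def audit(bindings):
    """Return (leaks, gaps): cross-department exposure and missing vertical links."""
    leaks, gaps = [], []
    for a, b in combinations(bindings, 2):
        if a.dept != b.dept:
            # Two departments must not share a VPN instance on one gateway,
            # and neither may learn the other's routes, even in one direction.
            same_instance = a.gateway == b.gateway and a.vpn == b.vpn
            if same_instance or learns(a, b) or learns(b, a):
                leaks.append((a.gateway, a.vlan, b.gateway, b.vlan))
        elif a.gateway != b.gateway and not (learns(a, b) and learns(b, a)):
            # Levels of one department need routes in both directions.
            gaps.append((a.gateway, b.gateway, a.dept))
    return leaks, gaps

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(plan))
```

A one-way import is reported as a leak because it already exposes one department's prefixes to the other, even though return traffic would not route.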
Loop-free Ethernet Network
Huawei uses the CSS and iStack technologies to develop a Loop-Free Ethernet (LFE) network, in which devices are stacked or deployed in cluster mode, as follows:
Device stacking
- Two or more access layer switches are stacked using iStack technology.
- Two convergence layer switches are deployed in cluster mode using CSS technology.
- Two core switches are deployed in cluster mode using CSS technology.
When devices are stacked or deployed in a cluster and one device becomes faulty, another device automatically takes over its services.
Link convergence
The solution uses the Trunk technology to enable link convergence. When one link is faulty, traffic is automatically switched to other normal links.
Figure 3: Loop-free Ethernet network architecture
LFE technology enables e-Government campus networks to support mass terminal access and provides highly reliable services at the convergence and core layers. The LFE network is easy to deploy and needs only a few reliability protocols, which reduces the configuration and maintenance workload and minimizes the system fault rate.
Level- and Service-based QoS
The e-Government campus network applies end-to-end QoS policies on all network nodes, and devices dispatch services based on these policies. Access points remark 802.1p and Differentiated Services Code Point (DSCP) values to classify traffic, and other nodes dispatch services based on that classification. In most cases, devices dispatch services based on the Strict Priority (SP) policy, and on the Weighted Fair Queuing (WFQ) and Hierarchical QoS (HQoS) policies when needed.
Figure 4: Campus network QoS solution
Terminals, Intranet Border, and Egresses Security
The system uses the following security protection technologies and mechanisms:
Remote security: IPSec and Secure Sockets Layer (SSL) VPN
Border defense: Firewall, Intrusion Detection System (IDS), and Intrusion Prevention System (IPS)
Network supervision: Access Control List (ACL) traffic control; defense against Dynamic Host Configuration Protocol (DHCP) spoofing, Address Resolution Protocol (ARP) spoofing, and IP address spoofing attacks; ARP traffic control; DHCP traffic control; and MAC address table protection against capacity attacks
Access security: Network Access Control (NAC) and user and port isolation
Figure 5: Comprehensive security solution for e-Government campus network
WLAN Deployment
Attachment Circuit (AC) devices are deployed in the core layer of the campus network in active and standby modes. The AC manages Access Points (APs) and wireless users in a unified manner. AC devices include easy-to-manage plug-in ACs in core switches, such as the S9700 and S7700 series, and independent AC devices, such as the AC6605.
Huawei APs support self-adaptation of signaling channels and power, which facilitates wireless network deployment.
The solution provides a dedicated Service Set Identifier (SSID) for the visitor zone. Private VLAN mapping separates the visitor zone from the intranet.
Figure 6: e-Government campus WLAN deployment solution
Highlights
Easy deployment: Huawei APs support signaling channels and power self-adaptation, which simplifies network deployment.
Easy operation and maintenance: The solution centrally deploys ACs at the core layer. The eSight network management platform manages wired and wireless networks in a unified manner.
High reliability: The active-standby AC solution improves wireless network reliability.
High security: The visitor zone is separated from the intranet, enhancing system security.
Customer Benefits
Huawei’s e-Government campus network solution provides a wide range of end-user and customer benefits:
- Virtual service isolation and differentiated service bearing
MPLS VPN technology isolates services, cluster and stacking technologies improve switching capacity and enable multi-service bearing, and HQoS technology allows multi-service dispatching and ensures an optimal user experience.
- Integrated wired and wireless networks
Wired and wireless networks provide all-round network coverage for campuses. The network convergence layer integrates ACs, ensuring wired and wireless networks have the same performance, security level, and reliability.
- High network security
Huawei's NAC improves overall system security. The comprehensive terminal access control mechanism performs local and remote authorization and authentication for wired and wireless terminals.
- Flexible branch service deployment
The intelligent multi-service gateway AR G3 supports multi-service integration, including access, routing, switching, security, and voice services. Its various interfaces support flexible networking, which improves system scalability.
- Easy operation and maintenance
The solution supports unified network management and configuration-free device deployment, which simplifies system operation and maintenance and lowers Operating Expenses (OPEX).