Minutes of September 11, 2008 ITAC-NI Meeting
Link to ACTION ITEMS from meeting

AGENDA

CALL TO ORDER: This meeting was scheduled in CSE E507 at 1:00 pm on Thursday, September 11th and was made available via videoconference with live streaming and recording for future playback. Prior announcement was made via the Net-Managers-L list. The meeting was called to order by ITAC-NI chairman Dan Miller, Network Coordinator of CNS Network Services.

ATTENDEES: Twelve people attended this meeting locally. There were two attendees via Polycom videoconference, but there are no records of how many may have listened to the stream via a web browser using the web interface. Nine members were present: Dan Cromer, Erik Deumens, Tim Fitzpatrick, Stephen Kostewicz (via Polycom), Shawn Lander, Steve Lasley, Tom Livoti, Dan Miller, and Handsford (Ty) Tyler. Five members were absent: Charles Benjamin, Clint Collins, Craig Gorme, Chris Leopold, as well as the CLAS representative. Five visitors were present as well: Stan Anders, Dennis Brown (via Polycom), Todd Hester, John Madey and Dave Pokorney.

Viewing the recording
You may view the recording via the web at http://128.227.156.84:7734. Currently, you will need to click on the "Top-level folder" link, then the "watch" link next to the "ITAC-NI Meeting_11Sep08_12.45" item. This will likely be moved into the ITAC-NI folder shortly. Cross-platform access may not be available; on the Windows platform you will have to install the Codian codec.

Audio archive
An archive of audio from the meeting is available.

1) Approve prior minutes
Steve Lasley had noted several typos which he agreed to fix, but no other corrections or additions were offered and the minutes were approved without further comment.

2) ITAC subcommittee chairs will be meeting with the CIO Friday. Does the committee have any questions to relay?
Dan Miller asked if any of our committee members wished to provide input for tomorrow's meeting.
2-1) Will the ITAC Committee begin to meet again?

2-1-1) ITAC is to be re-formed and reactivated
Dan Cromer related that Dr. Frazier spoke on that matter at a recent Data Infrastructure meeting. Dan said that his intention is to continue with the various sub-committees and re-form/re-activate the IT Advisory Committee itself.

2-1-2) There is frustration over lack of communication
Ty expressed his desire for better communication from administration with IT people across campus. Dave Pokorney mentioned the IT Connections newsletter. Ty responded that this contained an Open Letter to UF OIT Staff, but was not addressed to the larger IT community. While Dave said he believes Dr. Frazier is currently spending his time setting up the very communications which Ty desires, Ty indicated his frustration over having had no word for such a long time. When Dan Cromer suggested that no news was good news, Ty responded that no news means you will find out what happened after it happens.

3) Continued discussion on Minimum Standards for Networking across campus
Dan Miller introduced the topic, saying the plan was to go through the list of major networking services and note how things are done in different places across campus.

3-1) A framework for discussion
Tom Livoti passed out copies of the new HealthNet Service-Level Objectives, which are available via the web from the HealthNet web site. Ty said this was recently developed and was roughly based on CNS's Wall-Plate Services Service Level Objectives document. It was decided that the committee would go through the HealthNet SLO document point-by-point and that the group would note differences/similarities between HealthNet and CNS as they went along.

3-2) Service provided

3-2-1) Desktop connections
Extending the local network is not allowed
HealthNet includes a caveat akin to the CNS Wall-Plate that end-users and local administrators cannot implement their own network infrastructure.

HealthNet provides ubiquitous PoE
Tom Livoti explained that PoE is available on every port on every closet switch. They are currently using PoE-AF (802.3af) but are looking at the proposed Enhanced PoE for the new Biomedical Sciences building in order to power the 802.11n Wireless Access Points (WAPs) that are planned there.

HealthNet VoIP/PoE/UPS implementation emulates the analog phone system
Erik Deumens asked about the advantages of PoE. Tom responded that this is needed to power VoIP phones and WAPs; without it, separate electrical runs would have to be made available for such devices. Ty mentioned that one of the advantages of the VoIP phones is that you can simply unplug them at one location and plug them in at another and things still work. Universal PoE supports doing that anywhere. Tom added that using a properly sized UPS in the closet with that makes for a more stable and manageable situation as compared to using individual power bricks for phones. In that fashion, phone service can be maintained even during brief power outages.

Handling unusual power needs
Dan Miller mentioned that clearly the newer WAPs have driven both HealthNet and CNS to look for more capable PoE solutions. There are other devices out there, however, that have even higher power requirements. Dan asked Tom if they had reserved the right to say no if someone has exceptional needs. Tom replied "absolutely." Ty said that if someone came to them with higher power needs than they can supply, then they would work with them to get a power injector. They would not change out the switches simply because a few folks had unusual requirements. Tom added that as PoE capacities grow over time, we may eventually have to begin looking at air conditioning the ceilings. A fully populated 30 amp box can cause an 8 degree C gain from the current running through the wires. We are way underneath those levels at this time, however.

HealthNet's handling of switch power budgets
Tom related that they know what the switch can handle and size the UPS to the maximum utilization of the switch. Different VoIP phone models have differing power requirements and they take that into consideration. There really are enough of the PoE devices, however, to cause problems. All their switches have 2800-watt redundant power supplies. Even in the HPNP building, which probably contains their most saturated switches, they have not seen more than 6-7 amps used out of the 20 amps available. That's on a 240-port switch with 80% phone utilization.

HealthNet's UPS implementation
Dan Miller asked if they utilized redundant UPSs. Tom responded that they utilize one UPS per switch. The UPS is plugged into emergency power (where available) and they plug the second switch power supply into commercial power. Tom said the power is fairly stable in the HSC area, and when it goes out it is usually because someone did something bad rather than because of an act of nature. VetMed tends to get hit by power problems more than the rest of them. Most (not all) of the buildings there now have emergency diesel generators. They try for a 45-minute run-time target on their UPS configurations, but actually get much better than that because it is spec'ed for a fully populated system.

HealthNet's port utilization densities
When asked by Tim, Tom replied that they use a lot of the Cisco Catalyst 4500 Series Switches because they have many very high density areas to cover, but they don't fill those chassis with cards, obviously. They average roughly 70% port utilization over 11,600 ports.

3-2-2) Server connections
Locally controlled switches are not allowed
Tim asked about standards for individuals wanting to run their own switch. Todd Hester said that CNS is not offering that service at this time. The only exception there is for the High Performance Computing (HPC) Cluster. Tom said that HealthNet maintains control of all switches. In high density locations such as machine rooms and the Communicore's Testing Center they dedicate a switch to the room, but it is still managed by HealthNet. Those switches are connected back to the main closet via fiber and are housed in locked cabinets.

Special exceptions do exist
There are situations, such as at the Cancer/Genetics building, where private locally managed networks are permitted. They have software, for example, that requires Windows 95 because the vendor doesn't want to go back to the FDA for approval. Those machines are on a private network that goes nowhere. Dan Miller said that this sounded very similar to the CNS exception for the HPC.

3-2-3) Core Network Support
HealthNet is moving to a 10 Gigabit core
HealthNet provides dual Gigabit network connectivity to each of their buildings and is moving to a 10 Gigabit core. They are eventually looking at 10 Gigabit to the building POPs. They have two pairs of core routers: one for Shands and one for HealthNet. Chris Stowe of Shands has been working with Chris Griffin of CNS on upgrading the links to campus so they are 10 Gigabit on either side. They want to move away from static routing to some dynamic format. They are looking at BGP, but ran into some issues which they are working through.

Network services across Shands facilities
HealthNet and Shands share fiber but not closets. There are some cases where a HealthNet installation supports both UF and Shands personnel, however; one example is the Orthopedics Institute. In other locations, if Shands predominates on a floor then Shands services that floor; if UF predominates, then HealthNet services the floor.

The Jacksonville connections
The network in Jacksonville is run completely by Shands. They are connected to HealthNet here via a DS3 line. That connection is made redundant by another DS3 passing through Lake City. Dave Pokorney mentioned looking into an FLR connection, but Ty said network cost sharing between Shands and HealthNet always makes such decisions complicated. They do have fairly frequent NAT and firewall issues that affect distance education between Jacksonville and here. The Jacksonville network is out of HealthNet's control and apparently out of the control of the Shands Gainesville network as well. Dan Miller said that the closest comparison that CNS has to the HealthNet Gainesville/Jacksonville situation is with the IFAS RECs, which involve 200 ports x 15 sites at best.

3-2-4) Supported Equipment and Infrastructure
Looking at Juniper Networks
Ty asked if CNS was looking into Juniper Networks. Dan Miller said that this was primarily on the FLR side. Dave Pokorney said that FLR is a member of The Quilt for bulk pricing on network implementations. FIU is looking at Juniper and the FLR lab tests Juniper equipment so they can address issues which may arise with participants utilizing that equipment. The University of Miami is another FLR member that utilizes Juniper. FLR works with many of the network vendors and Juniper is just one of those. Ty said they went through a major pricing and evaluation process with Juniper when looking at replacing their core boxes. The end result of that was that HealthNet decided to stick with Cisco for their core and not go with Juniper. Dan Miller said that CNS had looked at Juniper when replacing the Internet POP routers. The equipment was nice but it was quite expensive.

3-2-5) Network Malfunction Resolution
Help Desk situation at HSC
Dan Miller asked about the Help Desk situation at HSC. Ty said that over the years the number of calls coming in where somebody could actually do something over the phone had dwindled to almost none. Consequently, the two individuals who were answering those phones and not deployed in the field were laid off. A third person who did laptop setups was also laid off. There is going to be some more reorganization going on regarding telephone help, and Ty believes it will eventually morph into an all-in-one service desk where individuals would call for assistance on all sorts of issues, from scheduling AV equipment for pickup to a professor having problems with a presentation. They will accept work orders for things like printer installs, while supporting more immediate service for incidents causing "down-time".

HealthNet uses the Shands Help Desk
HealthNet uses the Shands Help Desk, however. There is a 24/7 phone line to call when network downtime occurs. During the day the technician on call will come, and at night they will page the technician. The frontline support for network problems is thus separate from that of other IT problems. HealthNet expects that the local provider out in the department has done appropriate troubleshooting to rule out the network.

Problem Resolution Procedures
HealthNet requires that users contact local IT support for assistance in determining if they have a network problem. Those personnel would then contact the Shands Help Desk if a network issue was involved. They have two status levels for problems: "Routine" and "Work Stoppage". IT personnel may use the "Work Stoppage" code word if the problem is deemed urgent. The Shands Help Desk utilizes the Remedy system to handle its trouble tickets.

3-2-6) Network Performance Monitoring
HealthNet's monitoring systems
Dan Miller asked if HealthNet's monitoring system generated 24/7 alerts, and Tom replied that it does. For most things HealthNet uses CiscoWorks and finds it works well. They also use Statseeker for looking at port utilization. The 24/7/365 operations staff monitor the alerts and make the decision on whether to page a network engineer. This would happen, for example, if a closet went down.

Access Points handled as "best effort"
Access Points are handled on a "best effort" basis by both HealthNet and CNS. Shands, however, handles those differently because they are using them for things like infusion pumps; those have a very high density with a 100% uptime requirement.

3-2-7) Network Upgrades
Renovations must pay for equipment
Dan Miller asked how it would be handled if a previously little-used area all of a sudden became filled with users and they requested ports in excess of current capacity, requiring another chassis. Tom and Ty said that if more electronics are required for a renovation, then the renovation is required to fund it.

3-2-8) Network Enabling Applications
HealthNet moving to BlueCat for DHCP
HealthNet is moving to BlueCat for DHCP. That will allow them to have more control over how IP numbers are distributed with the new zones which Avi Baumstein is creating. Shands is doing a version of this themselves. The BlueCat Proteus devices will be redundantly configured.

All DHCP at HSC is provided by HealthNet
Dan Miller asked whether they allow local units to handle their own DHCP. Tom said that they do not, though they do have a couple of legacy examples of that. Tom believes DHCP needs to be centrally handled.

All DNS at HSC is provided by HealthNet
Dan asked the same question about DNS, and Tom replied that they support dynamic DNS and handle all the DNS as well; they do not allow local admins to run DNS.

3-2-9) Security Services
Both HealthNet and CNS hand security off to their respective security groups.

3-2-10) Network Address Space Management
HealthNet IP allocation policies
Dan Miller asked if HealthNet has any guidelines on when they will grant new subnets or VLANs for various units and departments. The concept behind the zones they are developing is to provide the rules for VLAN assignment. HealthNet is moving to greater use of private IP space; since that is essentially free, they try to accommodate what people need. In server rooms they try to provide maskable blocks of address space.

HealthNet handling of address space ranges
Dan Miller asked if they try to divide up the various end-user groups into their own address space ranges and their own subnets. Tom replied that this is mostly done geographically.

3-2-11) Client Remote Access VPNs
HealthNet utilizes CNS for their VPN implementation.

3-2-12) Wireless Services
HealthNet provides two levels of wireless access
Tom explained that HealthNet provides two levels of wireless access. Their hnet-public access is equivalent to the CNS walk-up authentication. Anyone with a Gatorlink account may access this, and the traffic is not encrypted. Devices connecting will be scanned, and if problems are found the user will be pointed to resources for resolving those. The other type of access, hnet-secure, uses an 802.1X supplicant and is fully encrypted. Devices connecting here are managed devices and do not get scanned. Departmental IT staff are expected to keep those patched.

"A" radio usage at HealthNet
Dan Miller asked if they are installing the "A" radios. Tom replied that they have the capability (Cisco 1252 with "A" radios installed) and plan to make that active in those places which get "N".

VoIP over Wireless
HealthNet does VoIP over wireless in certain locations. In some cases it is used to overcome the difficulties of wiring certain locations. For cost reasons they do not want this service to get out of hand, however, and issue the caveat that it will get limited deployment.

Charge-back for wireless?
Dan Miller asked and Tom confirmed that there is currently no charge-back for high-density wireless. Dan wondered if they ever had issues with folks trying to avoid wired port charges by utilizing wireless. Ty mentioned that this problem is being discussed and solutions are being proposed. Currently wireless is funded out of the port charges. They have looked at ways to charge separately for wireless, but none of those solutions are easy; they don't want to have to add more staff so they can charge for wireless.

CNS deployment of WiSM and LAPs just starting
Dan Miller said that CNS is heading in the same direction as HealthNet with wireless. They are behind HealthNet in WiSM deployments with lightweight access points (LAPs). They are putting together a project plan to go back and remediate areas with legacy hardware. They have a standard which states they will not support VoIP over wireless in areas that are not LAP capable.

3-2-13) Voice Services
Discussion of these points had been handled earlier in the Desktop connections portion of the "Service provided" section.

3-2-14) Virtual Private Networks (VPNs) and Private WAN links
Site-to-site links
HealthNet is currently using Cox cable for some of their point-to-point connections. A 10 Mbps uplink is $350/month and a 100 Mbps uplink runs about $750/month. They have 3-4 outlying departments which are using this, and they have deployed VoIP in those areas as well.

3-2-15) Video Services
Video Services are provided outside either HealthNet or CNS Wall-Plate
Dan Miller said that this item is not covered in their Wall-Plate SLO as they left that to Video Services. Tom responded that this is what they did as well, but they included a statement to that effect in their SLO.

3-2-16) Connectivity for the High Performance Computing (HPC) Research Network
HealthNet providing HPC access at several sites
HealthNet is providing this for Cancer/Genetics and will likely do this at Biomedical Engineering and at the Pathogen Research Center (though they are going to connect back via the Cancer/Genetics building).

Research network is isolated
The key standard there is that the research network is separate from the production network, and the two join only at the research router at CNS so appropriate filters may be maintained.

3-3) HealthNet Organizational Chart

HealthNet VoIP system admins
Tim Fitzpatrick had some questions on the HealthNet Organization Chart. He wanted to know if the VoIP system admins listed entailed 2 FTE. Tom responded that this was a single FTE split 0.8/0.2 between the two individuals listed.

HealthNet phone assistants
Tim asked what the phone assistants did. Tom responded that they put phones together and deliver them. All the work on the network side is done before they are distributed. Tim said that they have found that the VoIP phones didn't require a separate person for on-going support.

HealthNet and Shands coordination
HealthNet coordinates closely with Shands, which has its own networking group under Chris Stowe. They have biweekly project planning meetings with the Shands group as well.

"Tariff" ports
Tim asked about "tariff" ports at HealthNet. Ty explained that these are ports which are leased rather than being charged on a per-port cost.

3-4) HealthNet SLO appendices
Tom mentioned that their SLO also includes information on the history and growth of HealthNet, the HealthNet funding model and how oversight is provided for the HealthNet group.

3-5) Summary discussion: HealthNet vs. CNS
Tim Fitzpatrick stated that when the HealthNet and CNS Wall-Plate SLOs are laid out side-by-side (see tables above) the similarities overwhelm the differences. He still feels it would be helpful to have Housing as a third column on that.
4) Future Topics for Consideration

4-1) Visit with Chuck Frazier
Tom and Ty mentioned that they would very much appreciate getting Dr. Frazier to an upcoming meeting. They would like to ask about the direction he will be taking and the goals of his planning processes.

4-2) Special printer IP range assignment request
Erik Deumens mentioned that he wanted to negotiate a means by which printers within an area would get a special private IP range that would sequester them better from the rest of the network so they couldn't cause problems for the network in general. He believed this might be something generally useful to others as well.

Several ranges have been assigned for various uses
Dan Miller mentioned that several ranges had been identified for different usages in the past. The 10.xxx.xxx.xxx space permits Internet access via NAT, the 172.xxx.xxx.xxx allocations were intended to be routed on-campus only and never leave campus, and the 192.xxx.xxx.xxx allocations were intended to be local.

Maskable ranges likely the best solution
Dan believed he would prefer to handle this by using the 10.xxx.xxx.xxx address space, but they could identify a maskable range and handle that via ACLs. Tom mentioned that this is what they are doing with their zones at HealthNet; there is one zone that does not route past the firewall, and all the printers will be on that. They are looking at basing that on MAC address; you then tell the BlueCat the zone you want that MAC address to reside in. That way the device is dynamically configured to the proper VLAN upon bootup. Even if the device is moved, it will still be placed in that same VLAN.

Request for standard or best practice development
Erik asked that some standard or best practice be developed for doing this under CNS Wall-Plate. Dan Miller said that they could look at that and perhaps get comment from the security group on that as well. Dan imagines they will still require that printers get patched and so forth, because that reduces the vulnerability.

4-3) Confusion over Domain Name Policy
Dan Cromer raised an issue for Chris Leopold. Chris had noted a disparity between Web Administration's "Domain Namespace other than ufl.edu" documentation and the CIO's Domain Name Policy. Namely, the former was more lenient in not requiring that non-UF domains be formally approved. It was suggested that Christine Schoaf might be invited to a future meeting to discuss that confusion.

Action Items
Next Meeting
The next regular meeting is tentatively scheduled for Thursday, October 9th.
last edited 22 October 2008 by Steve Lasley