FUJITSU
FUJ00088557
Wide Area Network HLD
Commercial in Confidence

Document Title: HNG-X Wide Area Network HLD
Document Type: High Level Design (HLD)
Release: Not Applicable
Abstract: HNG-X Wide Area Network high level design. Provides WAN connectivity for support services and external companies. Excludes branch access connectivity.
Document Status: APPROVED
Author & Dept: Stephen Wisedale
Internal Distribution: As per review details
External Distribution: As per review details
Approval Authorities:
Name | Role | Signature | Date
Mark Jarosz | Systems Architect | |
Pat Lywood | Infrastructure Design | |
Note: See Post Office Account HNG-X Reviewers/Approvers Role Matrix (PGM/DCM/ION/0001) for guidance.
©Copyright Fujitsu Services Ltd (2009)
Commercial in Confidence
UNCONTROLLED IF PRINTED
Ref: DES/NET/HLD/0009
Version: V1.1
Date: 16/11/09
Page No: 1 of 54
0 Document Control
0.1 Table of Contents
0 DOCUMENT CONTROL
0.1 Table of Contents
0.2 Figures
0.3 Tables
0.4 Document History
0.5 Review Details
0.6 Associated Documents (Internal & External)
0.7 Abbreviations
0.8 Glossary
0.9 Changes Expected
0.10 Accuracy
0.11 Copyright
1 INTRODUCTION
1.1 Purpose of document
1.2 Readership
1.3 Scope
1.4 Assumptions
1.5 Risks
1.6 Dependencies
2 OVERVIEW
2.1 Cable and Wireless WAN
2.2 Live branch access
2.3 Support connectivity
2.4 Test connectivity
2.5 External connectivity
2.6 Inter-DC connectivity
3 REQUIREMENTS
4 DESIGN
4.1 Target Design
4.1.1 Support access 21
4.1.2 Test counter access 21
4.1.3 External Client access 22
4.1.4 Non-C&W connectivity 23
4.1.5 Clarification of handoff router LLD design responsibility 23
4.2 Access classes
4.3 Data Centre WAN presentation
4.4 Routing
4.4.1 WAN access methods
4.5 Internet Access
4.6 C&W CE router consolidation
4.7 Support networks
4.7.1 Support connectivity
4.7.2 Bracknell BRA01
4.7.3 Stevenage STE04
4.7.4
4.7.5
4.7.6 Belfast IRE11/IRE19
4.7.7 Lewes LEW02
4.7.8 Warrington WAR13
4.7.9 Solihull SOL10
4.7.10 Out-of-hours access
4.8 Test counter access
4.8.1 Test rig connectivity
4.8.2 Lewes LEW02 test rig networks
4.8.3 RDT rig in BRA01 and LEW02 34
4.9 External connections 36
4.9.1 Managed CPE refresh 36
4.9.2 External client tunnel termination
4.10 Summary of VPN requirements
5 MIGRATION
5.1 Inter-DC connectivity
5.2 Support connectivity
5.2.1 Out-of-hours support access
5.3 Test rig access
5.4 External connections
5.4.1 Post Office Limited
5.4.2 DVLA 41
5.4.3 Alliance and Leicester 41
5.4.4 E-pay
5.4.5 Streamline (Debit Card)
5.4.6 CAPO (EDS), LINK and MoneyGram
5.5 Retirement of Zergo hardware encryption devices
6 DESIGN CONSTRAINTS
6.1 Device naming
6.2 Traffic engineering
6.3 Resilience
6.4 Network cal
6.5 Network Protocols
6.6 IP addressing
6.7 Routing protocols
6.7.1 BGP
6.7.2 OSPF
6.7.3 VRRP
6.7.4 Static routes
6.8 Bandwidth requirements
6.9 Cable and Wireless VPN constraints
6.9.1 C&W IP Connect Direct QoS
6.10 Device deployment
6.10.1 Network Management
6.10.2 Routers
6.10.3 Switches (core sites and BRA01 interlink)
6.10.4 Network Time Source
6.11 Hardware requirements
7 NON-FUNCTIONAL REQUIREMENTS
7.1 Security
7.2 Availability and QoS
7.2.1 C&W IP Connect class of service
7.3 Service Level Agreements
Alliance and Leicester
E-pay
B CIRCUIT REQUIREMENTS
B.1 IRE11 and IRE19
B.2 Regional support sites
B.3 Post Office Limited
B.4 Streamline
B.5 Circuits for cessation on completion
0.2 Figures
Figure 1 Network Architecture
Figure 4 Target design — External access via C&W
Figure 5 Target design — Non-C&W external clients
Figure 6 Data Centre Access LAN physical
Figure 7 Generic WAN to data centre connectivity
Figure 10 RMGA LAN VPN access
Figure 7 Corporate LAN access
Figure 14 External client handoff - BGP routing
Figure 16 External client tunnel topology
0.3 Tables
Table 1 External connections
Table 2 Access classes
Table 3 C&W BRA01 consolidation
Table 5 Summary of C&W VPN requirements
Table 7 Bandwidth requirements
Table 8 Four centre operation - test link bandwidth requirements
Table 10 C&W VPN constraints
Table 11 Device Management Toolsets
Table 12 WAN hardware requirements
Table 13 Security requirements
Table 14 IPSec security requirements
0.4 Document History
Version No. | Date | Summary of Changes and Reason for Issue | Associated Change - CP/PEAK/PPRR Reference
0.1 | 18/05/07 | First draft |
0.2 | 05/06/07 | Changes identified at team group review |
0.3 | 07/06/07 | Draft for review |
0.4 | 12/07/07 | Complete revision - to use C&W network instead of FSBN |
1.0 | 09/08/07 | For approval |
1.1 | 16/11/09 | Revised to reflect changes during implementation |

0.5 Review Details
Review Comments by: 30/11/09
Review Comments to: Stephen Wisedale (PostOfficeAccountDocumentManagement)

Mandatory Review
Role | Name
Infrastructure Design | Pat Lywood
Infrastructure Design | Dave Tanner
Infrastructure Design | Dave Haywood
Architect | Mark Jarosz
SSC | Tony Little
Security | Tom Lillywhite
Business Continuity | Adam Parker
SV&I | John Rogers
RV Mig | Graham Jennings

Issued for Information — Please restrict this distribution list to a minimum
Position/Role | Name
Security & Risk Team | CSPOA Security
Programme Manager | Alan D'Alvarez
Applications Architecture | David Johns
System Qualities Architecture | Dave Chapman
Architect | Jason Clark
Security Architect | Jim Sweeting
Test Design | George Zolkiewka
Head of Service Management | Gaetan van Achte
Head of Service Change & Transition | Graham Welsh
Service Support | Kirsty Gallacher
Service Network | Ian Mills
Data Centre Migration | Geoff Butts
Integration Team Manager | Peter Okely
Testing Manager | Debbie Richardson
SV&I Manager | Sheila Bamber
Tester | Hamish Munro
RV Manager | James Brett (POL, JTT)
POL Design Authority | Ian Trundell (POL, via Document Control)
VI & TE Manager | Mark Ascott
Integrity Testing | Alan Child
Integrity Testing | Michael Welch
Core Services | Ed Ashford
Core Services | Andrew Gibson
Business Architect | Gareth Jenkins
Development | Graham Allen
Solution Design Architect | Sarah Selwyn
Software & Solution Design Developer | Stuart Honey
Service Manager - Retail and RMGA | Claire Drake
(*) = Reviewers that returned comments
0.6 Associated Documents (Internal & External)
Reference | Version | Date | Title | Source
PGM/DCM/TEM/0001 | 1.0 | 13/6/06 | Fujitsu Services Post Office Account HNG-X Document Template (DO NOT REMOVE) | Dimensions
ARC/NET/ARC/0001 | V0.7 | 04/10/07 | HNG-X Technical Network Architecture | Dimensions
ARC/SEC/ARC/0003 | V2.0 | 08/01/09 | HNG-X Technical Security Architecture | Dimensions
DES/NET/HLD/0008 | V1.2 | 13/11/08 | Data Centre LAN Design | Dimensions
DES/NET/HLD/0010 | V0.11 | 12/06/09 | Branch Router Network High Level Design | Dimensions
DES/NET/HLD/0014 | V2.0 | 28/07/08 | Branch Access HLD | Dimensions
Unless a specific version is referred to above, reference should be made to the current approved
versions of the documents.
0.7 Abbreviations
Abbreviation Definition
A&L Alliance and Leicester plc
AAQ Advanced Application QoS
AES Advanced Encryption Standard
AF Assured Forwarding
AS Autonomous System (BGP)
ASA Adaptive Security Appliances™ (Cisco Systems Inc)
BGP Border Gateway Protocol (routing protocol)
BRA01 Fujitsu site: Bracknell 01
BTL01 Fujitsu site: Bootle 01
C&W Cable and Wireless plc
CAPO Card Account at Post Office
CE Customer Edge [router] (MPLS)
CIS Corporate Information Services
CPE Customer Premises Equipment
DC Data Centre
DMZ Demilitarised Zone
DN Design Note
DR Disaster Recovery
DSCP Diff(erentiated) Services Code Point
DVLA Driver and Vehicle Licensing Agency
DWDM Dense Wave Division Multiplexing
EBGP Exterior Border Gateway Protocol
EF Expedited Forwarding
FSBN Fujitsu Services Backbone Network
GRE Generic Routing Encapsulation
HLD High Level Design
HSD Horizon System Helpdesk
HSRP Hot Standby Routing Protocol (proprietary protocol - Cisco Systems Inc)
IBGP Interior Border Gateway Protocol
IGP Interior Gateway Protocol (e.g. OSPF)
IMS Management Information Services
IP Internet Protocol
IP/MPLS Internet Protocol/Multi Protocol Label Switching
IPsec IP Secure
IRE11 / IRE19 Fujitsu site: Ireland 11 and Ireland 19
ISDN Integrated Services Digital Network
L2VPN Layer 2 Virtual Private Network (includes Pseudowire, PWE3, draft Martini & VPLS)
L3VPN Layer 3 Virtual Private Network (RFC2547bis)
LAN Local Area Network
LLD Low Level Design
MED Multi Exit Discriminator (BGP)
MIS Management Information Services
MPLS Multi Protocol Label Switching
MSFC Multi-layer Switch Feature Card™ (Cisco Systems Inc)
NAT Network Address Translation
NTP Network Timing Protocol
OCMS Operational Change Management System
OSPF Open Shortest Path First (routing protocol)
PE Provider Edge [router] (MPLS)
POP Point of presence
QoS Quality of Service
RDT Reference Data Team
RMG Royal Mail Group
RMGA Royal Mail Group Account
SAN Storage Area Network
SAS Secure Access Server
SDC01 Fujitsu site: Southern Data Centre 01
SNMPv3 Simple Network Management Protocol version 3
SSC System Support Centre
SSHv2 Secure Shell version 2
SSL Secure Sockets Layer
STE04 / STE09 Fujitsu site: Stevenage 04 and Stevenage 09
TCY01 / TCY02 Fujitsu site: Telecity 01 and Telecity 02 (TelecityRedbus group — collocation sites)
VLAN Virtual Local Area Network
VPLS Virtual Private LAN service
VPN Virtual Private Network
VRF Virtual Routing and Forwarding instance
VRRP Virtual Router Redundancy Protocol
WAN Wide Area Network
WGNO1 Fujitsu site: Wigan 01
www World Wide Web (Internet)
0.8 Glossary
Term Definition
802.1q IEEE standard for VLAN encapsulation (VLAN trunking)
0.9 Changes Expected
0.10 Accuracy
Fujitsu Services endeavours to ensure that the information contained in this document is correct but, whilst every
effort is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused)
sustained as a result of any error or omission in the same.
0.11 Copyright
© Copyright Fujitsu Services Limited (2009). All rights reserved. No part of this document may be reproduced,
stored or transmitted in any form without the prior written permission of Fujitsu Services
1 Introduction
1.1 Purpose of document
This document describes the Wide Area Network for HNG-X. The document describes the target design
with connectivity to two new data centres in Northern Ireland, and considers parallel operation and inter-
connection with the existing Horizon network. The document covers access for support locations and for
external connections but specifically excludes the branch access network.
1.2 Readership
This document is intended for design and operational staff involved with low-level design,
implementation and operation of WAN platforms or the development of service-specific solutions across
the WAN. The document may also prove useful for anyone that requires a high-level appreciation of the
WAN for HNG-X.
1.3 Scope
• WAN HLD will include wide area network capability in support of:
  o External client connections
  o Fujitsu support networks
  o Test environment
  o Inter-DC WAN (WGN01/BTL01 — IRE11/19 via C&W IP Select)
  o Migration
• WAN HLD will specifically EXCLUDE:
  o Branch Access Network HLD (WAN) — documented separately
  o Inter-DC LAN and SAN interlinks (IRE11 - IRE19 via dedicated DWDM) — documented separately
  o Data Centre LANs
  o Support centre LANs
  o External client LANs
1.4 Assumptions
VLANs provide adequate separation for differing traffic types and services.
The geographic extent of support access within Fujitsu Services is limited to the following sites:
• Bracknell BRA01
• Lewes LEW02
• Stevenage STE04
• Crewe CRE02
• Wigan WGN01
• Warrington WAR13
• Ireland IRE11
• Ireland IRE19
• Solihull SOL02
1.5 Risks
Resilience at IRE11 and IRE19 is provided through triangulation between sites. Diverse fibre routes will
be used for the DWDM service between the sites. There is a risk of a dual failure impacting the active
site if minimum spatial separation requirements are not adhered to.
1.6 Dependencies
2 Overview
The purpose of the Wide Area Network (WAN) is to provide connectivity for external clients, test rigs and
support access, along with inter-data centre connectivity for four data centre operation. This document
specifically excludes branch access which is the subject of a dedicated HLD (DES/NET/HLD/0014). Also
excluded is inter-data centre connectivity between the two Northern Ireland data centres as this is
included in the LAN HLD (DES/NET/HLD/0008).
The following diagram, taken from the Technical Network Architecture document (ARC/NET/ARC/0001),
provides a high-level view of the relationship of the WAN to other network areas.
[Figure 1 diagram: IRE1x Data Centre network tiers - Core Tier (high speed layer 3 switching between distribution tiers; connectivity between data centres), Distribution Tier (security: VPN, firewalls, IDS/IPS; IP routing; storage/SAN extension), Access Tier (Branch, Client, Post Office, Support and Remote Access) - with the Branch Wide Area Network, the RMGA-provided Wide Area Network, the Client, Post Office and Support networks, the Horizon network and the Wigan & Bootle data centres shown as peering arrangements]
Figure 1 Network Architecture
The existing Wide Area Network serving the Wigan and Bootle data centres makes extensive use of
layer 3 VPNs (L3VPNs) from Cable and Wireless. These VPNs will be extended to include the new data
centres for HNG-X. The two new data centres in Northern Ireland, IRE11 and IRE19, operate in an
active/DR relationship, although the network, particularly the WAN access tier, operates in an
active/active manner. In addition to operating in a four data centre configuration for the period of
migration, the network will need to support the dual running of Horizon with HNG-X as branches are
migrated across.
This document considers the target design, and an interim design to allow for four data centre operation,
along with migration towards the target design.
2.1 Cable and Wireless WAN
The WAN solution is based on the continued use of C&W for the WAN. C&W provide the RMGA
account with multiple MPLS layer 3 VPNs over which RMGA will build secure connectivity using IPSec
encrypted GRE tunnels as described later in this document.
2.2 Live branch access
Live branch access will continue to use the current live VPN which will be extended to include the new
data centres; IRE11 and IRE19. Branch access is described in the Branch Access HLD
(DES/NET/HLD/0014).
2.3 Support connectivity
Regional connectivity to the new IRE11 and IRE19 data centres is required from the following sites. These
are Fujitsu Services sites and the access is provided for Fujitsu Services staff to fulfil operational and
support roles. Access to IRE11 and IRE19 for all of these sites will be provided via a common 'RMGA'
VPN on the C&W network.
• Bracknell BRA01
• Lewes LEW02 - backup for BRA01 (test facilities and SSC DR)
• Stevenage STE04
• Crewe CRE02
• Wigan WGN01
• Warrington WAR13 — new site for Support teams moving from WGN01 and BTL01
• Ireland IRE11
• Ireland IRE19
¹ Current practice is that all firewall connectivity is managed by RMGA. Where corporate firewalls are used then a set of SLA/OLAs
need to be put in place to ensure RMGA meet their ISO 27001 contractual obligations.
2.4 Test connectivity
New test rigs will be constructed in IRE19 (LST, ST, RV Mig, SV&I and RV Acc.). Unlike Horizon, where
dedicated C&W VPNs are provided per rig, HNG-X test counter WAN connectivity will comprise a single
new 'test' VPN presented at the BRA01, SDC01, TCY02, IRE11 and IRE19 sites. Inter data centre
connectivity for test rigs will be provided using dedicated IPSec/GRE tunnels over the Support VPN
described in section 2.3.
2.5 External connectivity
The following external companies have WAN connectivity to Wigan and Bootle extended to include
IRE11 and IRE19.
• Post Office Limited (RMG)
• DVLA
• Alliance and Leicester
• CAPO (provided by EDS)
• E-pay
• VocaLink
• Streamline
• MoneyGram International
The following table summarises the services and connectivity requirements for external organisations:
Client | Service | Location | Primary/Secondary (DR) site | WAN provision | WAN link ownership/management | CPE ownership/management | WAN HLD: in/out of scope
Post Office Limited | Multiple applications (run by CSC) | Huthwaite | Dual primary | C&W IP Connect Direct | RMGA | RMGA | IN
Post Office Limited | Multiple applications (run by CSC) | Hounslow (Sungard) | DR | C&W IP Connect Direct | RMGA | RMGA | IN
Post Office Limited | EDG (DR) (run by CSC) | Maidstone | DR | C&W IP Connect Direct | RMGA | RMGA | IN
DVLA | n/a | Morriston, Swansea | Dual primary | C&W IP Connect Direct | RMGA | RMGA | IN
DVLA | n/a | Swansea Vale | Dual primary | C&W IP Connect Direct | RMGA | RMGA | IN
Alliance & Leicester | Network Banking | Carlton Park, Leicester | Primary | C&W IP Connect Direct | RMGA | RMGA | IN
Alliance & Leicester | Network Banking | Bootle | Secondary (DR) | C&W IP Connect Direct | RMGA | RMGA | IN
CAPO | Network Banking | Doxford | Primary | C&W IP Connect Direct | EDS | EDS | OUT²
CAPO | Network Banking | Washington | Secondary (DR) | C&W IP Connect Direct | EDS | EDS | OUT
E-pay | Electronic Top-up (mobile phones) | Kelting House, Basildon | Primary | C&W IP Connect Direct | RMGA | RMGA | IN
E-pay | Electronic Top-up (mobile phones) | Hornsby Sq, Basildon | Secondary (DR) | C&W IP Connect Direct | RMGA | RMGA | IN
VocaLink | Network Banking | Harrogate | Primary | MPLS | VocaLink | VocaLink | OUT
VocaLink | Network Banking | Leeds | Secondary (DR) | MPLS | VocaLink | VocaLink | OUT
Streamline | Debit card (online transactions) | | | X.25 | RMGA | Streamline | IN
Streamline | Debit card (file transfer) | | | ISDN2e | RMGA | Streamline | IN
MoneyGram Intl. | Money transfer | Minneapolis, USA | | Frame relay | MoneyGram | MoneyGram | OUT
MoneyGram Intl. | Money transfer (backup) | Minneapolis, USA | | ISDN2e | RMGA (local end only — not encryption) | RMGA | IN
MoneyGram Intl. | Money transfer (test access) | Minneapolis, USA | | Internet access (from BRA01)³ | RMGA (local access only — not encryption) | RMGA | IN
Table 1 External connections
² The WAN connectivity is out-of-scope as it is owned by EDS.
Those sites shown as out-of-scope for this document will be subject to client specific LLD and TIS
documents developed with the individual organisations.
In addition to the principal external connections above, there may be a requirement for miscellaneous
dial access and/or Internet access for the following:
• EMC - dial access for remote diagnostics
• Fujitsu-Siemens — dial access for remote diagnostics (Bladeframes)
• Alarmpoint - PSTN dial-out from data centres to SMC
• Outlet file feed to STE14 — requirement TBD
2.6 Inter-DC connectivity
Inter-DC connectivity (WGN01/BTL01 to IRE11/19) will be achieved using IPSec/GRE tunnels over the
Support VPN.
³ Internet access for MoneyGram Intl. will migrate to the proposed RMGA Internet Access solution when
available (for test rig access only).
3 Requirements
This document is based on requirements as described in the Technical Network Architecture and
Technical Security Architecture documents, along with support and test access requirements as provided
by individual support and test teams as described in the relevant sections.
All traffic is required to be encrypted across the WAN. Encryption will be provided either by the network,
using IPSec encrypted GRE tunnels, or at session level using SSL⁴. RMGA is only responsible for
encrypting traffic across devices under its control; this therefore excludes encryption of traffic for
MoneyGram Intl., CAPO and other clients that provide their own WAN connectivity.
⁴ SSL encryption will only be used for HNG-X counter application encryption as described in the Branch
Access HLD (DES/NET/HLD/0014).
4 Design
The general approach for the Wide Area Network is to extend the current Cable and Wireless WAN to
include the new data centres in Northern Ireland. The network makes use of L3VPNs (RFC2547bis)
between all sites (C&W IP Connect service). Access to the data centres will follow one of two basic
approaches:
• VPNs will be presented to directly connected handoff routers managed by RMGA within each site.
IPSec encrypted GRE tunnels will be used to carry encrypted traffic across the C&W provided
VPNs. This approach will be used for support users and external clients that use C&W VPNs.
• VPNs will be redistributed into OSPF at the CE router for routing to the access platforms. Traffic will
be encrypted within the application and does not require tunnels across the C&W VPNs. This
approach will be used for branch access, which is outside the scope of this document (see
DES/NET/HLD/0014) but is covered here for Test access.
The handoff routers, where used, will be low-end Cisco devices and will be deployed on a router-per-VPN
basis (VRFs may be used in some circumstances, such as support for test LANs). Encryption will be
AES256 unless otherwise defined.
Note that C&W impose a limitation of 30 VPNs maximum on each of the CE routers at IRE11 and
IRE19.
There are several external clients that require connectivity but do not use C&W VPNs; these are
described separately where the connectivity is owned and managed by RMGA.
4.1 Target Design
The target design has all services that are currently provided by the C&W IP Select network extended to
include the two new data centres in Northern Ireland.
The Horizon data centres at Wigan and Bootle operate in an active/active configuration. For HNG-X
however, the two new data centres in Northern Ireland will operate in an active/DR manner, with IRE11
as the normally active site. IRE19 will be used as a test facility under non-DR conditions. Although
applications and services from the data centres will operate as active/DR, the network will operate
active/active at all times.
Live traffic will be steered towards IRE11 under normal circumstances using BGP attributes. The local
CE router (and handoff router) will be preferred, and the path will be deterministic. Traffic will not be load
balanced across parallel paths. Test traffic will be steered towards IRE19 in a similar manner. Traffic
shaping will be provided to ensure that high volume test traffic does not adversely impact live traffic.
This is particularly important for VPNs terminating in SDC01/TCY01. Support staff will have connectivity
to either site.
Failure of data centre WAN equipment on the preferred path (local CE and/or local Handoff router) will
result in traffic re-routing via the equivalent router in IRE19 and the intercampus LAN. Failover will be
dynamic with convergence dependent on the routing protocol in use.
Invocation of DR is a manual process that will take up to two hours to conclude. Network failover to DR
does not need to be dynamic and will use scripting wherever possible to manage the changeover.
Note that the WAN design is based on Layer 3 connectivity in all cases. Layer 2 connectivity, including
Pseudowire (draft Martini L2VPN) and VPLS, is NOT supported by this network.
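As an added illustration of the BGP steering described above (not configuration from the HLD, RMGA or C&W), the following Cisco IOS fragment shows how an IRE11 handoff router could make the local CE the deterministic path for live prefixes while letting IRE19 win for test prefixes. It assumes the handoff router peers EBGP with the local C&W CE and iBGP with its IRE19 counterpart over the intercampus VLAN (as Figure 14 suggests); the AS numbers, prefixes and addresses are placeholders.

```cisco
! Added example (not the HLD's own configuration): IRE11 handoff router, live site preferred.
! Placeholders: AS 65001 = RMGA handoff routers, AS 64600 = C&W VPN; all prefixes/addresses invented.
ip prefix-list LIVE-DC seq 5 permit 10.10.0.0/16
ip prefix-list TEST-DC seq 5 permit 10.20.0.0/16
!
! Outbound towards C&W: live prefixes leave IRE11 with a low MED (preferred by the remote
! end); test prefixes get a high MED plus an AS-path prepend, so the equivalent advertisement
! from IRE19 wins for test traffic. The prepend is belt-and-braces in case the provider VPN
! does not carry MED through to the far CE.
route-map TO-CW permit 10
 match ip address prefix-list LIVE-DC
 set metric 100
route-map TO-CW permit 20
 match ip address prefix-list TEST-DC
 set metric 200
 set as-path prepend 65001 65001
!
! Inbound from the local CE: high local preference so the locally attached CE beats the same
! prefixes learned via iBGP from the IRE19 handoff router. Only when the local CE/handoff path
! fails does the IRE19 route (default local preference 100) take over, via the intercampus LAN.
route-map FROM-CW permit 10
 set local-preference 200
!
router bgp 65001
 bgp log-neighbor-changes
 ! No "maximum-paths": one best path is installed, so traffic is never load balanced.
 neighbor 192.0.2.2 remote-as 64600
 neighbor 192.0.2.2 description C&W CE router at IRE11 (placeholder address)
 neighbor 10.255.1.2 remote-as 65001
 neighbor 10.255.1.2 description IRE19 handoff router via intercampus VLAN (placeholder)
 address-family ipv4
  ! Data centre prefixes must already be in the routing table (learned via OSPF from the ASA side)
  network 10.10.0.0 mask 255.255.0.0
  network 10.20.0.0 mask 255.255.0.0
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 route-map FROM-CW in
  neighbor 192.0.2.2 route-map TO-CW out
  neighbor 10.255.1.2 activate
  neighbor 10.255.1.2 next-hop-self
 exit-address-family
```

The IRE19 handoff router carries the mirror image (MED 100 and no prepend for TEST-DC, MED 200 with prepend for LIVE-DC), so each class of traffic has exactly one preferred entry point under normal conditions.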
Connectivity to the new data centres is covered in the following sub-sections:
4.1.1 Support access
Support access has two forms:
• Access from RMGA workstations on dedicated RMGA LANs (also known as Red LAN).
• Access from Corporate LAN connected workstations.
Both access requirements will be met using a single C&W VPN. The Support VPN will be extended to
include the IRE11 and IRE19 data centres, along with any new sites introduced for HNG-X, over which
connectivity will be provided using dedicated IPSec encrypted GRE tunnels. Corporate LAN access will
traverse back-to-back firewalls at each end and all addresses between RMGA and Corporate will be NAT
translated.
4.1.2 Test counter access
Test counter access is the only requirement within the scope of this document to follow the branch
access model and does not require handoff routers. A single new C&W VPN will be used for test counter
connectivity.
4.1.3 External Client access
The following diagram describes access for external clients via the C&W network. In all four cases,
RMGA managed CPE routers are installed, and RMGA are responsible for WAN connectivity. Each
client will have its own dedicated C&W VPN that will be presented as a VRF on the IRE11 and IRE19
CE routers. In turn, this will be presented to dedicated handoff routers within the Access LAN via a
dedicated VLAN.
[Figure 4 diagram: IRE11 and IRE19 Access LANs, each with per-client handoff routers (1 per client) behind the C&W CE router; IPSec encrypted GRE tunnels between handoff routers over C&W L3VPNs (RMG shown, others similar); intercampus link between the two sites; client Access LAN out of scope - refer to LAN HLD]
Figure 4 Target design - External access via C&W
4.1.4 Non-C&W connectivity
The following diagram shows WAN connectivity for those third parties that do not use C&W VPNs for
access. Of these companies, Streamline is the only client for which RMGA is responsible for WAN
connectivity, requiring X.25 and ISDN access. All of the others are out-of-scope for this HLD.
[Figure 5 diagram: non-C&W external clients connecting to the IRE11/IRE19 Access LANs via per-client handoff routers; client Access LAN out of scope - refer to LAN HLD]
Figure 5 Target design — Non-C&W external clients
4.1.5 Clarification of handoff router LLD design responsibility
The WAN LLD will identify all handoff router requirements in the IRE11/19 data centres and provides a
template configuration to enable deployment to a state where the device can be managed. The WAN
LLD does not include VPN termination and IPSec/GRE tunnel configuration for handoff routers.
The individual component LLDs will arrange deployment of remote handoff routers (along with C&W CE
routers where necessary), and will determine the configuration for VPN termination along with
IPSec/GRE tunnels at each end. The component LLD will also define the creation or extension of the
associated C&W VPN to include IRE11 and IRE19 data centres, and will include management
connectivity to the remote site.
4.2 Access classes
There are four access classes:
Model | Service
Handoff router | RMG, E-pay, Alliance & Leicester, DVLA, RMGA-Horizon, RMGA LAN, CIS, IMS and Remote access via firewalls
Non-handoff router | Branch Access (out-of-scope for WAN HLD), Test rig connectivity
Special | Debit card (Streamline) and MoneyGram Intl.
Out-of-scope | CAPO, VocaLink, MoneyGram Intl.
Table 2 Access classes
4.3 Data Centre WAN presentation
The data centre WAN presentation utilises a single C&W CE router at each site. The CE router is owned
and managed by C&W. Each CE router has two LAN interfaces, one to each of the two Cisco 6513 WAN
access switches at each site. Each VPN is presented as a VRF on the CE router, and sub-
interfaces/VLANs on both LAN interfaces are present within each VRF. Resilience will be achieved
through triangulation with the CE router at the other data centre via common VLANs between the sites.
For support access and external connections, dedicated Cisco 2811 ‘handoff’ routers will be used.
Individual routers for each service (one per external connection) will be installed at each data centre
(RMGA Red LAN and Corporate access will share the same handoff routers and C&W VPN). Resilience
will be achieved through triangulation with the equivalent service-specific handoff router at the other data
centre via common VLANs. The handoff routers will be used for IPSec/GRE tunnel termination, and
OSPF will be used for client traffic towards the ASA firewalls. In most cases, traffic will be encrypted
within tunnels.
The following diagram shows the data centre physical connectivity for WAN devices within the Access
LAN. Note that a single interface is used on the client VLAN side; this is necessary as the ASA firewalls
operate in an active/failover configuration that requires the same subnet to be presented. It is not
possible to configure the same subnet on two interfaces of the same router.
Figure 6 Data Centre Access LAN physical (diagram; recoverable labels: IRE11, IRE19, client VLAN, Access switch A, Access switch B, Handoff router (per client))
The handoff routers require a minimum of two LAN interfaces, using sub-interfaces and VLAN separation
between the CE side VLAN and the ASA side VLAN.
4.4 Routing
Routing within the WAN is dynamic using BGP. Static routes will be used where necessary to resolve
indirect next-hops. OSPF will be used within the data centre, and (where necessary) for routing across
tunnels to remote sites regardless of whether the remote sites are internal or external organisations.
The target solution provides common VLANs between IRE11 and IRE19 at the Access LAN layer as
described in the LAN HLD. A single C&W CE router is installed at each data centre and resilience will be
achieved via the intercampus LAN and CE at the other site. Although handoff router to CE connections
at both sites use the same AS number, IBGP is not used to establish a neighbour relationship
between the sites. All traffic is carried within IPSec encrypted GRE tunnels that terminate on dedicated
handoff routers. OSPF metrics will be used to ensure that traffic is forwarded in a deterministic manner,
with preference via the local CE router.
Figure 7 Generic WAN to data centre connectivity (diagram; recoverable labels: client site, C&W VRF/VLAN, BGP peering to handoff router, intercampus fibre, client VLAN; Access LAN marked out of scope, refer to LAN HLD)
Note that for the example above, multi-hop EBGP should be configured between loopback interfaces on
the CE and handoff routers, as this allows for the peering to use both local Cisco 6513 switches. If the
peering is provided between physical interfaces, loss of the configured interface could lead to an
unacceptable requirement for DR invocation. The static route required for multi-hop EBGP should be
configured between the local CE and handoff routers only, as shown in the previous diagram.
Metrics will be used to steer traffic towards the appropriate site; IRE11 for live traffic and IRE19 for test.
OSPF metrics will be used to steer egress traffic and the BGP attribute, AS-Path pre-pend, is proposed
between the CE and handoff router to steer ingress traffic. There is no distinction between active and DR
for the BGP peering in this design.
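The OSPF steering described above (preference via the local CE router, with the intercampus VLAN as fallback) can be checked with a small SPF calculation. The following Python example is added here for illustration and is not part of the HLD or of any project configuration: it builds a constructed Access LAN topology, runs Dijkstra as OSPF would, and shows which handoff router (and therefore which CE) carries egress traffic before and after a link loss. Node names and link costs are assumptions chosen for the example.

```python
"""Deterministic egress steering with OSPF metrics (added example).

Constructed topology, not taken from the HLD: each data centre has an ASA
firewall, a handoff router and a C&W CE router; the two handoff routers
share a common VLAN over the intercampus LAN.  The client prefix is
reachable through either CE.  Costs are assumptions chosen so that the
local CE is always preferred and the remote CE is used only when the
local path is lost.
"""
import heapq
from typing import Dict, List, Optional, Tuple

# Undirected link costs (assumed OSPF costs, not the project's values).
LINKS: List[Tuple[str, str, int]] = [
    ("asa-ire11", "handoff-ire11", 1),
    ("asa-ire19", "handoff-ire19", 1),
    ("handoff-ire11", "handoff-ire19", 5),    # common VLAN via intercampus LAN
    ("handoff-ire11", "client-prefix", 10),   # redistributed from EBGP with CE IRE11
    ("handoff-ire19", "client-prefix", 10),   # redistributed from EBGP with CE IRE19
]

Graph = Dict[str, Dict[str, int]]


def build_graph(links: List[Tuple[str, str, int]]) -> Graph:
    """Adjacency map with symmetric costs."""
    g: Graph = {}
    for a, b, cost in links:
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return g


def fail_link(g: Graph, a: str, b: str) -> Graph:
    """Return a copy of g with the a-b link removed (simulated link failure)."""
    h = {n: dict(nbrs) for n, nbrs in g.items()}
    h[a].pop(b, None)
    h[b].pop(a, None)
    return h


def shortest_path(g: Graph, src: str, dst: str) -> Optional[Tuple[int, List[str]]]:
    """Dijkstra SPF, as OSPF computes it; returns (cost, path) or None if unreachable."""
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, n = heapq.heappop(heap)
        if n == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        if d > dist.get(n, float("inf")):
            continue
        for nbr, cost in g[n].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = n
                heapq.heappush(heap, (nd, nbr))
    return None


def egress_handoff(g: Graph, src_asa: str) -> Optional[str]:
    """Which handoff router (and hence which CE) carries traffic from src_asa."""
    result = shortest_path(g, src_asa, "client-prefix")
    if result is None:
        return None
    return result[1][-2]  # node immediately before the client prefix


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("normal:", shortest_path(g, "asa-ire11", "client-prefix"))
    g2 = fail_link(g, "handoff-ire11", "client-prefix")
    print("IRE11 CE path lost:", shortest_path(g2, "asa-ire11", "client-prefix"))
```

With both paths up, traffic from the IRE11 firewalls leaves via the IRE11 handoff router at cost 11; when that router loses its route from the local CE, SPF moves the traffic across the intercampus VLAN to the IRE19 handoff router at cost 16, which is the deterministic fallback the design relies on.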
4.4.1 WAN access methods
WAN access across the C&W VPNs can be divided into two distinct methods:
• Support and external access: traffic is encapsulated within an IPSec or GRE tunnel terminating on dedicated handoff routers within the data centres or on the RMGA managed CPE routers at regional or client sites. This approach will be used for all support access, third party access and inter-DC connectivity.
• Branch access: native IP traffic enters the Access LAN at the CE router. The C&W CE router will redistribute into OSPF within the VRF serving this traffic. The traffic will be encrypted using SSL. Although this access method is outside of the scope of this document, this approach will be used for test counter access and will be covered here at a high level.
4.5 Internet Access
Connectivity to the Internet is required for the Broadband Web Server. The BWS supports three
services: Broadband Checker (the Post Office is to resell consumer broadband through their branches),
Postcode Anywhere and Neopost/Kahala. Internet access is also required for software updates, anti-virus
updates and for Post Office access to the web server.
Initial Internet access is provided using a single ADSL line at each data centre presented on a Cisco
1801 router at each site. The Cisco 1801 router provides a basic firewall with a second tier of firewalls
provided using dedicated Cisco ASA firewalls. This initial solution is non-resilient in operation but
provides a Horizon equivalent service.
Within the data centres, all interactive Internet access sessions traverse a Webwasher proxy server.
4.6 C&W CE router consolidation
At BRAO1 and LEW02 sites, multiple C&W CE routers were deployed each serving one or more VPNs. It
was planned to consolidate the VPNs on to two larger routers providing greater aggregate WAN access
bandwidth. In the event, larger routers were installed and the access capacity upgraded to 100Mb/s per
router for the support VPN (fujser_fujnwb_test), but no consolidation has taken place; the remaining CE
routers will be retained until their associated rig is decommissioned in BRAO1.
C&W CE name (VPN name/s) | Model | Circuit number | Bandwidth | Location
He11-r73-001 (fujser_fujnwb_test) | 7301 | ISFE2909855 | 100Mb/s | LG33 Live A rack
He11-r73-002 (fujser_fujnwb_test) | 7301 | ISFE2910105 | 100Mb/s | LG33 Live B rack
U064-r28-001 (fujser_fujnwb1 & fujser_fujnwb_bracknell1) | 2620 | 1SA53223 | 2Mb/s | LAB3 lower ground - FRIACO
U064-r26-002 (fujser_fujnwb1 & fujser_fujnwb_bracknell2) | 2620 | 1SA53743 | 2Mb/s | 6th floor rack 10 - LST
U064-r22-001 (fujser_rel_rig & fujser_fujnwb1) | 2610 | 1SA2533720 | 2Mb/s | LG33 - Release rig
U064-r22-002 (fujser_brac_btc) | 2610 | 1SA2533724 | 2Mb/s | LG33 - BTC rig
U064-r22-003 (fujser_rel_rig & fujser_fujnwb1) | 2621 | 1SA2533725 | 2Mb/s | LG33 - Backup release rig
U064-r22-004 (fujser_brac_btc) | 2621 | 1SA2533726 | 2Mb/s | LG33 - Backup BTC rig
Gr33-r16-001 (fujser_lst_btir) | 1721 | 1SJ2611923 | 64kb/s | 6th floor - LST bootloader
Table 3 C&W BRA01 consolidation
4.7 Support networks
4.7.1 Support connectivity
There are two access classes for support staff:
• RMGA LAN model (i.e. RMGA dedicated ‘Red’ LAN)
• Corporate model (includes Corporate LAN users, remote access via the Corporate LAN and all other non-RMGA LAN internal networks)
In both cases, access to platforms should be via the SAS servers in IRE11 and IRE19. The SAS servers
will authenticate users and log activity. There will however, remain cases where certain support staff will
require direct access to platforms.
4.7.1.1 RMGA ‘Red LAN’ access
Regional site access: For access via the RMGA LAN model, support staff will have workstations on a
dedicated Post Office LAN known locally as the ‘Red’ LAN. This will have direct access via the VPN
extended to IRE11 and IRE19. Note that all traffic using the RMGA VPN will be carried within IPsec
encrypted GRE tunnels. Encryption will be AES256. Tunnels will terminate on RMGA managed handoff
routers at the data centres and regional sites. A full mesh of tunnels is not necessary, however sufficient
tunnels to provide resilience and to allow inter-site connectivity will be provided.
Figure 10 RMGA LAN VPN access (diagram; sites shown: IRE11, IRE19, STE04, BRA01, LEW02)
4.7.1.2 Corporate LAN access
WAN connectivity for Corporate LAN access is provided over the same ‘Support VPN’ used for Red LAN
access. Interconnection with the corporate network is provided via RMGA-owned/Corporate-managed
Checkpoint firewalls at large sites (Bracknell Stevenage and Lewes). Smaller sites will use the corporate
WAN to IRE11/19 with Checkpoint firewalls at these sites.
Using the Support VPN for WAN access between BRAO1 and IRE11/19 overcomes issues with WAN
capacity and performance issues for software distribution from Bracknell.
Figure 7 Corporate LAN access (diagram; recoverable labels: BRA01 Corporate LAN, LEW02 Corporate LAN, IRE11 and IRE19 Corporate LAN, RMGA to Corporate NAT points, Support Access firewall, Transit VLAN, Red LAN IPSec tunnel)
4.7.2 Bracknell BRAO1
4.7.2.1 SSC
All SSC workstations reside on the RMGA LAN and use hardware encryption. Continued use of the
RMGA LAN is required along with provision to access platforms directly as well as via the SAS (SSN)
servers.
For out-of-hours access, remote workstation access via Corporate LAN VPN access with a fixed IP
address allows routing to the RMGA firewall where RADIUS authentication provides access to the SAS
(SSN) servers only. Direct access to platforms is not permitted via this method.
4.7.2.2 MIS (Service Delivery team)
MIS at Bracknell have workstations on the corporate LAN that will require access to IRE11 and IRE19.
Remote VPN access is also required.
In addition, there are dedicated NT clients for Data warehouse/TES/DRS and Tivoli that reside on the
RMGA LAN that will require connectivity.
4.7.2.3 RDT
RDMC workstations in BRA01 are connected to the RMGA LAN and require access to the live platforms
in IRE11/19 along with continued connectivity to other RDT platforms at other sites (LEW02, STE04/09,
WGN01 and BTL01).
4.7.2.4 DR facilities
BRA01 is also used to provide a DR site for SMC, OBC (CREO2, but may move to WAR13) and soon to
include HSD DR.
4.7.3 Stevenage STE04
The SMC currently have 3 workstations, connected to the Corporate LAN that can access the rigs in IRE
11 and IRE19. These are standard builds with fixed IP addresses with firewall access to the test rigs. The
workstations access via the SAS (SSN) servers for all services. The number of devices is expected to
increase closer to go-live.
4.7.3.1 Reference Data Teams
RDMC workstations in STEO9 are currently connected to the RDT LAN and require access to the live
platforms in IRE11/19 along with continued connectivity to other RDT platforms at other sites (BRAO1,
LEW02, WGN01 and BTLO1).
4.7.4 Crewe CRE02
There are two teams within Crewe that are involved with the RMG account. The IDS team is still being
developed and their requirements are unknown at the time of writing, but are expected to comprise a
small number of workstations on the RMGA LAN. The OBC team currently have four or five staff with
two workstations each; an OCMS workstation on the RMGA LAN and a corporate desktop on the
corporate LAN.
4.7.5 Wigan WGNO1
MSS requirements at Wigan are similar to the Stevenage SMC requirements. There are currently three
workstations on the Corporate LAN with fixed IP addresses accessing services via the SAS (SSN)
servers. Access for these devices will be via the Checkpoint firewalls in IRE11/19.
4.7.6 Belfast IRE11/IRE19
The local support team in IRE11 have workstations on the corporate LAN that require access via the
SAS (SSN) servers to individual platforms. Local access is provided via a CIS/RMGA firewall within
IRE11 and IRE19.
Out-of-hours access is required via the corporate VPN. The KMA key management platform is not
available via remote access for security reasons.
4.7.7 Lewes LEW02
RDMC workstations for RDT in LEW02 are connected to the RDT LAN and require access to the live
platforms in IRE11/19 along with continued connectivity to other RDT platforms at other sites.
4.7.8 Warrington WAR13
New site for Network Support and Firewall Support teams moving from WGNO1 and BTLO1.
4.7.9 Solihull SOL10
4.7.9.1 NOSS
NOSS users follow the corporate model with access via the Corporate firewalls in IRE11/19, terminating
on the SAS (SSN) platforms for authentication. There are no RMGA dedicated workstations within this
building.
4.7.10 Out-of-hours access
Support access is provided through continued use of the corporate Internet VPN access from the
corporate network, via the Checkpoint firewalls in IRE11/19 and terminating on the SAS (SSN) platforms
for authentication.
4.8 Test counter access
Test rigs for HNG-X are available within IRE19 (unless DR is invoked). Test counter access follows the
live access approach using Utimaco VPN encryption across the WAN. The WAN for test rig connectivity
is the same as that for the branch access network that is outside of the scope of this document; further
detail is provided in the Branch Access Network HLD (DES/NET/HLD/0014).
Test counter traffic is steered towards the IRE19 CE router through use of BGP attributes; this is
achieved through extending the AS-Path attribute on the VPN Crypt router to CE BGP peering in IRE11
(AS-path pre-pending).
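Both section 4.4 (AS-path pre-pend between the CE and handoff router to steer ingress traffic) and the test counter steering above rely on the same BGP behaviour: a remote speaker that learns the same prefix from IRE11 and IRE19 prefers the shorter AS-path, so the site that does not prepend attracts the traffic, and the other site takes over when the preferred route is withdrawn. The following Python example is added here and is not code from the HLD or from any project router; it models a simplified BGP best-path decision over constructed routes. AS numbers, prefixes and router IDs are assumptions.

```python
"""Ingress steering with AS-path prepending (added example).

Models what a remote BGP speaker (for instance a C&W PE/CE or a client
CPE) does when it learns the same prefix from the IRE11 and IRE19
handoff routers.  Live prefixes are prepended when advertised from
IRE19, test prefixes when advertised from IRE11, so each is pulled
towards the intended site; when the preferred site withdraws, the other
route is selected automatically.  AS numbers, prefixes and router IDs
are constructed for the example, not taken from the HLD.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AS_IRE11 = 65011   # assumed private ASN for the IRE11 handoff router
AS_IRE19 = 65019   # assumed private ASN for the IRE19 handoff router


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    origin_site: str
    local_pref: int = 100
    router_id: str = "0.0.0.0"


def advertise(prefix: str, site: str, prepend: int = 0) -> Route:
    """Route a handoff router announces to its CE; prepend adds copies of its own ASN."""
    asn = AS_IRE11 if site == "IRE11" else AS_IRE19
    rid = "10.255.0.11" if site == "IRE11" else "10.255.0.19"   # assumed router IDs
    return Route(prefix, [asn] * (1 + prepend), site, router_id=rid)


def _rid_key(rid: str) -> Tuple[int, ...]:
    """Router IDs compare numerically, octet by octet, as in real BGP."""
    return tuple(int(x) for x in rid.split("."))


def best_path(candidates: List[Route]) -> Optional[Route]:
    """Simplified BGP decision: higher LOCAL_PREF, then shorter AS_PATH, then lowest router ID."""
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), _rid_key(r.router_id)))


@dataclass
class Speaker:
    """A remote BGP speaker holding every received path per prefix (its Adj-RIB-In)."""
    rib_in: Dict[str, List[Route]] = field(default_factory=dict)

    def receive(self, route: Route) -> None:
        paths = self.rib_in.setdefault(route.prefix, [])
        paths[:] = [p for p in paths if p.origin_site != route.origin_site] + [route]

    def withdraw(self, prefix: str, site: str) -> None:
        self.rib_in[prefix] = [p for p in self.rib_in.get(prefix, []) if p.origin_site != site]

    def selected_site(self, prefix: str) -> Optional[str]:
        best = best_path(self.rib_in.get(prefix, []))
        return best.origin_site if best else None


def steering_demo() -> Dict[str, Optional[str]]:
    """Live prefix steered to IRE11, test prefix to IRE19, with failover for test."""
    sp = Speaker()
    live, test = "10.10.0.0/16", "10.20.0.0/16"   # constructed prefixes
    # Live traffic: IRE11 advertises natively, IRE19 prepends twice.
    sp.receive(advertise(live, "IRE11"))
    sp.receive(advertise(live, "IRE19", prepend=2))
    # Test counter traffic: IRE19 advertises natively, IRE11 prepends twice.
    sp.receive(advertise(test, "IRE19"))
    sp.receive(advertise(test, "IRE11", prepend=2))
    result = {"live": sp.selected_site(live), "test": sp.selected_site(test)}
    sp.withdraw(test, "IRE19")          # IRE19 loses the test rig route
    result["test_after_ire19_withdraw"] = sp.selected_site(test)
    return result


if __name__ == "__main__":
    print(steering_demo())
```

Prepending only lengthens the path; it does not remove the alternative, which is why the prepended IRE11 route is still present to take over when IRE19 withdraws. A practitioner verifying the design would look for exactly this pair of paths in the remote speaker's BGP table, with the prepended one marked as not best.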
4.8.1 Test rig connectivity
Up to five test rigs have been built in IRE19: LST, ST, SV&I, RV Mig and RV Acc. Of these, only the
LST rig will remain post-live. Unlike Horizon test counter access, where dedicated C&W VPNs have
been deployed per rig, a single VPN will be used for all HNG-X test counter access between
SDC01/TCY02 and IRE11/19 (fujser_hngx_test).
A further Volume and Integration (V&I) rig was built on the live network at both IRE11 and IRE19.
Essentially, this is a pre-live proving and integrity testing of the live platforms. Connectivity will be as for
live services and the requirement will cease when IRE11 goes live. A dedicated V&I VLAN will be
required in BRA01 for the duration of V&I testing; this LAN will be ceased when HNG-X goes live.
4.8.2 Lewes LEW02 test rig networks
Lewes acts as a backup site to BRAO1 for testing. There is a single LST test rig with access to the HNG-
X Test VPN (fujser_hngx_test).
4.8.3 RDT rig in BRA01 and LEW02
4.9 External connections
For external (third party) connections, RMGA is responsible for the WAN connections (along with CPE
routers) for Post Office Ltd (POL), DVLA, E-Pay and Alliance & Leicester. For all other external
connections, individual agreement with the third parties will need to be sought to enable them to provide
suitable WAN connections, and is out-of-scope for this document.
4.9.1 Managed CPE refresh
For those clients where RMGA is responsible for managed CPEs, the opportunity to refresh and
standardise the managed CPE routers at external client sites was undertaken as part of the HNG-X
project. The new managed CPE routers are Cisco 2811.
The connectivity for each client is subject to contractual requirements with the individual clients and is
documented in a Technical Interface Specification document. However, each is based on a generic
approach using IPSec or GRE tunnels across a dedicated C&W VPN. At the IRE11 and IRE19 data
centres, a single handoff router is used with resilience provided via the handoff router in the other data
centre, accessible via the intercampus LAN.
4.9.2 External client tunnel termination
Termination of the GRE and IPSec tunnels will take place on dedicated handoff routers within IRE11 and
IRE19 data centres. At the remote sites, the tunnels will terminate on the managed CPE routers. Using
dedicated handoff routers for each client offloads the tunnel and encryption overhead from the WAN
access router (MSFC) and helps to reduce the likelihood of routing configuration errors that could lead to
advertisement of routes between clients.
The following diagrams show the routing between the data centres and the client site via a C&W VPN,
and tunnel connectivity with OSPF redistribution at the data centres. Note that there is no requirement
for OSPF across the tunnels.
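The isolation argument in 4.9.2 (one handoff router per client, so a routing configuration error cannot easily advertise one client's routes to another) is something an operator can verify rather than assume. The following Python example is added for illustration and is not part of the HLD: it takes a constructed ownership table (which client owns which address space) and constructed per-client VRF route tables, and reports any prefix in a client's table that belongs to a different client, including more-specific and covering prefixes. All prefixes and client names are invented.

```python
"""Detecting inter-client route leaks across per-client handoff routers (added example).

Each external client has its own handoff router and C&W VPN, so the only
prefixes that should appear in a client's routing context are that
client's own prefixes plus the data-centre prefixes deliberately
advertised to it.  This check compares a constructed ownership table
against constructed per-VRF route tables and reports any prefix that
belongs to a different client (exact match, more-specific or covering
prefix).  All prefixes and names are invented for the example.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

Net = ipaddress.IPv4Network

# Who owns which address space (assumed values, not the project's addressing).
OWNERSHIP: Dict[str, List[str]] = {
    "client-a": ["10.101.0.0/16"],
    "client-b": ["10.102.0.0/16"],
    "datacentre": ["10.1.0.0/16", "10.2.0.0/16"],   # IRE11/IRE19 services offered to clients
}


class Leak(NamedTuple):
    vrf: str
    prefix: str
    owner: str
    relation: str   # "exact", "more-specific" or "covering"


def classify(seen: Net, owned: Net) -> Optional[str]:
    """How a route seen in a VRF relates to a prefix owned by someone else."""
    if seen == owned:
        return "exact"
    if seen.subnet_of(owned):
        return "more-specific"
    if seen.supernet_of(owned):
        return "covering"
    return None


def find_leaks(ownership: Dict[str, List[str]], vrf_tables: Dict[str, List[str]],
               shared_owner: str = "datacentre") -> List[Leak]:
    """Return every prefix in a client VRF that belongs to another client."""
    owned = {o: [Net(p) for p in nets] for o, nets in ownership.items()}
    leaks: List[Leak] = []
    for vrf, prefixes in vrf_tables.items():
        for p in prefixes:
            seen = Net(p, strict=False)
            for owner, nets in owned.items():
                if owner in (vrf, shared_owner):
                    continue            # own prefixes and DC prefixes are expected
                for net in nets:
                    rel = classify(seen, net)
                    if rel:
                        leaks.append(Leak(vrf, str(seen), owner, rel))
    return leaks


# Constructed per-client VRF route tables, as one might collect them from each
# handoff router's BGP table.  client-b carries a more-specific of client-a's space.
VRF_TABLES: Dict[str, List[str]] = {
    "client-a": ["10.101.0.0/16", "10.1.0.0/16", "10.2.0.0/16"],
    "client-b": ["10.102.0.0/16", "10.1.0.0/16", "10.101.5.0/24"],
}

if __name__ == "__main__":
    for leak in find_leaks(OWNERSHIP, VRF_TABLES):
        print(f"LEAK vrf={leak.vrf} prefix={leak.prefix} owner={leak.owner} ({leak.relation})")
```

The covering case matters as much as the more-specific one: a client VRF that carries a summary such as 10.0.0.0/8 would attract traffic for every other client's space, so the check flags supernets of another owner's prefix and not only exact or longer matches.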
Figure 14 External client handoff - BGP routing (diagram; recoverable labels: client WAN, intercampus fibre, OSPF area, handoff router, access VLAN A and VLAN B)
4.10 Summary of VPN requirements
The following table summarises the C&W VPNs and identifies which CE routers require access to individual VPNs. The site columns of the original table are IRE11, IRE19, BRA01, STE04, CRE02, SDC01/TCY01, WGN01 and External sites; the per-site access marks did not survive extraction and are omitted.
VPN | C&W VPN name
Live branch traffic (out-of-scope) | fujser_fujnwb1
Support RMGA LAN (includes MIS / RDT / Security LAN requirements) | fujser_fujnwb_test
Post Office Ltd | fujser_fujnwb_aux1
DVLA | fujser_fujnwb_dvla
A&L | fujser_fujnwb_aux1
EPay | fujser_fujnwb_aux2
HNG-X Test VPN (all HNG-X test rigs) |
Test1 | fujser_fujnwb1_test
VPN test rig | fujser_fujnwb_bracknell1
Horizon LST rig | fujser_fujnwb_bracknell2
Horizon REL rig | fujser_rel_rig
Horizon BTC rig | fujser_brac_btc
Live Boot | VPN instantiated by Branch Router HLD
LST Boot | VPN instantiated by Branch Router HLD
BTC Boot | VPN instantiated by Branch Router HLD
Table 5 Summary of C&W VPN requirements
5 Migration
5.1 Inter-DC connectivity
The inter-data centre connectivity is a temporary solution until cessation of the Wigan and Bootle data
centres, and will make use of IPSec encrypted GRE tunnels to dedicated handoff routers at all four sites.
The solution provides for up to 100Mb/s throughput between data centre campuses with up to six levels of QoS.
5.2 Support connectivity
Unchanged from the support access model described previously.
5.2.1 Out-of-hours support access
Unchanged from the support access model described previously.
5.3 Test rig access
Unchanged from the test counter access model described previously.
5.4 External connections
Migration of external clients will require the existing C&W VPNs to be extended to include the IRE11 and
IRE19 PEs where C&W will present as VRFs on their CE routers. Connectivity will be extended to the
dedicated handoff routers within IRE11 and IRE19 using EBGP. New tunnels can then be created
between the handoff routers in IRE11/19 and the managed CPE routers at the client site. Whether the
tunnels terminate on the new or existing CPE routers is independent of this design. By extending the
original tunnel mesh to include IRE11 and IRE19, the infrastructure will be in place to accommodate
various migration scenarios from full four-centre operation to cease and re-provide.
The number of additional tunnels should be kept to the minimum sufficient to provide resilience. For an
external client site with dual CPE routers, a single additional tunnel to one of the IRE11 or IRE19 handoff
routers from each CPE is sufficient. Dual connecting the CPEs to both handoff routers is unnecessary. If
the external client site has a single handoff router (e.g. Sungard site for Post Office Ltd.) then a tunnel to
each of the IRE11 and IRE19 handoff routers should be provided. See diagram below. In all cases, the
tunnels depicted are in addition to the existing tunnels to the Wigan and Bootle data centres.
Figure 16 External client tunnel topology (diagram: three cases, each showing tunnels from the IRE11 and IRE19 handoff routers to a dual CPE site, a single CPE site and a dual CPE site)
Where a client site has common VLANs between their sites, a variant of the Dual CPE approach can be
adapted to represent both client sites, saving in CPE routers and tunnel complexity.
The pre-existing tunnels to Wigan and Bootle can be ceased on cessation of Horizon activities in Wigan and Bootle,
in addition to the decommissioning of the C&W VPN at these sites.
5.4.1 Post Office Limited
The Post Office connectivity is used to support a multi application environment. Applications supported
are TIP, POLFS, EDG, TES, Track and Trace and APOP. Access to POL applications is via the RMG
Northern Data Centre at Huthwaite, Nottinghamshire, with a DR site at Sungard London Technology
Centre in Hounslow (supporting TIP, POLFS and EDG only). The network to both sites is considered
active/active at all times.
Post Office connectivity currently uses a mesh of GRE tunnels across a C&W IP Select VPN. VPN name
is fujser_fujnwb_aux1 and provides a 2Mb/s constrained service.
Traffic is encrypted within the tunnels and OSPF is used for routing across the tunnel mesh. The two
Post Office sites of Huthwaite and Sungard each use OSPF area 1 to access the Wigan data centre, and
area 2 to access Bootle data centre.
The mesh of IPSec tunnels will be extended to include the new dedicated Post Office handoff routers at
IRE11 and IRE19. As per the original design, OSPF will be used as an IGP across the tunnel mesh. The
relationship of OSPF area to data centre will be determined by the LLD designer under agreement from
the client.
5.4.2 DVLA
Current connectivity for DVLA follows a similar solution to that for the Post Office, with a mesh of GRE
tunnels deployed across a L3VPN from C&W. The VPN name is fujser_fujnwb_dvla and is bandwidth
constrained to 960kb/s to each site. Routing comprises non-contiguous OSPF areas, with Area 1 serving
Swansea/Morriston to Wigan, Area 2 serving Swansea/Morriston to Bootle and Area 3 connecting
Swansea with Morriston directly.
Note that DVLA traffic is not encrypted within the tunnels.
The proposed solution for DVLA follows the same practice as that for the Post Office, albeit with
unencrypted GRE tunnels.
5.4.3 Alliance and Leicester
Connectivity for Alliance and Leicester follows similar practice as for Post Office and DVLA, using a
mesh of encrypted tunnels and similar OSPF configuration.
[DN: awaiting detail of existing A&L connectivity]
5.4.4 E-pay
5.4.5 Streamline (Debit Card)
The Debit Card service provided by Streamline currently terminates on Cisco 2651 routers within Wigan
and Bootle. WAN connectivity is provided over X.25 for debit card transaction traffic and over ISDN for
file transfers.
The solution for HNG-X is to re-provide this service within IRE11/19. A dedicated handoff router will be
installed in each of IRE11 and IRE19 with a common VLAN between them. The handoff routers will each
require an ISDN and serial interface. The router will be required to perform X.25 protocol translation. The
X.25 service is currently provided by TNSI International.
5.4.6 CAPO (EDS), LiNK and Moneygram
These companies own and manage their CPE equipment along with any WAN links. Design for
connectivity to these companies is outside of the scope of this HLD and will be covered by individual
transit LAN LLDs.
5.5 Retirement of Zergo hardware encryption devices
Wigan and Bootle inter-DC communications for Horizon make use of obsolete Zergo encryption devices.
These will be replaced by IPSec tunnels between handoff routers across a C&W VPN.
Requirements are undetermined at the time of writing.
6 Design constraints
6.1 Device naming
Device names will conform to the standard defined in DES/PPS/HLD/0006.
6.2 Traffic engineering
The network design provides for fully resilient connectivity to both data centres. Although C&W
connectivity to each of the IRE11 and IRE19 data centres is limited to a single CE router, triangulation is
provided via the fibre inter-campus LAN.
Single points of failure are limited to instances where switched media is used for access (e.g. Streamline
access).
6.3 Resilience
The WAN, both target and interim is designed to have no single points of failure. Network connectivity to
IRE11 and IRE19 will operate in an active/active state (although the applications and services provided
by the data centres may operate as active/DR).
Although each of the new data centres in Northern Ireland has a single C&W CE router, resilience
through triangulation is provided by intercampus VLANs over DWDM fibre. Handoff routers for third
party connections will be similarly provided as single routers triangulated between sites. The intercampus
WAN links and provision of VLANs is documented within the LAN HLD.
Network devices are deployed in pairs for resilience (with the exceptions previously mentioned), and will
be mounted within separate racks and have separate power feeds from an uninterruptible power supply.
Devices interfacing with equipment that cannot operate dynamic routing protocols will use VRRP to
provide a resilient gateway.
6.4 Network cabling
Cabling external to the data centres will be spatially separated by at least ten metres. Within the data
centres, cabling will use separate patch frames and/or devices within separate racks.
Network cabling will conform to the following standards:
• Copper: UTP Category 5e ANSI/EIA/TIA 568B (max. 100m)
• Fibre: multimode 850nm/62.5micron (max. 220m)
6.5 Network Protocols
The network protocol is IPv4 (RFC791) and all application traffic is unicast UDP (RFC768) or TCP
(RFC793). The network is optimised for TCP.
MPLS VPNs will be L3VPNs to RFC2547bis.
X.25 will be used for connectivity to Streamline.
6.6 IP addressing
IP addressing is taken from RFC1918 private address space only.
6.7 Routing protocols
The following routing protocols will be used. In all cases, MTU sizes will be optimised to avoid packet
fragmentation.
6.7.1 BGP
BGP-4 is the preferred routing protocol within the WAN domain. The use of BGP is inherent for
RFC2547bis VPNs, and is mandated for all PE to CE links on the C&W network. EBGP will be used for
routing between the C&W CE routers and the RMGA managed handoff routers at all sites. Redistribution
between BGP and OSPF is not envisaged (the exception being between mBGP and OSPF within the
branch access VRF for HNG-X. This will be configured by C&W and will be for SSL terminated traffic
only).
6.7.2 OSPF
OSPF is the IGP routing protocol of choice for use on the data centre LANs as defined in the LAN HLD.
6.7.3 VRRP
VRRP will be used for gateway resolution for instances where a routing protocol is unavailable or
undesirable. HSRP will be used only if VRRP cannot be used. It is not envisaged that VRRP will be used
within the WAN, but likely to be used within the Transit LAN designs.
6.7.4 Static routes
Static routes may be required where EBGP peers are not directly connected in order to resolve next-hop
(multi-hop EBGP), or in place of an IGP for next-hop resolution for IBGP neighbours.
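This static route requirement, and the reasoning in section 4.4 for peering between loopbacks so that the session survives the loss of one of the two local Cisco 6513 switch connections, both come down to recursive next-hop resolution in the RIB. The following Python example is added here for illustration and is not code from the HLD or from any router; it models a handoff router's RIB with a connected VLAN per access switch and a static /32 to the CE loopback via each, then resolves the BGP next-hop before and after an interface loss, and without the statics. Addresses, interface names and VLAN numbers are assumptions.

```python
"""Recursive next-hop resolution for multi-hop EBGP between loopbacks (added example).

The handoff router peers with the CE router's loopback, not with a
physical interface.  The BGP next-hop (the peer loopback) is then
resolved through the RIB: with a static /32 route via each of the two
access-switch VLANs the peer stays reachable when one interface is lost;
without a static route the loopback cannot be resolved and the session
never establishes.  Addresses, interface names and VLANs are assumed.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Set


class RibEntry(NamedTuple):
    prefix: str
    next_hop: Optional[str]   # None for a connected route
    interface: Optional[str]  # set for connected routes, None for recursive static routes


def longest_match(rib: List[RibEntry], addr: str) -> List[RibEntry]:
    """All RIB entries sharing the longest prefix that covers addr (ECMP-aware)."""
    ip = ipaddress.ip_address(addr)
    matches = [e for e in rib if ip in ipaddress.ip_network(e.prefix)]
    if not matches:
        return []
    best = max(ipaddress.ip_network(e.prefix).prefixlen for e in matches)
    return [e for e in matches if ipaddress.ip_network(e.prefix).prefixlen == best]


def resolve(rib: List[RibEntry], next_hop: str, depth: int = 0) -> Set[str]:
    """Egress interfaces a BGP next-hop resolves to, following recursive routes."""
    if depth > 8:                     # guard against a routing loop in the RIB
        return set()
    out: Set[str] = set()
    for entry in longest_match(rib, next_hop):
        if entry.interface:           # connected route: resolution complete
            out.add(entry.interface)
        elif entry.next_hop:          # recursive route: resolve its own next-hop
            out |= resolve(rib, entry.next_hop, depth + 1)
    return out


PEER_LOOPBACK = "10.255.1.1"          # assumed CE loopback used for the EBGP session

# Handoff router RIB (constructed): one connected VLAN per access switch,
# and one static /32 to the CE loopback via each VLAN.
RIB_WITH_STATICS: List[RibEntry] = [
    RibEntry("10.1.11.0/24", None, "Gi0/0.11"),    # VLAN via access switch A
    RibEntry("10.1.12.0/24", None, "Gi0/1.12"),    # VLAN via access switch B
    RibEntry("10.255.1.1/32", "10.1.11.2", None),  # static via switch A side
    RibEntry("10.255.1.1/32", "10.1.12.2", None),  # static via switch B side
]


def without_interface(rib: List[RibEntry], iface: str) -> List[RibEntry]:
    """RIB after an interface goes down: its connected route disappears."""
    return [e for e in rib if e.interface != iface]


if __name__ == "__main__":
    print("both VLANs up:", resolve(RIB_WITH_STATICS, PEER_LOOPBACK))
    print("switch A VLAN down:", resolve(without_interface(RIB_WITH_STATICS, "Gi0/0.11"), PEER_LOOPBACK))
    print("no statics:", resolve(RIB_WITH_STATICS[:2], PEER_LOOPBACK))
```

The point the HLD makes about configuring the static only between the local CE and handoff router also follows from this model: a static towards the remote site's CE would make the loopback resolve across the intercampus VLAN as well, and the multi-hop session could then silently run over the wrong path.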
6.8 Bandwidth requirements
The following bandwidth requirements have been taken directly from the Network Architecture document
pending availability of revised data.
# | Description | ‘A’ End | ‘B’ End | Speed | Comment
L1 | Intercampus SAN Fibre Channel | DC1 | DC2 | n Gbit/s | n is 1, 2 or 4
L2 | Intercampus SAN Fibre Channel | DC1 | DC2 | n Gbit/s | Needs to be diverse and separate from L1
L3 | Intercampus IP Network | DC1 | DC2 | 1 Gbit/s |
L4 | Intercampus IP Network | DC1 | DC2 | 1 Gbit/s | Needs to be diverse and separate from L3
L5 | 3rd line support (SSC) | DC1/DC2 | BRA01 | 4 Mbit/s, resilient | Diversity and separate routing required to provide high resilience
L6 | 2nd line support | DC1/DC2 | STE09 | 2 Mbit/s, resilient | Diversity and separate routing required to provide high resilience
L7 | OBC | DC1/DC2 | CRE02 | 2 Mbit/s, resilient | Diversity and separate routing required to provide high resilience
L8 | Ops | DC1/DC2 | IRE11 | 2 Mbit/s, resilient | Diversity and separate routing required to provide high resilience
L9 | DR - 3rd line (SSC) | DC1/DC2 | LEW02 | 2 Mbit/s, resilient | Diversity and separate routing required providing high resilience. Not normally used.
L10 | DR - Ops | DC1/DC2 | IRE19 | 2 Mbit/s, resilient | Diversity and separate routing required providing high resilience. Not normally used.
L11 | 3rd line (MSS) | DC1/DC2 | ??? | 2 Mbit/s, resilient | Diversity and separate routing required to provide high resilience
L12 | Branch Traffic | Telecity/SDC01 | DC1/DC2 | 70 Mbit/s, resilient | Diversity and separate routing required to provide high resilience
L13 | IP Select via IP gateway | Telecity/SDC01 | DC1/DC2 | 10 Mbit/s, resilient | Diversity and separate routing required to provide high resilience
Table 7 Bandwidth requirements
# | Description | 'A' End | 'B' End | Speed | Comment
T3 | Test Access | DC1/DC2 | BRA01 | 45Mbit/s with 8Mbit/s backup | Connectivity provided over IPSec/GRE tunnels over support VPN. Access circuits upgraded to 100Mb/s. CAR used to rate limit to 45Mb/s for test.
T4 | Test Access - DR | DC1/DC2 | LEW02 | 2Mbit/s, no resilience | No resilience required.
| Migration connectivity | DC1/DC2 | WGN01/BTL02 | 90Mb/s with resilience | Connectivity provided over IPSec/GRE tunnels over support VPN. QoS using CBWFQ and six queues to prioritise flows.
Table 8 Four centre operation - test link bandwidth requirements
6.9 Cable and Wireless VPN constraints
The IP Connect Direct service is productised by C&W, which results in supported limitations for their
service. These limitations are based on their internal testing, representing the service they are prepared
to support, and are not technological constraints:
Tail circuit bandwidth (PE to CE) | Maximum supported VPNs
Up to 100Mb/s | 4
100Mb/s | 18
155Mb/s | 30
Table 10 C&W VPN constraints
6.9.1 C&W IP Connect Direct QoS
C&W can provide bandwidth guarantees between VPNs such that one VPN cannot impact another;
however, this could also prevent a VPN bursting into unused bandwidth.
Additionally, C&W can provide a QoS capability within a VPN, providing Gold, Silver and Bronze service
classes within a VPN (known as their Olympic model). Note however that support for QoS within a VPN
is only available where a maximum of 4 VPNs are configured on a CE, irrespective of the tail circuit
bandwidth.
C&W plan to support Advanced Application QoS (AAQ), where DSCP bits are mapped to AF and EF
forwarding classes. This service will only be available to new deployments and is therefore not suitable
for the RMGA network.
There is no QoS applied to the current (Horizon) C&W VPN network.
6.10 Device deployment
6.10.1 Network Management
Devices are configured to support SSHv2 and SNMPv3.
Device configurations are automatically recovered and stored by Cisco Works.
Devices are configured to log SYSLOG to the Cisco Works server. The Cisco Works server should
forward SYSLOG to the RSA EnVision logging server, with incidents raised in accordance with the
Incident Management Process (SVM/SDM/PRO/0018).
Device interfaces are monitored for availability by HP Network Node Manager. Failures are reported to
the Tivoli enterprise manager.
The following protocols / toolsets are used for device management:
Device | Toolset
Router | SSHv2, SNMPv3, CiscoWorks
Table 11 Device Management Toolsets
The C&W network, including layer 3 VPNs and associated CE to PE links is out-of-scope for RMGA
network management.
6.10.2 Routers
All routers acting as CE routers will support multiple VRFs. VLAN separation (802.1q trunking) is
sufficient to ensure data separation on Ethernet interfaces.
Handoff routers, deployed within the Access LAN environment at IRE11 and IRE19, are dedicated to
individual third parties or support access, and are not required to support VRFs.
6.10.3 Switches (core sites and BRA01 interlink)
VLAN separation (802.1q trunking) is sufficient to ensure data separation.
6.10.4 Network Time Source
All WAN routers within the scope of this document will derive their timing for NTP from the data centre
access LAN devices (6513 switches).
6.11 Hardware requirements
[DN: The following is taken from the Bill of Materials that pre-dates this design and may require
amendment.]
The following hardware is required to fulfil both the target and interim designs covered by this HLD:
Role | Component | Platform | Per chassis | Per data centre | Total required
Client Access | A&L Bootle remote | C2811 | 4 | 1 | 2
Client Access | A&L Leicester remote | C2811 | 1 | 1 | 2
Client Access | A&L local | C2811 | 1 | 2 | 4
Client Access | CAPO local | C2811 | 1 | 2 | 4
Client Access | DCS (Streamline) local | C2811 | 1 | 2 | 4
Client Access | DVLA local | C2811 | 1 | 2 | 4
Client Access | DVLA remote | C2811 | 4 | 1 | 2
Client Access | VocaLink local | C2811 | 1 | 2 | 4
Client Access | Moneygram local | C2811 | 1 | 0 | 0
Client Access | RMGA Huthwaite local | C2811 | 1 | 2 | 4
Client Access | RMGA Huthwaite remote | C2811 | 1 | 2 | 4
Client Access | RMGA Sungard remote | C2811 | 1 | 1 | 2
Client Access | STE04 local | C2811 | 4 | 2 | 4
Client Access | STE04 remote | C2811 | 1 | 1 | 2
Support Access | BRA01 Support remote | C2811 | 1 | 1 | 2
Support Access | Warrington remote | C2811 | 1 | 1 | 2
Support Access | CRE02 remote | C2811 | 1 | 1 | 2
Support Access | IRE11 remote | C2811 | 1 | 1 | 2
Support Access | IRE19 remote | C2811 | 4 | 1 | 2
Support Access | LEW02 remote | C2811 | 1 | 1 | 2
Table 12 WAN hardware requirements
7 Non-functional requirements
7.1 Security
From Requirements traceability section of Technical Network Architecture document
(ARC/NET/ARC/0001):
ID | Requirement
SEC-3100 | Third Party access requirements shall not apply to access by Fujitsu Post Office Account Support Staff that access the system from the operational support centres, or via a network with remote access secured using encryption and 2 factor authentication.
SEC-3167 | {CISP 8.5.1g} Data over Wide Area Networks shall be encrypted unless specifically agreed in the relevant Technical Interface Specification or where otherwise specifically agreed by Post Office Limited Information Security. The Fibre Optic link between Data Centres is not considered to be a Wide Area Network. The requirement applies to transaction data between branches and the data centre(s).
SEC-3168 | WAN Encryption key management shall be independent of network configuration such that the confidentiality of Post Office traffic is not compromised by a single configuration error of either the WAN or the encryption system.
Table 13 Security requirements
IPSec requirements taken from Technical Network Architecture document (ARC/NET/ARC/0001):
Summary | Description
Encryption | Traffic classes will be encrypted over the Wide Area network if specified by the relevant TIS or HNG-X Security Architecture. The IPSEC tunnel will terminate on devices within the HNG-X service boundary. For example, this is the case with A&L where HNG-X Routers are at A&L Data Centres. The encryption algorithm will be AES 256.
Authentication | Based on Certificates (except for branch Router). Branch Router will use PSK. The rationale for this is reuse of the Branch Router CHAP solution for key management. The IPSEC keys will be 15 characters in length from alphabet {A-Z, a-z, 0-9}. Entropy will be as for CHAP - crypto quality.
Protection against single configuration error | IPSEC devices are deployed in the following topology: IPSEC Router -> Downstream Router -> WAN. The downstream Router will apply an ACL to ensure that the traffic from the IPSEC router is IPSEC traffic only. Also, the IPSEC Routers will be configured not to be able to negotiate a NULL encrypted stream. Therefore a single configuration error will not compromise WAN encryption.
Table 14 IPSec security requirements
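The two independent controls in the last row of Table 14, modelled as an added example that is not Fujitsu's configuration: the address, protocol constants and IKE proposal lists are constructed.

```python
# Added example (not Fujitsu's configuration): models the two controls listed
# under "Protection against single configuration error" in Table 14, i.e. a
# downstream-router ACL that admits only IPsec from the IPSEC router, and an
# IKE transform filter that can never agree a NULL cipher.
from dataclasses import dataclass

IPSEC_ROUTER = "10.0.0.1"   # constructed: IPSEC router address as seen by the downstream router
ESP, AH, UDP = 50, 51, 17   # IP protocol numbers
IKE_PORTS = {500, 4500}     # ISAKMP and IKE NAT-T


@dataclass(frozen=True)
class Packet:
    src: str
    proto: int
    dport: int = 0          # transport port; 0 where the protocol has none


def downstream_acl_permits(pkt: Packet) -> bool:
    """Extended-ACL semantics on the downstream router's WAN-facing path:
    explicit permits for IPsec and IKE from the IPSEC router, then implicit deny."""
    if pkt.src != IPSEC_ROUTER:
        return False
    if pkt.proto in (ESP, AH):
        return True
    if pkt.proto == UDP and pkt.dport in IKE_PORTS:
        return True
    return False            # implicit deny: anything else never reaches the WAN


def forward_to_wan(app_pkt: Packet, crypto_map_applied: bool) -> str:
    """What the WAN sees for one application packet leaving the IPSEC router.
    crypto_map_applied=False is the single configuration error of forgetting
    to encrypt.  Returns 'encrypted', 'dropped' or 'plaintext'."""
    wire = Packet(IPSEC_ROUTER, ESP) if crypto_map_applied else app_pkt
    if not downstream_acl_permits(wire):
        return "dropped"
    if wire.proto in (ESP, AH):
        return "encrypted"
    return "plaintext"      # cleartext that the ACL let through


def proposal_acceptable(encryption: str, key_bits: int) -> bool:
    """IKE transform filter on the IPSEC router: only AES-256 (Table 14), so a
    NULL cipher is rejected even when a misconfigured peer offers it."""
    return encryption.upper() == "AES" and key_bits == 256


def negotiate(peer_proposals):
    """Return the first peer proposal local policy accepts, or None (no SA)."""
    for encryption, key_bits in peer_proposals:
        if proposal_acceptable(encryption, key_bits):
            return (encryption, key_bits)
    return None
```

A missing crypto map is caught by the ACL and a NULL proposal by the transform filter, so exposing plaintext on the WAN needs two independent errors.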
Remote access and Network Management requirements taken from Technical Security Architecture
document (ARC/SEC/ARC/0003):
7.1.1.1 Remote Access
Remote access to the HNG-X network will be provisioned using IPSEC VPN technology, support build
laptops and two factor authentication.
Access for remote users will utilise the corporate VPN system and the FSBN. This will require support
users to have a two factor authentication token for the corporate VPN and one for the HNG-X network.
Remote support access to the Counter will be provided through the implementation of an SSH service
running on the Counter, which can then be accessed from the Secure Access Servers (SAS) in the Data
Centre. The SSH server on the Counter is configured with the SAS server SSH public keys so that
connections to the Counter are restricted to only those originating from the SAS servers. This will allow
access to a command prompt on the Counter for the retrieval of logs and other data using secure copy
(SCP).
SSH access to the HNG-X servers will also be provided. This will be configured as for the Counter SSH
access.
All support user access will be audited at a command line level to ensure an audit trail of administrator
activity is available. This auditing will take place at the SSH server, not at the client. SSH will be
configured to use a single shell (sudosh) and to prevent the spawning of additional, non-logging shell
processes.
Firewall rules will be configured to ensure that the SSH and SCP traffic can only be initiated from the
SAS servers.
Access control for the SAS servers is provided by the Identity and Access Management service.
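An audit of a Counter's authorized_keys against the SAS allow-list, as an added example that is not the project's tooling: the key blobs and SAS subnet are constructed, and the from= source restriction is an assumed extra check rather than a statement of the design.

```python
# Added example (not the project's tooling): audits a Counter's authorized_keys
# so that only the SAS servers' public keys are trusted, as the design requires.
# Key blobs and the SAS subnet are constructed; the from= restriction is an
# assumption added for defence in depth, not something the design states.
import re

# Key type followed by the base64 blob; anything before it is the options field.
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")

SAS_KEYS = {                        # constructed: SAS server public-key blobs
    "AAAAC3NzaC1lZDI1NTE5AAAAIFakeSasOne": "sas01",
    "AAAAC3NzaC1lZDI1NTE5AAAAIFakeSasTwo": "sas02",
}
SAS_FROM = 'from="10.50.0.0/24"'    # constructed SAS subnet (assumed restriction)


def audit_authorized_keys(text: str, sas_keys=SAS_KEYS) -> list:
    """Return (line_no, finding) pairs for entries that break the policy:
    a key that is not a SAS key, or a key without a from= source restriction."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            findings.append((n, "unparseable entry"))
            continue
        options, blob = line[:m.start()].strip(), m.group(2)
        if blob not in sas_keys:
            findings.append((n, "key is not a SAS server key"))
        if "from=" not in options:
            findings.append((n, "no from= source restriction"))
    return findings


# Constructed sample: one compliant SAS key, one SAS key missing the
# restriction, and a key that does not belong to any SAS server.
SAMPLE = f"""# constructed authorized_keys on a Counter
{SAS_FROM} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeSasOne sas01
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeSasTwo sas02
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeEngineerLaptop eng
"""

if __name__ == "__main__":
    for line_no, finding in audit_authorized_keys(SAMPLE):
        print(f"line {line_no}: {finding}")
```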
7.1.1.2 Management Network Access
A method of obtaining system patches and anti-virus signatures is required for HNG-X as well as a
means of providing management support access. It is anticipated that this will be through the provision of
a link to the RMG network.
This link will allow management access to the IDS/IPS and Network Intelligence appliances from Crewe
and Bracknell. It will also allow anti-virus signatures and system patches to be obtained, via a proxied
route, from the Internet.
This connection will provide access through the implementation of a DMZ network containing the relevant
proxy and access control systems. It is anticipated that console access will be provisioned through the
implementation of a Windows Terminal Server system.
7.2 Availability and QoS
7.2.1 C&W IP Connect class of service
The C&W IP Connect service in operation for the RMG account is described as their Bronze service with
the following service level characteristics:
• QoS: Default
• Average Round-Trip Delay: 30ms
• Average Packet Delivery: 99.80%
• Jitter: N/A
7.3 Service Level Agreements
The only service covered by this HLD that has a defined SLA is for Alliance and Leicester, where the
Service Level Target is 99.95%.
Services to RMG data centres at Huthwaite and Sungard, along with services from DVLA, are subject to
independent calculations agreed with the Post Office for each event.
Network Banking allows for a maximum of one outage in excess of two minutes per bank per month, and
outages to a maximum of two banks in any one month.
A Sites
This section identifies locations used in this design.
A.1 Data centres
Two new data centres will be introduced for HNG-X, both of which are in Northern Ireland. The existing
data centres in Wigan and Bootle are not included as no changes are envisaged to the current design.
IRE11 - Trident House, 301 Airport Road West, Belfast, BT3 9AE
IRE19 - Unit 4B Bridgeview, Glenville Industrial Estate, Glenville Road, Whiteabbey, County Antrim,
BT37 0TU
A.2 Core sites
These sites represent the aggregation point between the access networks and the core network for
branch access.
SDC01 - Units 2-5 Weston Avenue, Grays, Essex, RM20 3WZ
TCY02 - Telecity, 8/9 Harbour Exchange, Isle of Dogs, London, E14 9GE
A.3 Support sites
These are Fujitsu Services sites from which access is required to support operational teams and testing
of the HNG-X solution:
BRA01 — Lovelace Road, Bracknell, Berkshire, RG12 8SN
LEW02 - Sackville House, Brooks Close, Lewes, East Sussex, BN7 2FZ
STE04 - 14 Cavendish Road, Stevenage, Hertfordshire, SG1 2DY
CRE02 - Infinity House, Mallard Way, off Electra Way, Crewe Business Park, Crewe, Cheshire, CW1 6ZQ
WGN01 - c/o Alliance and Leicester, Quayside Centre, Westward Park, Wigan, WN3 5GB
WAR13 - Trafalgar House, Temple Court, Risley, Warrington, WA3 6GD
IRE11 - Trident House, 301 Airport Road West, Belfast, BT3 9AE
A.4 External client sites
This section lists only those sites where RMGA has managed CPE equipment deployed at the external
location, or where RMGA provides the WAN connectivity (E-pay).
- Post Office (RMG)
Huthwaite: The County Estate, Nunn Brook Rise, Sutton-in-Ashfield, Nottinghamshire, NG17 1TD.
Sungard: POL Huthwaite DR site, Green Lane, Hounslow, Middlesex, TW4 6ER
- DVLA
Swansea Vale: ROSB Building, Sandringham Park, Llansamlet, Swansea, West Glamorgan, SA6 8QL
Morriston: C Block, Longview Road, Clase, Swansea, West Glamorgan, SA6 7JL
- Alliance and Leicester
Carlton Park, Narborough, Leicester, LE19 0AL
Bridle Road, Bootle, L30 4GB
- E-pay
Kelting House, Southernhay, Basildon, Essex, SS14 1EL
12 Hornsby Square, Southfields Industrial Park, Laindon, Basildon, Essex, SS15 6SD
B Circuit requirements
The following section identifies new circuits required for the proposed design.
B.1 IRE11 and IRE19
New C&W IP Connect circuits at 155Mb/s to each of IRE11 and IRE19. Each circuit is required to be
diversely routed from the other.
In addition, the following circuits will be required:
• ISDN2e circuit in each data centre for MoneyGram International (MoneyGram will provide their
own Frame Relay service into each data centre)
• PSTN circuit in each data centre for EMC dial access (requires verification)
• PSTN circuit in each data centre for Fujitsu Siemens dial access (Bladeframe support) (requires
verification)
• PSTN circuit in each data centre for Alarmpoint dial-out.
B.2 Regional support sites
New 2Mb/s C&W IP Connect circuits required at:
• STE04 - 2 circuits each with CE router, diversely routed
• CRE02 - 2 circuits each with CE router, diversely routed
• WAR13 - 2 circuits each with CE router, diversely routed
Alternatively, connectivity for these sites could be provided via FSBN VPNs direct to IRE11/19 subject to
suitable CIS firewalls being deployed at IRE11 and IRE19.
B.3 Post Office Limited
New C&W IP Connect circuit at Maidstone required for EDG DR Service:
e 1 circuit (unprotected) at 2Mb/s with 1:1 contention
B.4 Streamline
New X.25 service from TNSI International required at IRE11 and IRE19.
Dedicated ISDN line required in each of IRE11 and IRE19.
B.5 Circuits for cessation on completion
The following table lists the circuits that can be ceased on completion of all Horizon and HNG-X
migration activities.
Circuit reference (CE router) | Vendor | Bandwidth | A-end | B-end
NXUK262233 | BT | 64kb/s | IRE11 | WGN01
NXUK262208 | BT | 64kb/s | IRE19 | WGN01
NXUK262200 | BT | 64kb/s | IRE11 | WGN01
NXUK263257 | BT | 2Mb/s | IRE11 | BTL01
NXGB232821 | BT | 192kb/s | BTL01 | CRE02
NXGB232822 | BT | 192kb/s | WGN01 | CRE02
1SA53223 (064-128-001) | C&W | 2Mb/s | BRA01 | n/a
1SA53743 (u064-126-002) | C&W | 2Mb/s | BRA01 | n/a
1SA2533720 (u064-122-001) | C&W | 2Mb/s | BRA01 | n/a
1SA2533724 (u064-122-002) | C&W | 2Mb/s | BRA01 | n/a
1SA2533725 (u064-122-003) | C&W | 2Mb/s | BRA01 | n/a
1SA2533726 (u064-122-004) | C&W | 2Mb/s | BRA01 | n/a
1SJ2611923 (9133-116-001) | C&W | | BRA01 | n/a