23 March 2007
HNG-X Networks
FUJ00098218
FUJITSU
THE POSSIBILITIES ARE INFINITE
HNG-X Network Architecture
Mark Jarosz
Principal Network Architect
© Fujitsu Services 2004
Agenda
• Current Horizon Network
  • Major Milestones / Performance / Overview
• HNG-X Network
  • Branch Access
  • Data centre (LAN, SAN, Inter Campus)
  • Wide Area Network
  • External interfaces
• Migration
• Questions
2 © Fujitsu Services 2004 7/21/2022 COMPANY RESTRICTED
Current Horizon Network
• Major Milestones
  • 1998 to 2000 - rolled out over 17,000 branches with ISDN dial on demand (and satellite for those sites that couldn’t get ISDN)
  • Secured with VPN based on IPSEC technology
  • 2002 moved to “always on” ISDN service to support banking
  • 2004 Rollout of ADSL - 9,500 branches
  • 2005 Network Backup facility for branches provided
    • ISDN automatic backup for largest 2,000 branches
    • “On demand” backup using mobile technology (engineer turns up if fault lasts for more than 2 days)
  • 2006 / 2007 Moving to Fujitsu Services ADSL
Current Horizon Network
• Measures
  • All online Transactions
    • per month - 35.5 million
    • Peak online TPS - 186
    • % Failure Rate - (Approximately) 0.33
  • DVLA Transactions
    • per month - 3.7 million
    • Peak online TPS - 33
    • % Failure Rate - 0.45 (but also includes any non Horizon DVLA failures)
    • DVLA services use Web services technology
    • Feedback to Post Master when network not available
Current Horizon Network
[Diagram (imj_Router_Rollout_v2.vsd, "Horizon"). Labels: Access Networks; Clients / RMG / Support; Inter Data Centre Network (IP / SAN); Data Centre 1; Data Centre 2; ADSL, ISDN; Branch; Gateway PC; Slave PC; Hub; Large branches with hub; Small branches without hub.]
Branch Size
• 1 Counter > 5,000
• 10+ Counters < 150
• Average 2 counters
Network Throughput
• Average branch = 6 kbps
• Average of largest branches = 22 kbps
Security
• VPN within Branch and to Data centre
HNG-X Network Branch Access 1
• Main changes
  • Branch Router replaces software Router on Gateway PC
  • GPRS / 3G backup everywhere & Wireless WAN service provider interconnect
  • Auto provisioning over ADSL
  • Simplification / consolidation as a result of reducing ISDN dial capacity
  • Application Support
    • Moving from UDP messaging to Web Services
  • Security
    • Removal of IPSEC VPN
  • Location - data centre delivery
• Reuse
  • Common ADSL infrastructure & Data centre handoff model
HNG-X Network Branch Access 2
Branch Network Strategy, Version 0.6
[Chart (imj_Router_Rollout_v2.vsd, "Branch Strategy"). Dates shown: 07/08, 09/10. Row headings: Primary Network; Backup Network; Branch Network Device. Legible labels: ADSL - IP Stream Home; ADSL - C&W Data Stream; ISDN Voice; ISDN Data; ISDN FRIACO; VSAT; ISDN Backup; On Demand Mobile; GPRS/EDGE/3G; Nailed up ISDN; PSTN; RAS Gateway PC; Branch Router; VSAT Gateway PC. Legible annotations: "500 expected to reduce with rollout of branch"; "To ADSL"; "Non VSAT Branches (subject to mobile signal)"; "All Branches (subject to mobile signal)"; "Technology enabled". Legible figures: 10,500 branches; 5,500; 11,000; 1700; 14,000; 140; 60.]
HNG-X Network Branch Access 3
[Diagram (mj_Router_Rollout_v2.vsd, "HNGXRouterOverview"). Labels: Data Centre 1; Data Centre 2; Branch Access Network; GSM Receiver; UMTS/GPRS Backup; ISDN; Router; Gateway PC; Slave PC; Laptop; Mobile Counters; Small branches without hub; Large branches with hub.]
HNG-X Data Centre 1
• Main changes
  • Application Support
    • Moving from UDP messaging to Web services model
    • Provision of SSL Termination
  • Security
    • Intrusion Detection System and Intrusion Prevention System
  • Network Services
    • DNS / Naming support
    • Logging - EnVision Network logging platform
  • Move to Fujitsu Services Data Centres with Active / DR model
  • Network Workload
    • More connection setup / clear down but less data
    • 50 TCP connections / second to 800 TCP connections / second
HNGX Network Data Centre 2
• Reuse
  • Cisco Catalyst switch for within data centre connections to servers
  • Fibre channel for extending SAN between Data centres
  • Web services - Global Load balancing approach
  • Internal Firewall module
  • Network Management solution / technology
HNGX Network Data Centre 3
• Inter Campus Services
  • SAN extension (2 G Fibre channel)
  • IP Traffic (1 G Ethernet)
  • Interfaces from managed shared service
  • Resilient services based on two separate Dark Fibres between Data Centres each terminating on separate Component (DWDM)
  • Latency bounded as point to point services with max specified distance
• SAN
  • The SAN connectivity for HNG-X will be implemented using Cisco MDS9509 Director Class fibre channel switches in order to take advantage of the added availability and stability associated with this class of hardware.
  • There will be two SAN Directors deployed at each HNG-X data centre. Both power and FC cabling will be fully resilient.
HNGX Network Data Centre 4
• LAN Design model
  • Logical
    • Network Layers - Core / Distribution / Access Layer
  • Security
    • Tiers (inner / outer / DMZ)
    • Traffic separation
  • Components
    • Load Balancer
    • SSL Termination
    • Inside Firewall
    • Outside Firewall
    • IDS / IPS
HNGX Network Data Centre 5
• LAN Design model
  • Physical
    • Pair of Cisco Switches (6500) in Core / Distribution layer with Intercampus connectivity and for Firewall / Load balancing
    • Pair of Cisco Switches (6500) in Access layer with Intercampus connectivity and for SSL Termination
    • 3 Physical DMZs each with dedicated outer firewall pair
HNGX Network Data Centre WAN 1
WAN Landscape, Version 0.2
[Diagram: WAN landscape. Key: grey shading marks items to be migrated.]
HNGX Network Data Centre WAN 2
• Reuse
  • Same approach to Wide area network services, specifically use of MPLS clouds
  • Use of existing circuits and interconnects where appropriate
HNGX Network External Interfaces 1
• Interface between HNG-X and third party
  • Not just connection but formal interface e.g. EPAY, DVLA
• Two classes
  • Interface is remote from data centre
    • Examples DVLA, RMG, EPAY
  • Interface is local to HNGX data centre
    • Examples Streamline, Link and EDS
• General approach
  • Remote interfaces: no change to Physicals, IP routing and IP addressing
  • Local interfaces: Agree Interface changes to support new data centres
  • All interfaces: Agree operational acceptance method & criteria
HNGX Network Migration 1
• Data Centre Phasing
  • New Data centres join network
  • 4 Data centre working phase (single network)
  • Old Data Centres leave network
• Examples of Techniques being used
  • Traffic steering via IP Routing for Branches
  • Subnet migration resulting from constraint on keeping IP addresses the same to simplify data centre move
HNGX Network Migration 2
• Application Phasing
  • All Branches on Horizon
  • Some Branches on Horizon and some on HNG-X (application perspective)
• Network changes during application switch
  • Removal of Horizon VPN between data centre and branch and removal of within branch Horizon VPN
  • New Branch LAN IP address
• Branch Network
  • Introduction of New network services to branches; Mobile (GPRS/EDGE/3G)
  • Removal of Satellite service to branches
  • Migration of ISDN sites to ADSL
  • Branch Router replaces Gateway PC Software Router
• Questions?
Load Balancer
• Cisco Content switching module
• Performance
  • 1 million concurrent TCP connections (Design target is 34,954)
  • 165,000 connection setups per second at Layer 4 (Design target is 828)
  • Total combined throughput of 4 Gbps (client to server and server to client) (Design target is < 32 Mbps)
  • 1.25 million packets per second (Design target is < 17,000)
  • 16,384 Real servers (Design Target < 40)
• Currently used today in Horizon (DVLA, PAF and LINK banking)
SSL Offload
• Cisco SSL Module
• Performance
  • 3000 new connections per second (Design Target is 583)
  • 60,000 simultaneous connections (Design Target is 34,954)
  • The SSL Module can support up to 300 Mbytes/sec of bulk encryption (design target is 4 Mbytes/sec)
Firewall
• The Cisco FWSM provides:
  • 100,000 connections per second (design target is 828)
  • 5 Gbps throughput (design target is 35 Mbps)
  • 1 million concurrent connections (design target is 34,954)
Network Layout
• Same approach to Wide area network services and reuse of circuits
• Data centre core components same as in Horizon
  • Cisco Catalyst switch for within data centre connections to servers
  • Cisco Fibre channel switch for extending SAN between Data centres
Horizon Branch - Gateway PC (Software Router)
[Diagram: Horizon branch connectivity via Gateway PC (software router). Labels: HSCSD Dialled Calls; GSM Receiver; GSM Modem (HSCSD); Serial #2; Orange; Kingston Telecom; ISDN Direct Dial to Data Centres (“Voice”); RAS; ADSL; ISDN Routers; Gateway PC; ISDN; PSTN; IP (L2TP); CVX; BT DLE (4 of 700); BT Local Exchange (1 of 6000); ATM; Energis; VPN Servers; Data Centre; ADSL - Fujitsu Services; IP Stream; BT BAS; Fujitsu Services; VSAT Gateway PC; PES & Dish; Earth Station.]
HNG-X Data Centre
[Diagram: HNG-X data centre LAN layout, Live Site and DR Site. Labels: DVLA Access LAN; EPAY Access LAN; StreamLine Access LAN; Client DMZ LAN; Load Balancer; Client DMZ; Central VLAN (may be more than one LAN); Inside Firewall; Central Servers; IDS; Radius Servers; Branch DMZ LAN; Branch Access LAN; Support Access LAN; Resilient WAN; Resilient LAN. Note on diagram: "Management LAN for network an[…] devices and console access not shown".]