Discovery Network Description and Proposed I2 Implementation 1
The Point ● Main users of I2 likely not permitted on FS network – Russia project (Rackspace) – Air quality forecasting (NWS / Direct Broadcast) – Anything Cray – Anything w/non-I2 external collaborators ● So...connect I2 to something we can use. 2
What we need ● Collect our “banished applications” under one umbrella for easier management. ● Retain ability to collaborate with external parties. 3
Proposal ● Create a space for Research ● Connect I2 to that 4
Vision/Requirements 5
Requirements (Access) Users on the FS Network can seamlessly access items on the Discovery Net- ● work or on the web. Users on the Discovery Network cannot access the FS Network. ● The Discovery Network (DN) is divided into the "Public Discovery Network" ● (WebDN) and the "Protected Discovery Network" (PDN) Protected Discovery Network Access ● Users on the PDN can seamlessly access items on Internet2 or the – web. The PDN is the "default" network assigned to unrecognized ma- – chines connected to the local physical network. Public Discovery Network Access ● WebDN accepts inbound traffic from the public internet. – 6
Requirements (Services) Users on the Discovery Network can authenticate using Forest Service Active ● Directory or the External Users Active Directory. Users on the Discovery Network have access to the printers in the building. ● A well defined portion of the External Users Active directory is locally managed ● (either directly or via tickets). DNS and DHCP provide human readable, locally managed names to recognized ● machines on the Discovery Network. The namespace should be something under fs.usda.gov. DHCP may be locally configured (or requested to be configured) to allow specific ● machines a static IP address. Remote users (FS or external) can VPN in to the PDN. ● Remote servers can VPN into the PDN or WebDN. ● Separate, locally managed, firewalls must be set up between the public internet, PDN ● and WebDN. 7
Requirements (Permission) ● Activities and software on the Forest Service network are forbidden unless specifically permitted. ● Activities and software on the Discovery Network are permitted unless specifically forbidden. 8
Observation ● Firewall separating FS network from Discovery network can be same as FS ↔ Public Internet 9
Local Scale Implementation 10
Analogies ● NWS net = FS net ● Cray Network = Discovery Network ● DSL line = Internet2 (ish) 11
Local scale status ● Cisco 3560 switch configured for traffic isolation at level2 ● Need to configure firewall/router to connect the pieces – Intend to connect Cray net to DSL – Connection of NWS to Cray net is certain – NWS ↔ DSL requires a great deal of care, may be skipped 12
Relationship to I2 ● CIO “scales up” my local implementation using analogy – multiple switches – remote administration/mgmt – method to request firewall changes (tickets?) 13
Desired Result ● Collaboration ability retained ● Provide environment for banished applications ● CIO assumes responsibility for networks ● Solution can be deployed elsewhere 14
Questions? 15
Recommend
More recommend
