Managed LAN Technical specification
Version 1.0, July 2015
LHR Airports Limited (cover image: see photolibrary.heathrow.com)
Contents
Introduction 3
Service overview 4
High level design 4
Options 6
Contacts 8
Introduction

Heathrow has been the busiest international hub airport in the world for the past decade, handling more than 70 million passengers a year. To cater successfully for such an extraordinarily high volume of traffic, the airport operation must rest on robust groundwork that provides a reliable, uninterrupted service. The IT infrastructure at Heathrow has been built to meet challenging criteria and is constantly upgraded to adopt the latest innovations and standards. Its proven design handles the daily routine operation as well as unexpected events.

The Managed LAN service is the core offering within Heathrow's Commercial Telecoms portfolio. It provides a secure, reliable, flexible and inexpensive way to network data and IT systems within a given terminal or terminals. Customers connect end-station equipment (PCs, printers, servers, workstations) directly to the LAN's Ethernet infrastructure, and Heathrow seamlessly facilitates connectivity. Heathrow's Managed LAN service delivers impressive stability at unbeatable cost.

Please note: these prices are subject to a signed contract.
Service overview

The Heathrow Airport Managed LAN service delivers an environment that connects multiple sites together and uses industry-standard technology to deliver secure, scalable customer VPNs. The service, wrapped in the ITIL service management set of practices, focuses on aligning the IT services with the needs of your business.

The service runs over Heathrow's proven Cisco three-layer hierarchical network (core, distribution and access), with significant separation and diversity, providing the highest levels of resilience and availability. A modular network design means that changing business requirements can be supported efficiently within the agreed SLAs. Layer 3 MPLS VPNs (multiprotocol label switching virtual private networks) provide logical and secure segregation between customers: each customer's routes are held in their own VRF, so traffic cannot cross between customer VPNs except where a firewall policy explicitly allows it.

The infrastructure fully supports the transport of voice, data and video. The Heathrow LAN is capable of running QoS, is configured to do so, and QoS policies are applied where appropriate.

The Managed LAN service conforms to the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Should a customer require the current certification for their own compliance requirements, access to it will be made available on www.heathrow.com.

High level design

Heathrow invested significantly in its network architecture in 2008 under its capital investment programme (CIP). This replaced a legacy infrastructure that had grown organically and contained numerous single points of failure; that legacy infrastructure had triggered a number of significant outages with a knock-on impact on the airlines operating out of Heathrow.

Approach

Before making any investment, Heathrow considered the key business requirements and concluded these to be resilience, capacity and scalability. Investment in resilience would optimise uptime, and a corresponding approach to capacity would ensure optimal network performance at all times.
Scalability was considered key so that the network could expand or contract in line with changing business requirements and adapt to increasing data consumption without the need for a wholesale refresh. These principles, amongst many others, are recorded in the network building blocks. The building blocks set out Heathrow's approach to its data network architecture and remain a key reference for those developing and maintaining the network, ensuring ongoing integrity and avoiding bespoke implementations.

Resilience

Resilience was considered from a number of perspectives. The first is physical: duplicated equipment (core and distribution layers) is placed at different locations. This hardware has two power supplies, and the power feeds are themselves diversely provided from different supply stations and energy providers. The fibre optic connectivity between these devices never shares a cable or uses the same pit and duct system, and the same is true of connectivity from the distribution to the access layer.

The second perspective is logical routing, or the connection of data paths. To mitigate single points of failure at the access layer, end user devices are spread across different access layer switches, a practice known as interleaving: each end user device is provided with live LAN ports fed from two different access layer switches, each switch fed from a different (north or south) power supply. A long sequence of multiple events would need to occur for a network failure to have a widespread impact on services. Heathrow applies these same principles across the common infrastructure, namely at Terminals 2 and 5.
[Figure: the three-layer hierarchy of core, distribution and access layers]

Capacity

The approach to capacity takes into account all the services that run over the network, ranging from voice and video through to baggage messaging. It was important that the network had the capacity to support all of these services. Within the network the links between core and distribution devices are 10 Gbit/s. The links between distribution and access devices are normally 1 Gbit/s. At the access layer a client or end user device can connect at speeds from 10 Mbit/s to 1 Gbit/s, depending on the location. Where 1 Gbit/s is allocated to a client device, the uplinks to the distribution layer are increased to 10 Gbit/s. For the common use systems provided to airlines, the configuration at the access and distribution layers always provides a minimum of 100 Mbit/s to the end user device.

The Heathrow LAN is also capable of running quality of service (QoS) and is configured to do so. Heathrow has QoS policies in place that give higher priority to voice (for IP telephony) and video (for CCTV). Once utilisation exceeds defined early warning indicators, each separate system is prioritised by its class of service (CoS). The early warning indicators are defined within Heathrow's capacity management tool and, once exceeded, automatically generate an incident in the service management toolset for follow-up investigation. As a further precaution, a manual review of utilisation is undertaken monthly.

Scalability

A scalable infrastructure was adopted so that a wholesale refresh of the network architecture could be avoided unless there was a major change in the vendor roadmap. This means that the network can be expanded or contracted as business requirements dictate.
A good example of this approach to scalability is the use of modular network devices in the core and distribution layers. Over time, capabilities can be added or removed without replacing the whole device. This reduces cost, minimises both downtime and risk, and permits a longer term of use of the asset, providing a better return on investment.
Network management

The Heathrow network is supported by highly qualified and competent staff and a combination of complementary network management tools, each selected for its particular strengths. At the centre is EMC Smarts, which provides real-time information about the status of the network to the engineering teams; this includes automatically raising incidents in the service management tool once defined thresholds have been breached. Alongside it, Concord eHealth acts as a capacity and availability reporting tool to identify trends over time. Configuration management is controlled by AlterPoint DeviceAuthority, which governs change on the network through its policies and also provides backup, configuration and rollback of network changes.

Security

The Heathrow network service is aligned with the principles of the ISO 27001 international information security standard. Internet Protocol Security (IPsec) is used for encryption and authentication of the private customer networks. All access ports have bridge protocol data unit (BPDU) guard enabled: an access port that receives a spanning-tree BPDU is shut down (err-disabled), so a rogue switch cannot insert itself into the spanning-tree topology and destabilise the network, protecting the data centre core. BPDU guard acts on devices that send BPDUs, so it is a spanning-tree protection rather than a general port-admission control. Inter-VPN security is provided by firewalls partitioned into virtual domains (VDOMs), one virtual firewall per VPN, maintaining the integrity of the MPLS VPNs. Inter-VPN traffic is governed by the firewall rule set specific to each VDOM.

Options

MPLS Virtual Private Network

Whenever there is a need to provide the Managed LAN service across multiple airport terminals, an MPLS VPN is deployed. It allows a device to connect across the terminals to other devices on the same MPLS VPN.
The MPLS VPN is configured for the customer over Heathrow's MPLS backbone, benefiting from the functionality, security and management policies of the private network. The design of the MPLS VPN is based on layer 3 VLANs deployed in the terminals which are all part of the same virtual routing and forwarding instance (VRF); this allows them to communicate with each other as if they were directly connected to the same private network, while their routes stay separate from every other customer's VRF. The customer is simply presented with Ethernet ports at the access layer and Heathrow manages the rest of the infrastructure, leaving the customer to get on with their day-to-day activities. The MPLS VPN can have an egress point to a WAN circuit for external connectivity out of the Heathrow campus, for example to the company's headquarters or data centre for corporate services.

[Figure: two customer VPNs (VPN A and VPN B) spanning edge sites, including Terminal 3, over the MPLS core; each edge site attaches through provider edge (PE) routers and the two VPNs remain separate]
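The two segregation controls described above, BPDU guard on every access port and customer VLAN interfaces bound to a VRF, are the kind of thing a customer or auditor would want to verify rather than take on trust. The following Python script is an added example written for this page, not Heathrow's tooling: it audits an IOS-style running configuration for both controls. The configuration text is constructed, and the interface names, VLAN numbers and VRF name are assumptions. It follows the Cisco IOS semantics in which the global command `spanning-tree portfast bpduguard default` enables BPDU guard on portfast ports, and a per-interface `spanning-tree bpduguard enable` or `disable` overrides that default.

```python
"""Audit an IOS-style running config for two controls the specification
relies on: BPDU guard on every access port, and every layer-3 VLAN
interface (SVI) bound to a VRF so customer traffic never routes in the
global table.  Example written for this page; not Heathrow's tooling."""
import re

# Constructed sample configuration (not a real Heathrow switch).  Interface
# names, VLAN ids and the VRF name are assumptions for illustration.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description customer A desk port (guard inherited from global default)
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description customer B desk port (no portfast, so no guard)
 switchport mode access
 switchport access vlan 120
!
interface GigabitEthernet1/0/4
 description misconfigured: guard explicitly disabled
 switchport mode access
 switchport access vlan 120
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface TenGigabitEthernet1/1/1
 description uplink to distribution (trunk, BPDUs expected here)
 switchport mode trunk
!
interface Vlan110
 description customer A SVI inside its VRF
 vrf forwarding CUST-A
 ip address 10.110.0.1 255.255.255.0
!
interface Vlan120
 description customer B SVI left in the global table (segregation gap)
 ip address 10.120.0.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} for each interface block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return blocks


def access_ports_without_bpduguard(config):
    """Access ports that would NOT be err-disabled on receiving a BPDU.

    Guard is active when the interface has 'spanning-tree bpduguard enable',
    or when 'spanning-tree portfast bpduguard default' is set globally and the
    port is a portfast port; 'spanning-tree bpduguard disable' on the
    interface overrides the global default.
    """
    guard_default = re.search(r"^spanning-tree portfast bpduguard default$", config, re.M) is not None
    portfast_default = re.search(r"^spanning-tree portfast default$", config, re.M) is not None
    missing = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks/uplinks legitimately exchange BPDUs
        if "spanning-tree bpduguard disable" in lines:
            missing.append(name)
            continue
        if "spanning-tree bpduguard enable" in lines:
            continue
        portfast = "spanning-tree portfast disable" not in lines and (
            portfast_default or any(l.startswith("spanning-tree portfast") for l in lines))
        if not (guard_default and portfast):
            missing.append(name)
    return missing


def svis_outside_vrf(config):
    """Layer-3 VLAN interfaces carrying an IP address but bound to no VRF."""
    out = []
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith("vlan"):
            continue
        has_ip = any(l.startswith("ip address ") for l in lines)
        in_vrf = any(l.startswith(("vrf forwarding ", "ip vrf forwarding ")) for l in lines)
        if has_ip and not in_vrf:
            out.append(name)
    return out


if __name__ == "__main__":
    print("access ports without BPDU guard:", access_ports_without_bpduguard(SAMPLE_CONFIG))
    print("SVIs routing in the global table:", svis_outside_vrf(SAMPLE_CONFIG))
```

On the constructed sample the first check flags GigabitEthernet1/0/3 (an access port without portfast, so the global default never applies) and GigabitEthernet1/0/4 (guard explicitly disabled), while the trunk uplink is skipped because it is expected to exchange BPDUs with the distribution layer. The second check flags Vlan120, whose customer SVI would route in the global table rather than inside its VRF. Run it against a saved `show running-config` to obtain the same report for a real switch.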
Virtual local area network

Within a single airport terminal, a virtual local area network (VLAN) is deployed. A single layer-2 network may be partitioned into multiple distinct broadcast domains that are mutually isolated, so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN. Each customer is assigned its own dedicated virtual network, which cannot be used or connected to by other customers, while sharing the common infrastructure with the other customers' virtual networks.

[Figure: terminal domain: two DSCRs, with VLANs extending across several SCRs to serve areas such as storage and lounges]

DSCR (distribution communications room): the main communications rooms, two per terminal domain (for example one in T2A and one in T2B). These house the domain-level network devices, routers and switches. Physical resilience is provided by two geographically separated DSCRs for each IP domain.

SCR (secondary communications room): multiple communications rooms located more frequently across the terminal (Terminal 2, for example). These house the access layer switching, have 10U lockable compartments and are located to provide optimal coverage for the Cat6 structured cabling layout.

Consolidation point: located every 5 m² across the terminal, consolidation points are what make the Common Infrastructure as flexible as it is. A consolidation point can serve one or more demises, and each has up to 12 data ports. For areas where a high number of ports is required, Heathrow can flood these areas with additional consolidation points.

Bandwidth
10 Mbit/s: suitable for specific purposes, such as telephony
100 Mbit/s: a frequently used option, sufficient for most applications
1000 Mbit/s: provision for the most demanding data transfer requirements
Contacts

Telephone: 0208 745 6565
Email: Heathrow@sita.aero
Address: Compass Centre, Nelson Road, Hounslow, Middlesex, TW6 2GW

Legal notice

Heathrow Airport Common Infrastructure Policy (CIP) and Heathrow Airport Limited reserve all of their rights and remedies in respect of the CIP, including but not limited to those rights relating to scope, application and enforcement. The rights and remedies set out in the CIP are in addition to, and not exclusive of, any rights or remedies provided by law. This document and the information contained therein are confidential and remain the property of Heathrow Airport Limited. The document may not be reproduced, nor its contents transmitted to any third party, without the express written consent of Heathrow Airport Limited. This document and the information contained therein are subject to contract.