In this year’s November, the project Renewal of the Campus Network Backbone has been completed. Its goal was the replacement of the layer-3-switches at nine university locations, as well as to replace the firewall technology used in the backbone. As a result, the university locations are now equipped with state-of-the-art network technology – for redundant and high-performance connections with 100 GB/s between the individual locations.
The project first began in summer 2017, when an application for large-scale equipment was submitted to the Saxon State Ministry of Science, Culture and Tourism (SMWK). The funding of approximately 1.5 million euros was approved just under a year later. In an initial test phase, the latest Cisco Catalyst 9500 switch generation, which was still in development, was tested in an URZ laboratory environment until autumn 2018. By participating in the Early Field Trial (EFT), important software features could be tested and optimised directly with the manufacturer. Thus, every thing was ready to order and after a while two pallets with 700 kg of switch and firewall technology reached the URZ office at the beginning of 2019.
It was now possible to test everything again and plan the migration. The conversion of the backbone was performed gradually. Firstly, the university part Wilhelm Raabe Street was converted. Since it is a small location, problems that would only become apparent in a productive environment would not be offered a too wide field. Fortunately, in the following months, the other locations were also converted largely without difficulties. On 30 October 2021, the last and most complex migration took place at the X-WiN/Internet access, with the replacement of the router and the firewall.
For all those technically interested people, below are given some information on the transmission techniques and protocols used in the backbone:
The set goal of the project was to increase the bandwidth. Connections between the university areas are now mainly based on 100 Gbps uplinks, which can be bundled as needed using EtherChannel (max. 8). Even though there are currently no bottlenecks to fear with this bandwidth, the Voice-over-IP traffic in the backbone is transmitted prioritised by means of Quality of Service. To a large extent, the optical fibres in the backbone are leased from Deutsche Telekom and Eins Energie. The data transmission over these leased lines is encrypted using AES-256 at the hardware level.The IEEE 802.1AE standard is used here. If necessary, the current 2 x 10 Gbps uplinks can be converted to 2 x 25 Gbps uplinks to connect the floor nodes to the backbone. The proven routing protocols OSPF and OSPFv3 are still responsible for the internal routing of IPv4 and IPv6.
The network virtualization takes place by means of Virtual Routing and Forwarding (VRF) and Multiprotocol Layer Switching (MPLS) in connection with Layer3-VPN. This means that campus-wide security zones are operated. The Internet connection is still implemented redundantly via the connections to the X-WiN nodes in Leipzig and Berlin, with the external routing and load sharing being implemented using the Border Gateway Protocol (BGP). Four appliances from the Cisco Firepower family are used as firewalls. Several virtual firewall instances, which control the data traffic in the data center and to and from the campus-wide security zones, run on two of these appliances. Two further appliances secure the university’s Internet access using filter rules and take care of the NAT address translation for network areas with private IP addresses such as those from the WLAN. All layer 3 switches and firewalls are designed redundantly so that network interruptions in the event of software updates or defects are minimized.