Vancouver 2010 Winter Games: The most technologically advanced network in Olympic history
by Dean Frohwerk (Nortel), Simon Edgett (Bell), and Greg Moore (Nortel)

Nortel Technical Journal, Issue 7

When the Olympic Flame is lit at the opening ceremonies for the Vancouver 2010 Olympic and Paralympic Winter Games on February 12, 2010, it will represent the culmination of years of dedicated preparation by the athletes participating in the event. In much the same way, it will mark the culmination of years of designing, testing, and deploying the communications and data network that will be critical to the success of the Games. The Vancouver Organizing Committee for the 2010 Olympic and Paralympic Winter Games (VANOC), Bell – the official telecommunications provider of the first-ever all-IP Games – and Nortel – the official converged network equipment supplier – are working together as one team to deliver a secure, reliable, end-to-end communications experience for the Olympic family of athletes, media, officials, and spectators at the Vancouver 2010 Winter Games. While the goal of technology is to be invisible during the Games, significant effort is taking place behind the scenes to deliver a flawless communications experience to all those involved.

Every four years the world stops to watch the Olympic Winter Games. It’s a true symbol of global cooperation, of setting goals, achieving dreams, and recognizing excellence. Reflecting the growing international scope and significance of the event, the Vancouver 2010 Olympic and Paralympic Winter Games will be of a scale beyond anything seen before. During the 17 days of Olympic events and 10 days of Paralympic events, some 192,000 sports timing, distance, or scoring events will be captured and 10,000 hours of television coverage will be broadcast to 3 billion television viewers in 160 countries – 20 times more viewers than the U.S. Super Bowl. The Games will host 5,500 Olympic and 1,700 Paralympic athletes and officials from more than 80 participating countries, as well as 10,000 members of the media, 25,000 volunteers, and up to 1.8 million live spectators at various venues in Vancouver and Whistler.

Operating behind the scenes, and critical to the success of the Games, will be a highly robust, secure, and available all-IP network – the first in Olympic history – delivered by Bell and built using Nortel technology. Nortel will be supplying converged wide area network
(WAN) equipment to Bell, the official telecommunications services provider, as well as converged local area network (LAN) equipment to the Vancouver Organizing Committee for the 2010 Olympic and Paralympic Winter Games (VANOC). As a result, Nortel voice and data equipment will provide the end-to-end infrastructure for the Games. Together, Bell, VANOC, and Nortel will deliver the most technologically advanced network in the history of the Olympic Games.

The all-IP converged network for the Vancouver 2010 Winter Games will span 15 Games venues and numerous non-competition sites (e.g., two data centers, two media centers, two athlete villages, two ceremonial sites, and VANOC headquarters) in Vancouver and the coastal mountain resort of Whistler, 120 kilometers away. It will support some 15,000 Voice over Internet Protocol (VoIP) phones, 7,000 mobile phones, 500 wireless access points, and more than 40,000 wired and wireless Ethernet ports on a 10 gigabit per second (Gbit/s) core network.

Building this network to meet the high expectations of VANOC, spectators, and participants is a challenging undertaking. Being a truly hyperconnected event, the network must have the flexibility to accommodate the huge number of different devices that need to be connected, while providing simple and secure access to its subscribed services over wired, wireless, and Internet connections. The network must also be able to deliver anytime, anywhere access to information and ensure that critical Games data (such as timing and scoring) is captured and relayed accurately, reliably, and instantaneously.

Indeed, the requirements of the Vancouver Games are pushing the frontiers of networking, setting the performance bar higher than ever before. Designing, deploying, and operating an Olympic and Paralympic Games Network presents a number of significant challenges, including:

• The Games have extremely unusual traffic patterns: The network not only needs the capacity to support all the different devices and users, but it also needs to be flexible enough to quickly and automatically adjust for rapid and unpredictable changes in traffic patterns. In particular, the network must have the capacity to deal with sudden peaks in traffic. Consider, for example, the downhill ski finals, where hundreds of photographers will be lined up to capture images of the racers as they cross the finish line. They’ll hold their fingers down and take 10 pictures in a single second – each picture being 15 megabits in size – and the photos will be transmitted back to their editing areas so that within minutes they can be up on the Internet. With 60 races following one after another, there will be 60 peaks where network traffic will cycle from zero to gigabytes and back to zero.
• Real-time network access is critical: Immediate access to the network will be critical for some very demanding customers – like journalists and photographers needing instant access to the network for filing stories or sending images from remote venues, and athletes needing to communicate with their coaches anytime, from anywhere.
• Nothing less than 100% availability and reliability is acceptable: Equipment must be installed very quickly and must work flawlessly. An athlete who has broken a world record cannot be asked to repeat the performance because of a network glitch. According to Andy Platten, Vice President of Technical Infrastructure for VANOC, the 2010 Games network will be roughly of the same complexity and size as a large banking institution. But at the Games, it will be like launching all the branches on the same day, with all the systems working perfectly from the very start. The network must work flawlessly – downtime is unacceptable. There are no retakes, and there is no margin for error.
• Security is an absolute requirement: It is estimated that there will be over one million attacks against the Games network – both planned and unintended. Detection and isolation from these attacks is critical to protect not only against intentional threats coming from outside the network, but also against unintentional threats arising from inside it.

Since Bell is delivering an all-IP Olympic Games on all-Ethernet infrastructures, the traditional Olympic network model is getting a much-needed overhaul. Previous Olympic Games had separate networks for voice, Games-related data, Olympic family Internet access, and other services. The Vancouver 2010 Olympic Games will operate on a converged Carrier Ethernet network that will deliver carrier-grade voice services, Games-related data applications, the Games administration network, and wired and wireless Internet access.

Delivering the different network services across this same infrastructure provides many synergies. For example, this converged network enables Bell, the official telecommunications services provider, to streamline their management and administration processes. It enables the integration of the Nortel Secure Network Access (NSNA) system into the converged network design, enabling mobility and ease of use. For example, Bell and VANOC can share network access switching, enabling applications to be streamlined to reach through to any user on any network segment as appropriate.

Carrier Ethernet Core network

At the heart of the 2010 Games Network is the Sea to Sky Carrier Ethernet Core network that interconnects the four main Olympic sites – two in Vancouver, one in Whistler, and the broadcast center also in Whistler (see Figure 1 on page 34).

The Layer 2 (L2) Ethernet core will be built out using Nortel’s Ethernet Routing Switch (ERS) 8600s. Diverse 10 gigabit Ethernet (GE) links will connect each venue back to the core. To meet the extremely high resiliency requirements of the Games, these 10 GE
LAN circuits will set up a full mesh split   to reroute failures as quickly as possible.      larger numbers of discrete flows. The
multi-link trunking (SMLT) core be-             Within the 2010 Games network the             network design allows multiple levels of
tween the ERS 8600s located at the core      general philosophy will be to perform            Quality of Service (QoS) to deliver the
sites. SMLT is a Nortel innovation that      as much of the heavy lifting (i.e., clas-        appropriate QoS for each user and ap-
helps eliminate single points of failure,    sification and marking) as possible at            plication. The various Olympic services
at both the nodal and card levels, and       the access switch layer. This allows any         (i.e., VoIP, Internet, and Admin) will
creates multiple paths from user access      packet inspection that needs to be done          all have a dedicated level of QoS and
switches to the core of the network.         to be pushed as far out into the network         dedicated hardware queues throughout
Compatible with IEEE 802.3ad, SMLT           as possible, thereby reducing the perfor-        the network.
provides architecture to design resiliency   mance impact on core switches with their             While the vast majority of the 2010
directly into the network. It also works     higher aggregate interface speeds and            Games traffic will be Ethernet, there is


  Figure 1. Carrier Ethernet Olympic Core network

     Carrier Ethernet core


                                                             Sea to
                                                              Sky
                                                            photonic
                                                              core




          SMLT                 SMLT                                                          SMLT                    RSMLT




       Whistler             Whistler                                                       Vancouver             VANOC Admin
       venue                venue                                                          venue                 network


         ERS 8600                  OME             ERS 5520                 ERS 8600                      10GE                   E/FE
         core switch (L2)          6500            Access Switch            core router (L3)              GE

  The Carrier Ethernet Olympic Core network provides                 equipped with multiple ERS 5520 Access Switches and
  the Layer 2 (L2) infrastructure for all the IP/Ethernet            pairs of L2 ERS 8600 switches running split multi-link
  services for the Vancouver Winter Games, including the             trunking (SMLT) technology, which provides both nodal
  Voice over Internet Protocol (VoIP) network, Internet              and card-based redundancy. In the VANOC Admin L3
  (Netzone and private IP services), VANOC Admin                     network, routed SMLT (RSMLT) is used for added
  network, the Games network, and the Rate Card                      resiliency. Within greater Vancouver, the network is
  Transparent LAN (Venue Connect, which supports the                 delivered across diverse 10 Gibabit Ethernet (GE) dark
  purchase of Ethernet bandwidth by the slice for                    fiber paths.
  orderable services for sports, media, broadcasters, and               The core network between Whistler and Vancouver is
  other Olympic family officials).                                   built on a Nortel OME 6500 common photonic layer
     The Core network is built upon the architectural                (CPL) dense wavelength division multiplexing (DWDM)
  principle of extending native L2 services to the venues,           system. It delivers multiple wavelengths for multiple
  much like a floor of a campus, and centralizing routing            10GE LAN PHY ERS 8600 connections, as well as an
  at the VANOC Admin network data centers and points                 OC-192 backbone SONET ring (the Sea to Sky photonic
  of presence where the service-specific Layer 3 (L3)                core) to pick up traditional TDM services.
  Nortel Ethernet Routing Switch (ERS) routers are                      This Carrier Ethernet Core architecture delivers an
  located. This architecture reduces costs and operations            all-IP network in a simple and elegant manner while
  complexity.                                                        meeting the extremely high resiliency requirements of
     Each of the venues in Whistler and Vancouver is                 the Games.




                                                                                                       Nortel Technical Journal, Issue 7   3
also a requirement to offer traditional               path along the 120-kilometer Sea to            demanding bandwidth and connectiv-
TDM services to organizations that are                Sky highway and existing fiber along an         ity requirements, a dense wavelength
still using legacy CPE equipment, such                inland path. This fiber diversity ensures       division multiplexing (DWDM) system
as ISDN. To transport SONET/TDM                       that network survivability requirements        – the Nortel Common Photonic Layer
services between the four core Olympic                are met. In the event of a fiber failure on     (CPL) system – is being deployed be-
sites, Nortel’s OM 6500 will provide an               one of the routes, all network traffic will     tween the core sites. This CPL system is
OC-192 unidirectional path switched                   be rerouted to the second fiber route           designed to support Nortel’s 40G wave-
ring (UPSR), with the fiber route                      with no interruption in traffic.                lengths without any change to the opti-
consisting of a newly constructed fiber                   To effectively and efficiently meet the      cal core, in the event that such band-


    Figure 2. VANOC Admin, VoIP, and Internet network architecture

                                                                                                   VANOC data center


                     Access
                     switches




                                                Carrier Ethernet                                   VoIP network
                                                 Core network




           Nortel 1120e                   ERS 5520                 ERS 8600                        Internet (Netzone) network
           IP Phone                       Access Switch            core switch (L2)
                                           Nortel
           ERS 8600
                                           Switched                  VANOC
           router (L3)
                                           Firewall                  Admin LAN
           Nortel Application             Communication              VoIP services
           Switch                         Server 2000
                                                                     Internet (Netzone)

    The VANOC Admin, VoIP, and Internet networks all share                   suitable for an untrusted entity, and the next step of
    the same physical ERS 5520 Access Switches and use                       authentication is triggered.
    dynamically assigned virtual local area networks                             For VANOC users, when their PCs are connected to
    (VLANs) to isolate the separate services.                                the NSNA-controlled ERS 5520 switch either directly or
       Once a service is identified and transitioned to a                    behind an IP phone set, they are supplied with a “red”
    service-specific VLAN, it is extended by point-to-point                  VLAN IP address. The Nortel Health Agent (NHA) client
    or E-TREE service across the Carrier Ethernet Core                       running as a Windows system service enables sign-on to
    network to application-specific ERS 8600 centralized                     both the NSNA controller and the Windows Domain
    core routers. This allows multiple networks to be                        Controller via the NSNA proxy. The NHA client performs
    logically separated across the Layer 2 Core network                      credential and compliance checks.
       In this network architecture, the Nortel Secure                       • If the credential check is successful and the
    Network Access (NSNA) platform not only secures                          compliance check confirms, for example, that virus
    access via network admission control, but also                           scanning and personal firewall is present, the user port
    dynamically assigns end stations (such as computers or                   is transitioned to the Admin VLAN, which extends to the
    phones) to pre-provisioned application-specific VLANs                    Admin core routers as shown in the figure.
    for the VANOC Admin, VoIP, and Internet (Netzone)                        • If the credential check is successful but the
    services. Each of these services is accessed by a                        compliance check is unsuccessful, the user is
    different authentication method delivered by NSNA.                       transitioned to a “yellow” VLAN, where he or she can
       The initial step for all of these methods is identical – a            either update their files, or remain and contact the Help
    new user is placed in a “red” VLAN that has access                       Desk for intervention.




4     Nortel Technical Journal, Issue 7
width demand manifests itself. In fact,    plays a second role in the network. All     competition-critical applications (such
the entire network has been designed to    wavelengths on the system will be Next      as scoring or timing systems for the
scale in place. The Nortel CPL system      Generation Modulation (NGM), uti-           events); results, accreditation, and other
provides the ability to dynamically in-    lizing OME 6500 NGM wavelength              information services; and the main me-
crease the number of wavelengths on an     translators. The NGM will translate         dia center in Vancouver and broadcast
as-needed basis, without interruption or   both the 10 GE and OC-192 signals           center in Whistler;
impact to existing traffic.                 received from the ERS 8600 and OME          • VoIP network, which will provide up
    In addition to providing the OC192     6500 to the appropriate wavelength for      to 15,000 voice and fax lines across all
SONET ring, the Nortel OM6500              transport by the CPL system between         venues;
                                           sites.                                      • Internet network, which will support
• If the credential check is
                                               Since the core switches are spread      access to the Internet through wired
unsuccessful, the user remains in          between Vancouver and Whistler (for         connections and wireless WiFi hot
the “red” VLAN and has no                  added geographic resiliency), Nortel’s      spots; and
access to Olympic services, and            NGM optics on CPL will interconnect         • Rate Card network, which will sup-
therefore is incapable of posing a         all the sites with multiple wavelengths     port all orderable network services
security threat.
                                           over two diverse fiber pairs. The NGM        offered by VANOC and Bell to the
    For VoIP users, when a Nortel
1120e IP phone set is plugged into         optics offer several valuable attributes,   sports community, media, broadcast-
the ERS 5520 Access Switch, the            including the ability to:                   ers, and other Olympic family officials.
phone signature is detected by             • compensate dynamically for chromatic      One example of a Rate Card service is
the NSNA controller’s Dynamic              dispersion in the fiber by using Nortel’s    a transparent LAN service called Venue
Host Configuration Protocol
                                           ground-breaking electronic Dynamically      Connect.
(DHCP) server, the IP address is
returned with the VoIP VLAN ID,            Compensating Optics (eDCO) tech-
and the phone tags its traffic with        nology, providing significant savings        VANOC Admin network
that VLAN as it ingresses the              because no dispersion compensation          While the Admin network carries the
Access Switch. Alternatively,              modules are required;                       standard office business systems you
802.1x Extensible Authentication           • provide enhanced forward error cor-       would expect any IT department to
Protocol can be used as an
                                           rection (FEC), which enables greater        deliver in a large enterprise environ-
authentication method.
    For Internet (Netzone) users,          reach with zero errors; and                 ment, it also hosts a number of special-
when they open their browsers              • tune to any ITU-standard wavelength       ized management systems that allow
the Captive Portal on the NSNA             on the 50 GHz grid, allowing a single       VANOC to plan and organize the
controller presents them with a            component to be used for any wave-          Games (e.g., Rate Card order portal,
logon screen. Olympic Family
                                           length for cost savings and flexible de-     competition schedule, and logistics
users would have previously
ordered their accounts through             ployment.                                   management system).
VANOC’s Order Portal, which                    Nortel Optical Metro (OM) 3500s            The VANOC Admin network is
communicates via Web Services              will be used to add and drop traffic at      an extension of the VANOC’s existing
to Bell’s Rate Card Support                the venues, while the OME 6500s will        Campus 2010 network, and provides a
System that populates the                  provide ring aggregation at the core        number of important services delivered
Lightweight Directory Access
                                           sites. Each OM 3500 will provide a mix      over Nortel equipment, including:
Protocol (LDAP) database for
NSNA authentication. After this            of DS-1, DS-3, and OC-3/12 services,        • L2 switching – ERS 8600, ERS 5520
authentication process, VLAN               depending on service demand at the          • L3 routing – ERS 8600, Nortel Secure
assignment is made via Captive             specific venue.                              Router Series
Portal services to the Netzone                                                         • firewalls – Nortel Switched Firewall
VLAN on the ERS 5520s, which is
                                           Service networks                            NSF 6616 and 5114
then extended to the Internet
core 8600 centralized routers.             Making use of this Ethernet and Optical     • remote access – VPN Gateway 3050
These routers are then                     core network are a number of service        • wireless LAN – WLAN Security
interconnected to Internet                 networks essential to the smooth func-      Switch (WSS) 2380, WLAN Access
peering routers (also ERS                  tioning of the Games. They include:         Point (WAP) 2330-A
8600s). The client traffic is then         • VANOC Admin network, which is                The Admin network extends to 22
transported from the venues to
                                           run by VANOC over the Bell Core             fiber-connected venues. There will also
the Netzone Internet network
where it is routed, fire-walled,           network and supports a number of ap-        be a number of support sites that will
and NAT’d before being                     plications for other Olympic Games          be delivered by Bell and implemented
connected with the Internet.               partners;                                   with Nortel Secure Routers. Remote
                                           • Games network, which will support         support locations will be securely con-


                                                                                                Nortel Technical Journal, Issue 7   5
nected behind the NSFs. However, it is              exception of services that are available         as scoring or timing systems for the
not possible for all venues to provide a            from Rate Card.                                  events, as well as Core Games Systems
consistent level of physical security – for            The Admin network will share the              applications such as accreditation,
example, a parking lot will not have the            same physical ERS 5520 Access Switch             sports entries and qualifications, medi-
same level of physical security as a venue          with the VoIP and Internet networks,             cal systems, and workforce manage-
such as the Olympic Village. To further             and VLAN separation will be used to              ment. The applications running over
enhance the security posture of these               isolate the separate services (see Figure 2      the network are delivered and managed
locations, the built-in stateful firewalls           on page 35).                                     by Atos Origin, a leading international
of the Secure Routers will provide an                                                                IT services company. Atos Origin has
additional layer of security.                       Games network                                    primary responsibility for information
   The Admin network will also provide              The Games network is a large and spe-            technology at the 2010 Games, includ-
communication services for Olympic                  cialized data network that will support          ing software applications development,
partners and official suppliers, with the            competition-critical applications, such          consulting, systems integration, opera-



    Figure 3. Games network architecture




     Bell
     L2
     venue

                                SMLT                SMLT                                                     SMLT


     Games                                                                 Data
     routers                                                               center
                               RSMLT                RSMLT                                                    RSMLT



     Access
     switches

                          Competition          High-profile
                          venues               venues

                                                                                                  Nortel             Nortel
           ERS 8600                       ERS 8600                    ERS 5520
                                                                                                  Switched           Application
           core switch (L2)               core router (L3)            Access Switch               Firewall           Switch
           10GE                 GE           E/FE
    The Games network supports all the competition-                            Each pair of ERS 8600s, in turn, is connected to the
    critical applications, such as timing and scoring,                      Bell core L2 ERS 8600s in a full mesh SMLT to provide
    as well as high-profile applications, such as results and               Layer 2 (L2) resiliency. The core ERS 8600s connect to
    accreditation. Delivered and managed by international                   centrally located VANOC Admin data centers through
    IT services company Atos Origin, this network has a                     the Carrier Ethernet Core network.
    critical requirement for local survivability that lends                    The mission-critical data centers include not only
    itself to a more traditional distributed routing model.                 ERS 5520s and ERS 8600s but also Nortel Application
       In this model, each venue in the Games network is                    Switches, VPN gateways, and Nortel Switched Firewalls
    equipped with multiple ERS 5520 Access Switches and                     and other security systems running the virtual router
    dual ERS 8600 routers connected with routed split                       redundancy protocol (VRRP) for reliability and
    multi-link trunking (RSMLT) for Layer 3 (L3) resiliency.                resiliency.




6     Nortel Technical Journal, Issue 7
tions management, and information security.

One of the critical applications running on the Games network is the Commentator Information System, which displays results on touch-screen PCs at the venue broadcast sites in a fraction of a second. Another application is the Games Intranet, which provides information on results, biographies of the athletes, press releases, and transportation information to accredited media and the Olympic family of athletes and IOC officials. The Games network also includes data feeds that convey information about what is happening during the Games to the rest of the world.

Since network outages could impact the results of a competition, the Games network has been designed to maximize security, performance, and availability (see Figure 3 on page 37). The network design includes a main data center and a backup data center, with the latter also functioning as a disaster recovery site. To provide the necessary resiliency and availability, the network design includes tertiary redundancy in a distributed routed design. The competition sites are a spoke for both of the dual hub-and-spoke data centers, and also support local routing in the case of a dual WAN failure.

The network will be managed from a technology operations center, which will host the main Help Desk and will monitor all systems and network components.

The two Games data centers and the main media center are built out with extensive use of Nortel Load Balancers, SSL Acceleration, Nortel Switched Firewalls, VPN gateways, and other data center security devices.

VoIP network
The Vancouver 2010 Winter Games will be the first Olympic Games where VoIP services on a converged network will be used – a model that future Games are set to follow. Using the VoIP capabilities of the Nortel Communication Server 2000 (CS2K) call server in the Olympic network, voice services will be delivered via hosted Centrex IP Call Manager (CICM Centrex IP) and 1120e IP sets (see Figure 4 on page 39).

The L2 Ethernet Core network extends voice VLANs in a centralized routing topology from each venue back to the Core points of presence (POPs), where traffic will be aggregated, routed, firewalled, and connected with the dedicated Olympic network CS2K over the Nortel ERS 8600 CS-LAN environment. Routing between IP phone VLANs will occur at the Vancouver Core POPs using the centralized routers.

The venue LAN will be responsible for authenticating, connecting, powering, and aggregating IP phone traffic onto an Ethernet trunk connection into the venue ERS switches. The venue VLANs will terminate on the VoIP Core 8600 routers, which will be the first L3 hop (default gateway) for all of the VoIP telephones in the venues. Routed SMLT (RSMLT) will provide a logical address per VLAN configured on the ERS 8600s to offer a redundant default gateway for the clients. The Core routers will then route traffic between connected VLANs, over links to VoIP core routers, or toward the CS-LAN-facing firewalls.

The Olympic network CS2K will be interconnected to the Bell Vancouver CS2Ks using both Session Initiation Protocol (SIP) and TDM trunking. The Vancouver CS2K tandems local traffic destined for the PSTN. Direct-connect trunking will also be implemented between the Olympic CS2K and the Bell Mobility Vancouver switch to support the Olympic five-digit dial plan between wireline and wireless users.

Internet network
The Internet network will support a number of Netzone services available through Bell, including wired connections and wireless hot spots. The Internet network will share the same physical ERS 5520 Access switch with the VoIP and Admin network and therefore follows a similar model, where wired users will be dynamically assigned VLANs via NSNA admission control (see Figure 2 on page 35).

Wireless LAN will run both at the VANOC headquarters and as a service at the venues and media centers. Both will deliver WiFi using 802.11g radios, which run on the 2.4 GHz open spectrum. By using 802.11g radios, clients can authenticate at up to 54 Mbit/s. Since the wireless client traffic will not be encrypted, it will be left to clients to secure their traffic with a mechanism that matches the sensitivity of the information being transmitted (e.g., a VPN back to their headquarters, or HTTPS for submitting stories). User authentication will be performed using the captive portal capabilities of the Nortel WLAN Security Switch (WSS).

In order to mitigate network congestion, a limited number of WiFi Access Points (APs) will be deployed in the designated areas. To ensure maximum throughput for those using the Rate Card WiFi system, there will be minimum association-speed requirements for anyone connecting to the system. 802.11b will be turned off on the Rate Card WiFi network due to the limitations of running in “mixed mode.”

The WLAN architecture is based on a centralized security switch model that controls all APs in designated areas. AP controllers will be located at the Bell POP and VANOC data centers for their particular applications, and each controller will be capable of managing over 100 APs. Multiple controllers will cluster to work as a single mobility domain. Controllers will dynamically manage radios in a single area, allowing for an increased feature set, security, and operational improvements.

User authorization and authentication will be handled by the WSS capturing an unauthenticated user’s HTTP(S) traffic and redirecting it to the WSS captive portal. The captive portal will
enable a user to present a username and password to be authenticated for Internet access. This methodology will use the same RADIUS server as the wired Internet service using NSNA and will provide a similar user experience.

The APs will be distributed at the determined venue locations using a VLAN on the common venue access LAN infrastructure; all user traffic is tunnelled from the AP to the controller. The APs will be powered via Power over Ethernet (PoE) from the access 5520s; the controller provides an Internet-facing port interconnected with the Internet core routers, where all client traffic will be forwarded.

Figure 4. Voice over IP (VoIP) network architecture
[Figure labels: Olympic network CS2K; Carrier Ethernet Core network; ERS 5520; Venue A; Venue B; 1100 series IP phones; Nortel Switched Firewall; SIP and TDM trunks; Bell national VoIP network; CS2K; PSTN]

The Voice over Internet Protocol (VoIP) network provides IP telephony services across all the Games venues and interworks with the public switched telephone network (PSTN). Vancouver will be the first Winter Games to exclusively use VoIP for all event locations.

Voice services are accessed using the Nortel 1100 series IP phones, including 1140s for executive and high-end services and 1120s for simple, intuitive telephony services. These phones connect to the Carrier Ethernet Core network via Nortel ERS 5500 Access Switches, which provide the required Power over Ethernet for the sets, negating the need for clumsy power supplies. In addition, the ERS 5500 works with the Nortel Secure Network Architecture (NSNA) infrastructure to assign users to the appropriate voice virtual local area network (VLAN) without the need for any real-time provisioning, regardless of where they connect the IP phone (see Figure 2).

A dedicated Olympic network Nortel Communication Server 2000 (CS2K) at the Carrier Ethernet Core edge will support a wide range of voice services at two levels. A highly featured enterprise service set has been specifically tailored for VANOC, and is already in use today. A more focused feature set will be provided to athletes and other short-term members of the Olympic family.

Session Initiation Protocol (SIP) (for multimedia sessions and VoIP calls) and TDM trunks (for legacy services) will connect voice traffic to fully redundant CS2Ks in the Bell national VoIP network. The CS2Ks will support close to 10,000 IP phones, and enable telephone services both within and between the Games venues, as well as telephone connectivity to the PSTN for direct-dialled long distance or calling card services.

Rate Card network services
Rate Card is an entity used by VANOC to allow members of the Olympic family to purchase Olympic-related products and services. These could include simple items like desks and chairs, but will also include individual network services. The Rate Card network will be put in place to support the purchase of all orderable services for sports, media, broadcasters, and other Olympic family officials, as well as to deliver the network-based services.

One of the more important services that will be available in Vancouver – and has not been available at previous Olympic Games – is the ability to purchase Ethernet bandwidth by the slice. A primary example is L2-transparent LAN service (TLS). This service – marketed as Venue Connect (point-to-point TLS) – will be sold by the bandwidth required, will have multiple levels of QoS, and will honor customer VLANs. This service will allow subscribers to purchase network connectivity and set up their own segregated segment on the Carrier Ethernet Olympic Core network, giving them the ability to take advantage of the reach and availability of the Core network at all Olympic sites and venues.

The user community will access these and other Rate Card services through a VANOC web portal. Bell is developing a Rate Card Support System (RCSS) to function as middleware between the web portal and Nortel network elements. RCSS provides flow-through provisioning by directly writing to Preside Service Provisioning and by populating RADIUS and Lightweight Directory Access Protocol (LDAP) servers. These authentication, authorization, and accounting (AAA) functions are accessed by NSNA for dynamic VLAN assignment for the pre-configured VLANs on the Admin access switches. With this system, subscribers will be able to purchase TLS service online, and then automatically connect to it from any port on the Admin network by providing their log-in credentials. As a result, the coordination of truck rolls and specific port wiring to set up such a service is a thing of the past.
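The WLAN captive-portal admission flow described above (unauthenticated HTTP(S) traffic captured and redirected to the portal, a username and password checked against the same RADIUS server the wired NSNA service uses, and only then traffic forwarded to the Internet core) is modelled below in Python. This is an added example, not code from the article, Nortel or Bell. The portal URL and address, the RADIUS stub, the per-station lockout threshold and the pre-authentication DNS allowance are assumptions, and the station MAC and account are constructed.

```python
"""Constructed model of the WLAN captive-portal admission flow (added example).

An unauthenticated station may resolve names and reach the portal itself; its
other HTTP(S) requests are answered with a redirect to the portal login page.
A successful username/password check against the shared RADIUS backend (a stub
here) marks the station's MAC as authenticated, after which its traffic is
forwarded to the Internet core.  Portal address, lockout threshold, MACs and
credentials are assumptions, not values from the article.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple
from urllib.parse import quote

PORTAL_URL = "https://portal.games.invalid/login"  # hypothetical portal URL
PORTAL_IP = "10.0.0.10"                            # hypothetical portal address
MAX_FAILED_LOGINS = 5                              # assumed per-station lockout threshold


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class StubRadius:
    """Stands in for the RADIUS server shared with the wired NSNA service.

    Only salted PBKDF2 digests are stored; a real deployment would query
    RADIUS over UDP/1812 and never hold password material on the switch.
    """

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _pbkdf2(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        salt, expected = self._users.get(username, (b"\x00" * 16, b"\x00" * 32))
        # Hash even for unknown users so the response time does not reveal
        # which usernames exist.
        candidate = _pbkdf2(password, salt)
        return username in self._users and hmac.compare_digest(candidate, expected)


@dataclass
class CaptivePortalGateway:
    """Per-station admission state held by the (modelled) security switch."""
    radius: StubRadius
    authenticated: Set[str] = field(default_factory=set)  # station MACs
    failed: Dict[str, int] = field(default_factory=dict)  # failed logins per MAC

    def handle_packet(self, mac: str, dst_ip: str, dst_port: int, url: str = "") -> Tuple[str, str]:
        """Decide what happens to one client packet: (action, detail)."""
        if mac in self.authenticated:
            return ("forward", "internet-core")
        if dst_port == 53:
            return ("forward", "dns")     # assumption: DNS allowed pre-auth so the redirect resolves
        if dst_ip == PORTAL_IP:
            return ("forward", "portal")  # the login page itself must be reachable
        if dst_port in (80, 443):
            # Capture web traffic and send the browser to the portal,
            # remembering the original URL so it can be restored after login.
            return ("redirect", f"{PORTAL_URL}?orig={quote(url, safe='')}")
        return ("drop", "unauthenticated")

    def login(self, mac: str, username: str, password: str) -> bool:
        """Portal form submission: authenticate against RADIUS and open the station."""
        if self.failed.get(mac, 0) >= MAX_FAILED_LOGINS:
            return False  # locked out; an operator clears it from the help desk
        if self.radius.authenticate(username, password):
            self.authenticated.add(mac)
            self.failed.pop(mac, None)
            return True
        self.failed[mac] = self.failed.get(mac, 0) + 1
        return False

    def logout(self, mac: str) -> None:
        self.authenticated.discard(mac)


def build_demo() -> CaptivePortalGateway:
    """Gateway with one constructed press account ("press-0042")."""
    radius = StubRadius()
    radius.add_user("press-0042", "correct horse battery staple")
    return CaptivePortalGateway(radius)


if __name__ == "__main__":
    gw = build_demo()
    station = "00:1a:2b:3c:4d:5e"  # constructed station MAC
    print(gw.handle_packet(station, "203.0.113.7", 80, "http://news.example/"))
    print(gw.login(station, "press-0042", "correct horse battery staple"))
    print(gw.handle_packet(station, "203.0.113.7", 443))
```

Two practical points the model makes visible: the portal has to be reachable, and names resolvable, before any credential exists, so those two exceptions are the whole pre-authentication attack surface and deserve their own monitoring; and because the login form is exposed to every station on the open radio, the per-station failure counter (backed by per-account rate limiting on the RADIUS side) keeps the portal from becoming an unlimited password-guessing oracle. Redirecting HTTPS, as opposed to plain HTTP, also produces a certificate warning in the user's browser because the portal cannot present a valid certificate for the site the user asked for, which is why many deployments trigger the portal only from HTTP.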
Nortel Secure Network Access (NSNA)
During the Vancouver 2010 Winter Games, tens of thousands of users will arrive daily and request access to the network. Further, these users will require access to applications from multiple locations, using both wired and wireless devices. This extremely fast service and user turn-up, together with the mobility requirements, calls for a no-touch provisioning model.

In this model, Nortel’s NSNA/802.1x will identify users, authenticate them based on a single database, and apply services as per their requirements without having to make any configuration changes in real time. This ability to provide dynamic VLAN assignment based on user credentials presented at the access switch is an integral component in the Olympic Games network design.

The NSNA Olympic implementation, as designed by Bell, will rely on two authentication sources. The first will be a direct LDAP connection to the VANOC Admin database to support single sign-on via the Nortel Health Agent system tray agent on NSNA. It will be used to authenticate VANOC employees, Olympic officials, and other higher-end users. The second will be a separate LDAP database lookup, proxied by RADIUS, which will authenticate users who purchase basic Internet access. This segregation of users provides additional security.

IP Telephony users are assigned their own voice VLAN when a handset is connected to an NSNA-enabled port on the switch. This VLAN provides access to the Olympic network CS2K. For a user, a single physical port will support a data VLAN, such as Admin or Netzone, as well as a VoIP IP set. These two applications will authenticate to separate VLANs that are dynamically instantiated on the same port. The two operate transparently to each other.

The client posture assessment is determined by the Nortel Health Agent Java security agent. This applet runs on the end-station client and checks that all the required software components are present. Rules can be configured to check for OS patches, the existence of personal firewalls and virus checkers, and many other system and configuration files. Several rule sets can be created depending on the needs of the particular user requesting admission to the network. The applet can be set to run persistently in the background to check for proper credentials and security compliance, or set to run a single time during log-in. If the user passes, they go to a “green” VLAN for connection to the network. If the user does not pass the test, they go to the “red” VLAN and have no access to Olympic services and therefore cannot pose a security threat.

Two other authentication methods are also supported by NSNA for clients that do not require the complexity of the Nortel Health Agent. The first allows network devices (e.g., printers) to be authorized by Media Access Control (MAC) address and transitioned to the appropriate VLAN. The second method restricts users with specific access filters once they have successfully passed the credential check. In the latter case, the user does not leave the “red” VLAN but can still access the Internet or other services.

Combined, the all-IP converged architecture and the capabilities of the products and applications in these service networks and the Carrier Ethernet Core network will provide a highly scalable solution that meets the most demanding requirements for security, reliability, and availability.

To achieve Olympic excellence, Olympic and Paralympic athletes rely on a team of people – coaches, equipment manufacturers, sport physiologists, and the like – and employ a number of performance-enhancing tools – such as high-tech sports equipment, aerodynamic suits, and helmets. The Olympic Games Network team is no different. Together, Bell, VANOC, and Nortel will combine their network expertise, enabling technologies, dedication, passion, and teamwork to deliver the most technologically advanced network in the history of the Olympic Games. Together, they will deliver a flawless Games experience to the Olympic family of athletes, media, officials, and spectators.

Simon Edgett is Bell’s Director, Olympic Architecture, Technology Development. Dean Frohwerk is Nortel’s Chief Network Architect, Vancouver 2010 Winter Games. Greg Moore is Senior Sales Engineer and a member of Nortel’s BCE Account team.
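The NSNA admission logic from the "Nortel Secure Network Access (NSNA)" section above (two credential sources, MAC-authorized devices, Health Agent posture rule sets, the green/red VLAN outcome, a red VLAN with access filters for basic-Internet users, and a voice VLAN and a data VLAN coexisting on one port) is modelled below in Python. This is an added example, not Nortel's or Bell's implementation and not the Rate Card RCSS; the directory contents, rule sets, MAC addresses, VLAN names and the "permit-internet-only" filter label are constructed.

```python
"""Constructed model of the NSNA admission decision (added example, not
Nortel's or Bell's code).

One access-port request carries the device class, any credentials and, for
Health Agent clients, a posture report.  The decision mirrors the article:
IP handsets go to the voice VLAN; MAC-listed devices go to their assigned
VLAN; VANOC Admin directory users must pass their role's posture rule set to
reach the "green" VLAN and are held in "red" otherwise; basic-Internet
purchasers (the RADIUS-proxied directory) stay in "red" with Internet-only
filters; anything else is rejected into "red".  A port may hold a voice VLAN
and a data VLAN at the same time.  All entries and rules are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Directory:
    """Password-checking directory; returns the user's role or None."""
    source: str
    users: Dict[str, Tuple[str, str, str]]  # username -> (salt, digest, role)

    def lookup(self, username: str, password: str) -> Optional[str]:
        salt, digest, role = self.users.get(username, ("", "", ""))
        ok = hmac.compare_digest(_digest(salt, password), digest)
        return role if ok and username in self.users else None


# Posture rule sets per role (constructed): every listed check must pass.
RULE_SETS: Dict[str, List[str]] = {
    "employee": ["os_patched", "firewall_on", "antivirus_current"],
    "official": ["os_patched", "antivirus_current"],
}


@dataclass
class Request:
    port: str
    mac: str
    device: str = "pc"          # "pc", "phone" or "headless"
    username: str = ""
    password: str = ""
    posture: Optional[Dict[str, bool]] = None  # Health Agent report, if present


@dataclass
class Decision:
    vlan: str
    filters: List[str]
    reason: str                 # kept for the audit trail


@dataclass
class Nsna:
    vanoc: Directory            # direct LDAP to the VANOC Admin database
    ratecard: Directory         # separate LDAP, reached through the RADIUS proxy
    mac_allowlist: Dict[str, str]  # MAC -> VLAN for printers and similar devices
    ports: Dict[str, Dict[str, str]] = field(default_factory=dict)  # port -> {slot: vlan}

    def admit(self, req: Request) -> Decision:
        decision = self._decide(req)
        # A handset and a PC share one physical port on separate VLANs.
        slot = "voice" if req.device == "phone" else "data"
        self.ports.setdefault(req.port, {})[slot] = decision.vlan
        return decision

    def _decide(self, req: Request) -> Decision:
        if req.device == "phone":
            return Decision("voice", [], "IP handset: voice VLAN toward the Olympic CS2K")
        if req.mac in self.mac_allowlist:
            return Decision(self.mac_allowlist[req.mac], [], "MAC-authorized device")
        role = self.vanoc.lookup(req.username, req.password)
        if role is not None:
            report = req.posture or {}
            missing = [check for check in RULE_SETS[role] if not report.get(check, False)]
            if missing:
                return Decision("red", [], f"posture failed ({', '.join(missing)}): no Olympic services")
            return Decision("green", [], f"{role} via {self.vanoc.source}, posture OK")
        if self.ratecard.lookup(req.username, req.password) is not None:
            return Decision("red", ["permit-internet-only"], f"basic Internet via {self.ratecard.source}")
        return Decision("red", [], "credentials rejected")


def build_demo() -> Nsna:
    """Constructed directories: two VANOC users, one Rate Card purchaser, one printer."""
    vanoc = Directory("vanoc-admin-ldap", {
        "jdoe": ("s1", _digest("s1", "Employee-pw-1"), "employee"),
        "ioc-01": ("s2", _digest("s2", "Official-pw-2"), "official"),
    })
    ratecard = Directory("ratecard-ldap-via-radius", {
        "press-0042": ("s3", _digest("s3", "Press-pw-3"), "internet"),
    })
    return Nsna(vanoc, ratecard, {"00:11:22:33:44:55": "printers"})
```

The ordering of the checks is the point worth noticing: the posture rule set is selected by the role the directory returns, so a missing or stale Health Agent report can never yield "green", and a user who fails posture is held in "red" with no filters at all, whereas a basic-Internet purchaser who was never posture-checked lands in "red" with an explicit Internet-only filter. Recording the reason alongside the VLAN is what lets the technology operations center tell those two "red" cases apart in the logs.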