Details on CareGroup incident

• Previous message (by thread): OT (was RE: Networking in Africa...)
• Next message (by thread): FYI: ANSI Standard Proposal: A Baseline of Security Requirements for the Management Plane
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To quote Dr. Halamka:
> I hope that my approval enables [Cisco] to share more with the press
> so that everyone understands that our issues were purely architectural
> and not related to Cisco products or Cisco engineers.

So, now that I have it in writing, here's what I'll share:

The Topology

There are three campuses, each with several phyiscal sites, connected to
each other with 8 different FEC and OC3 LANE links -- all L2.  Each campus
had several core switches depending on the number of buildings, again
connected redundantly within the campus with FEC and/or OC3 LANE L2 links,
plus dozens of access switches with redundant L2 uplinks to various core
switches.  Many protocols were in use, including non-routeable protocols
like NetBEUI and SNA.

How did this mess occur?  "The CareGroup network grew organically due to the
BIDMC merger, PACS installation, East to West movement of clinical services,
Libby sale and changing CareGroup environment."  In short, the network was
growing very quickly due to business changes and was never redesigned to
cope with the much larger scale and new application requirements.  This
resulted in the previously-mentioned 10+ hop STP, which spanned across
multiple sites and multiple adminitrative zones.

CareGroup had recently gone through a network audit by a third party which
listed most/all of the potential problems in this design and suggested
solutions.  The outage occurred before CareGroup had an opportunity to act
on these recommendations.

The Outage

The trigger for the outage was the addition of a new high-bandwidth
application which somehow interfered with the proper operation of STP.  Even
after this application was removed, STP could not reconverge due to the
default 7-hop limit.

During troubleshooting, Cisco inserted L3 hops at logical boundaries,
breaking the STP into more manageable chunks.  Most of these smaller chunks
were still unstable, so Cisco removed all redundant links in each area,
verified stability, and then reintroduced redundant links one-by-one to
troubleshoot potential problems.  As you can imagine, this takes a long
time, and was done with Cisco staff on site travelling to each building and
wiring closet to make the necessary changes.

Going Forward

The new design calls for one pair of distribution L3 switches per building,
with L3 GE links in a full mesh between all distribution switches in a
campus, and between specific switches at each campus.  STP will be confined
to the access L2 switches.  All non-IP traffic will be removed or isolated.

In the meantime, CareGroup will be performing small-scare hardware and link
upgrades to improve resiliency within each campus, and will install
computers with dial-up connections to the datacenter in key locations so
that they will have minimal connectivity if another LAN event occurs.
Strict change control will be implemented with Cisco approvals.

Conclusion

As I alluded to before, this is not a story of equipment failure or STP's
inherent scaling problems.  It's a story of a business which didn't or
couldn't adapt the network to the business needs -- even though everyone saw
the train coming at them.  The lesson here isn't to review your network
design, but to review how your business handles growth and/or known
problems.

S

• Previous message (by thread): OT (was RE: Networking in Africa...)
• Next message (by thread): FYI: ANSI Standard Proposal: A Baseline of Security Requirements for the Management Plane
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]