FEBRUARY 2018
ABU DHABI FUTURE SCHOOL PROGRAM - PHASE 7
AIN AL FAYDA - NEW EXTENSION
INDEX
VOLUME No. 3 - TECHNICAL SPECIFICATIONS
PART-A
DIVISION 01
PART-B
DIVISION 02 - 07
PART-C
DIVISION 8 - 14
PART-D
DIVISION 31 - 32
PART-E
DIVISION 21 - 23
PART-F
DIVISION 26 - 28 & 33
PART-G - APPENDICES
END OF INDEX
1. ADEC : ICT Project Management Office : Responsibility Matrix for New Schools Projects :
Version 4: Dated – September 13, 2012
3. ADEC School Project : Infrastructure and Wireless Low Level Design – Version 1.6 – By Cisco
Services
4. ADEC : IP Surveillance System – CCTV Specifications for ADEC Schools – October 2013 -
Version 1.0
5. ADEC : Information & Communication Technology (ICT) Division : Abu Dhabi Schools ICT
Infrastructure : Passive Components – Design Specifications – October 2013 – Version 1.1
6. ADEC: Information & Communication Technology (ICT) Division: Abu Dhabi Schools ICT
Infrastructure: Passive Components – Data Outlet Distribution Specifications – October 2013 –
Version 1.2. (Note that the number and location of data and power points in this guideline are a
minimum requirement, and the contractor shall refer to the layout drawings for the exact number of
data/power points to suit furniture layout/site adaptations.)
7. ADEC : Information & Communication Technology (ICT) Division : Abu Dhabi Schools ICT
Infrastructure : Passive Components – Specifications and Installation Scope – October 2013 -
Version 3.0
8. ADEC: Information & Communication Technology (ICT) Division: Abu Dhabi Schools ICT
Infrastructure: Passive Components – Power & AC Specifications – October 2013 – Version
3.1.1
9. ADEC : Information & Communication Technology (ICT) Division : Abu Dhabi Schools ICT
Infrastructure : Passive Components – Labeling Specifications - October 2013 – Version 3.0
10. ADEC : Information & Communication Technology (ICT) Division : Abu Dhabi Schools ICT
Infrastructure : Scope of Work and Specifications for Projectors and Interactive Board Systems –
October 2013 – Version 2.2
11. ADEC : Information & Communication Technology (ICT) Division : Abu Dhabi Schools ICT
Infrastructure : Etisalat Site - Readiness Checklist
The above Abu Dhabi Education Council (ADEC) Guidelines are to be read in conjunction with the
following technical specification sections; the ADEC Guidelines/Specifications take precedence
over the system specifications:
1. Division 27 – Section 27 00 00 – Telephone & Data Cabling Infrastructure
2. Division 27 – Section 27 60 00 – Closed Circuit Television (CCTV) System
3. Division 28 – Section 28 10 00 – Security Access Control System
ICT Project Management Office
1) Deliver and install based on ICT guidelines 1) Provide ICT guidelines, specifications, SLA
1) Manage tendering and procurement using
and specifications requirements and approved bidder list Musanada
2 UPS ICT specifications
2) Asset tagging 2) Participate in tender technical evaluation (4 years warranty & NBD support - parts & labor)
2) Manage delivery & installation
3) Documentation handover to ICT 3) Conduct QA on the design and installation
1) Deliver and install the items based on ICT 1) Provide ICT guidelines, SLA requirements
1) Manage tendering and procurement using guidelines and approved bidder list
Musanada
3 Public Address System ICT specifications 2) Asset tagging 2) Participate in tender technical evaluation
(4 years warranty & NBD support - parts & labor)
2) Manage delivery & installation 3) Training for end users and ICT Support 3) Conduct QA on the design and installation
4) Documentation handover to ICT 4) Network configuration (if required)
1) Provide guidelines for passive contractors 1) Deliver and install based on ICT procedures
Network - LAN (switches,
8 Site coordination for the implementation 2) Procure and manage delivery/installation 2) Asset tagging ADEC ICT
routers, wireless AP, …)
3) Conduct QA for the site readiness 3) Documentation handover to ICT
1) Provide guidelines for passive contractors 1) Deliver and install based on ICT procedures
9 WAN Connectivity Site coordination for the implementation 2) Procure and manage delivery/installation 2) Asset tagging ADEC ICT
3) Conduct QA for the site readiness 3) Documentation handover to ICT
Version 1.6
Corporate Headquarters
Cisco Systems, Inc.
CISCO CONFIDENTIAL
1. Contents
2. Figures
3. Tables
4. Document Information
4.1 Review and Distribution
4.2 Modification History
7. Network Overview
7.1 Network Layout
7.2 Design Considerations
A printed copy of this document is considered uncontrolled
2. Figures
Figure 1 Sample School network
Figure 2 Sample Topology Diagram of the overall network
Figure 3 Physical Diagram of a typical school
Figure 4 Typical School infrastructure layout
Figure 5 Stack Switch Label Convention
Figure 6 Stack Switch Label Example
Figure 7 Logical Network Design
Figure 8 ADEC IP Address Allocation
Figure 9 ADEC School IP Address Allocation Scheme
Figure 10 Catalyst 4507R-E CoPP Mode
Figure 11 Option 43 Hex String
Figure 12 Hex String Components
Figure 13 ADEC Domain name
Figure 14 Split MAC Architecture
Figure 15 Disable OTAP
Figure 16 Disable Aggressive Load Balancing
Figure 17 Enable LAG Mode
Figure 18 Enable L3 LWAPP Mode
Figure 19 Disable Multicast Mode
Figure 20 Default Mobility Name
Figure 21 RF Network Name
3. Tables
Table 1 In Scope
Table 2 Out of Scope
Table 3 Key Design Decisions
Table 4 Design Exceptions and Known Gaps
Table 5 ADEC Contacts
Table 6 Cisco Contacts
Table 7 Slot Allocation 4507R-E
Table 8 4507R-E to WLC Port Reservation
Table 9 3 Switch Stack Uplink Scheme
Table 10 4 Switch Stack Uplink Scheme
Table 11 5 Switch Stack Uplink Scheme
Table 12 6 Switch Stack Uplink Scheme
Table 13 Standalone Uplink Scheme
Table 14 Core Switch - Access Switch Etherchannel uplink scheme Switch 1
Table 15 Core Switch - Access Switch Etherchannel uplink scheme Switch 2
Table 16 Core Switch - Access Switch Etherchannel uplink scheme Switch 3
Table 17 second switch stack uplink - first stack switch Etherchannel uplink scheme Switch 5
Table 18 second switch stack uplink - first stack switch Etherchannel uplink scheme Switch 6
Table 19 Core Switch - WAN Router Port Reservation
Table 20 Core Switch – Slot 1 & 2 Port Reservations
Table 21 Site Type Abbreviations
Table 22 ERP SiteID Encoding
Table 23 DF Abbreviations
Table 24 Distribution Frame Number Encoding
Table 25 Device Role Abbreviation
Table 26 Naming Convention Examples
Table 27 IOS Software Image Listing
Table 28 VLAN Table
Table 29 IP Scheme for all IP Subnets
Table 30 Additional IP Scheme for Specific VLANs
Table 31 Additional IP Scheme for Management VLAN
Table 32 IP Scheme for Core Switch to WAN Router Link
Table 33 Hex String Components
Table 34 Hex String Example
Table 35 NTP Table with NTP Source and Stratum Levels.
Table 36 Logging Levels
Table 37 Restricting Access to Management Subnet
Table 38 Restricting Guest Access
Table 39 WLC Software Releases
Table 40 ADEC Signal Strength Req.
Table 41 Coverage Areas
Table 42 DHCP Lease Times
Table 43 Cisco Aironet Access Point Power Draw
Table 44 WLAN/SSID Roles and Security
Table 45 Mobility Group
4. Document Information
5. Document Acceptance Certificate
6. Introduction
6.1 Preface
The objective of this document is to provide Abu Dhabi Education Council (ADEC) with a detailed
network infrastructure and Wireless LAN design.
The ADEC network consists of approximately 305 sites/schools. ADEC will interconnect all the
schools via IPCONNECT, an Etisalat service (which is a Virtual Private Network (VPN)
interconnection over the Etisalat Multiprotocol Label Switching (MPLS) backbone). It is expected that
this Low-Level Design (LLD) document will be used as a basis for implementation of the IP network
infrastructure and Wireless LAN (WLAN) across all sites of ADEC.
6.2 Audience
The primary audience of this document is the information technology team involved in the
deployment and support of the infrastructure and wireless LAN deployment.
6.3 Scope
The following section details the current scope of this document.
6.3.1 In scope
The following solution components are within the scope of the current project.
Table 1 In Scope
Scope ID Description
1 Network Infrastructure
2 Wireless LAN
Table 2 Out of Scope
Scope ID Description
1. WAN connectivity
2. Data Centre
3. QoS
4. IPT QoS
5. VoIP
6. VoWLAN
7. NAC
8. IPT Testing
9. IPT Infrastructure
10. 802.1x
11. Multicast
12. IPv6
13. Random Frame Stress Attack
14. Multicast Brute Force Attack
KDD23. WLC access shall only be provided on the management VLAN. [Section 9.9.8 Restricting Access using Access Control Lists (ACLs); ADEC]
KDD24. Access to WLC shall utilise tiered access privileges for Admin and lobby ambassador roles. [Section 10.8 Network Management; ADEC]
KDD25. WLC session timeouts shall be 30 minutes. [Section 10.9.8.2 HTTP / HTTPS; ADEC]
KDD26. Login banner shall be displayed for all WLC access. [Section 10.9.8.5 WLC Login Banner; ADEC]
KDD27. WLC Admin role shall have full privileges. [Section 10.8 Network Management; ADEC]
KDD28. WLC Guest role shall have sufficient privileges for users Moves, Addition and Changes. [Section 10.8 Network Management; ADEC]
KDD29. All VLANs shall be provisioned with an IP address. [Section 9.4.3 IP Scheme; ADEC]
KDD30. The IP Addressing schema shall provide minimum of 1000 schools [Section 9.4 IP Addressing; ADEC]
KDD31. Each VLAN shall be assigned /24 IP subnet. [Section 9.4 IP Addressing; ADEC]
KDD32. The Data Centre will use the ADSIC allocated IP range [Section 9.4 IP Addressing; ADEC]
KDD33. Each device shall be asset tagged with the device hostname as per the labelling convention defined within this document [Section 8.5 Labelling Convention; ADEC]
KDD34. Each VLAN shall reserve a block of addresses for use by printers. [Section 9.4.3 IP Scheme; ADEC]
KDD35. Wireless Guest connections shall not be encrypted. [Section 10.6.6.1 Data Clients; ADEC]
KDD137. The native VLAN will not be cleared from the list of VLANs allowed across the trunk [Section 9.6.7.3 Double Encapsulated 802.1Q Nested Attack; Cisco]
KDD138. The native VLAN will not be used on Access Ports [Section 9.6.7.3 Double Encapsulated 802.1Q Nested Attack; Cisco]
KDD139. The native VLAN traffic will be tagged as it crosses the trunks between the switches [Section 9.6.7.3 Double Encapsulated 802.1Q Nested Attack; Cisco]
KDD140. VLAN tagging will be configured on the Core Switch and Access Switches globally [Section 9.6.7.3 Double Encapsulated 802.1Q Nested Attack; Cisco]
KDD141. Native VLAN tagging on the trunk port between the Core Switch and the WLC will be disabled [Section 9.6.7.3 Double Encapsulated 802.1Q Nested Attack; Cisco]
KDD142. End user devices will receive IP addresses via a DHCP running on the Core Switch in the school site [Section 9.7.1 DHCP; ADEC]
KDD143. The DHCP relay agent will not be enabled on the Core Switch, switch virtual interfaces [Section 9.7.2 DHCP Relay; Cisco]
KDD144. The Core Switch will provide DHCP services for the wireless Access Points [Section 9.7.3 DHCP for the APs; ADEC]
KDD145. The Data Centre will synchronize itself with a reliable time source from an externally hosted (non-ADEC) NTP server [Section 9.7.5 NTP; ADEC]
KDD146. The NTP time source in the ADEC HQ Data Centre will have a stratum level of 3 [Section 9.7.5 NTP; ADEC]
ADEC Infrastructure and Wireless LLD CISCO CONFIDENTIAL
KDD156. LACP will be used in the Etherchannels between the 4507R-E and the C3850-F-S and between C3850-F-S and the C3850-F-S stack Extension in case of having more than 4 StackWise switch stack. [Section 9.8.2.2 Etherchannel between Core Switch and; Cisco]
KDD157. The Etherchannel between the Core Switch and the WLC will be configured in the “on” mode [Section 9.8.2.3 Etherchannel between Access Switch (Stack Origin) and Access Switch (Stack Extension); Cisco]
An Etherchannel will be provisioned between the Access Switch (Stack Origin) and Access Switch (Stack Extension).
The Etherchannel will consist of two x 1 Gbps links.
Note Cisco IOS software creates port-channel interfaces for Layer 2 E
configure Layer 2 Ethernet interfaces with the channel-group comm
KDD219. The WLC will be configured with IP address on each VLANs subnet. [Section 10.9.2 WLC IP Addresses on the Dynamic VLANs; Cisco]
KDD220. “AP-manager” is the first IP address used for interfacing to the AP [Section 10.9.5 WLC Interfaces; Cisco]
KDD221. “management” is the in-band management interface [Section 10.9.5 WLC Interfaces; Cisco]
KDD222. “Service-port” The Service-port interface is reserved for out-of-band management of the Wireless LAN Controller and system recovery and maintenance in the event of a network failure. [Section 10.9.5 WLC Interfaces; Cisco]
KDD223. Virtual interface is configured identically on all WLAN controllers which are part of the same mobility group. The virtual interface is used for DHCP relay, Mobility management and Layer 3 security (WEB authentication) features [Section 10.9.5 WLC Interfaces; Cisco]
KDD224. Access Point switch ports shall be allocated across switches within an Access Switch Stack [Section 8.3.1.7 Access Switch to Host Connectivity; ADEC]
KDD225. In the ADEC deployment, CAPWAP will be used for the communication between the Wireless LAN Controller and the access points. [Section 10.1 Wireless Network Design Overview; Cisco]
6.8 References
[REF-1] Cisco Product Documentation
http://www.cisco.com/univercd/cc/td/doc/product/index.htm
http://www.cisco.com/en/US/docs/switches/lan/catalyst4507R-E/12.2/53SG/configuration/snmp.html#wp1043530
6.9.1 ADEC
Table 5 ADEC Contacts
7. Network Overview
Abu Dhabi Education Council (ADEC) seeks to develop educational institutions in the Emirate of
Abu Dhabi by implementing innovative educational policies, plans and programs that aim to
improve education, and support educational institutions and staff to achieve the objectives of
national development in accordance with the highest international standards.
ADEC is in the process of implementing a network infrastructure for all the schools in the
emirate of Abu Dhabi to make them capable of accommodating the tools and applications that
will allow for more interactive and productive learning in line with ADEC’s strategic plans.
The ADEC wired and wireless network infrastructure will allow users to communicate and will
provide ADEC the platform to deliver rich services to all schools seamlessly. ADEC will use the
network to share applications such as:
ERP
ESIS
GIS
Library
SharePoint
This document covers only IP network and wireless infrastructure design.
There are approximately 300 schools for which ADEC are responsible that are to be
interconnected with the ADEC Head Quarters Data Centre. All schools will be implemented
following a single network infrastructure model. The network infrastructure in each school will
consist of:
Cisco Integrated Service Router (ISR) 2911 WAN Router,
Cisco Catalyst 4507R-E as Core-Distribution Switch
Cisco Catalyst C3850-F-S Switches as Access switches
The Cisco Catalyst C3850-F-S switches can be implemented as standalone, stacked, or daisy-chain
stacked (in case of having more than 4 switches in one IDF), depending on the port
requirement of the school site.
Each Access Switch, whether it is standalone or a switch within a StackWise stack, will connect
to the Core Switch with dual 1 Gbps uplinks to the Core-Distribution joined in an
Etherchannel.
In a daisy-chain setup, when more than 4 switches exist in one IDF, Access Switch connectivity
to the StackWise stack switches will be dual 1 Gbps uplinks to the first Stack joined in an
Etherchannel.
All the schools will be interconnected via an IPCONNECT Etisalat service, which is a Virtual
Private Network (VPN) interconnection over the Etisalat Multiprotocol Label Switching (MPLS)
backbone.
The Cisco ISR 2911 WAN Router will be installed and configured to provide WAN connectivity
as part of the Etisalat Managed Router WAN (MRWAN) service.
In addition to network infrastructure detailed above, there will be Wireless Access Points and a
Wireless LAN Controller in each school to provide wireless network coverage. The Wireless
Access Points will be connected to the Access Switches and the Wireless LAN Controller will be
connected to the Core Switch.
The hardware selected for the ADEC School Site implementation is aligned with the Cisco
Service Ready Architecture (SRA) for Schools framework [REF-13].
[Figure: sample school network diagram. Labels: School services, MS Virtual server, WLC5508, APs, C3850-F-S access switches, 4507R-E, WAE 694, Etisalat router, Etisalat IPCONNECT service, LAB School]
1. Scalability
2. Reliability
3. Availability
4. Manageability
5. Security
6. Performance
7. Network Stability
Note: Where the design principles above are not optimal, specific notes are highlighted.
8. Physical Network Design
The network and wireless infrastructure for all the school site implementations will follow the
same basic physical network design. However, the number of Access Switches will vary based on
the school size. Where data port requirements for a specific school site exceed one Access
Switch for the same Virtual Local Area Network (VLAN), additional Access Switches will be
installed and configured in a StackWise stack.
Some of the benefits of having the same physical architecture at each school include:
Operational Simplicity
Ease of Provisioning
Reduced Complexity
The Cisco ISR 2911 is installed to provide network routing to the Wide Area Network (WAN).
The Cisco ISR 2911 WAN Router will connect to the ADEC Data Centre through the Etisalat
MPLS network on one side and will connect to the Core Switch in the school site network on the
other side.
The Cisco Catalyst 4507R-E will be installed as a Core-Distribution switch in the school site
network.
The Cisco Catalyst C3850-F-S will act as the Access Layer switch.
The WAN Router will connect the Core Switch to the Etisalat IP Connect Service. The WAN
Router will be part of the Etisalat network and will be designed, configured, installed and
managed by Etisalat.
The link addressing between the Core Switch and the WAN Router will be allocated from the /18
IP address range allocated to each school.
The link between the Core Switch and the WAN Router will be addressed with a /30 subnet.
The link addressing /30 will be the last /30 available in the /18 address space allocated to each
school.
The Cisco ISR 2911 WAN Router will connect to the Core Switch with a 1 Gbps connection.
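The addressing rules above (a /18 per school, a /24 per VLAN, and the last /30 of the /18 for the Core Switch to WAN Router link) can be checked mechanically before a site is provisioned. The following Python code is an added example, not part of the LLD; the 10.0.0.0/8 supernet, the VLAN names and both sample plans are constructed for illustration.

```python
import ipaddress

SCHOOL_PREFIX = 18  # LLD: a /18 is allocated to each school
VLAN_PREFIX = 24    # LLD (KDD31): each VLAN is assigned a /24
LINK_PREFIX = 30    # LLD: Core Switch to WAN Router link uses a /30


def school_capacity(supernet):
    """Number of /18 school blocks that fit in an IPv4 supernet."""
    net = ipaddress.ip_network(supernet)
    if net.prefixlen > SCHOOL_PREFIX:
        return 0
    return 2 ** (SCHOOL_PREFIX - net.prefixlen)


def school_block(supernet, index):
    """Return the index-th (0-based) /18 inside the supernet."""
    net = ipaddress.ip_network(supernet)
    if not 0 <= index < school_capacity(net):
        raise ValueError(f"school index {index} does not fit in {net}")
    base = net.network_address + index * 2 ** (32 - SCHOOL_PREFIX)
    return ipaddress.ip_network(f"{base}/{SCHOOL_PREFIX}")


def wan_link(school):
    """Return the last /30 available in the school's /18."""
    school = ipaddress.ip_network(school)
    first = school.broadcast_address - (2 ** (32 - LINK_PREFIX) - 1)
    return ipaddress.ip_network(f"{first}/{LINK_PREFIX}")


def audit_plan(school, vlans, link):
    """Return a list of findings; an empty list means the plan is consistent."""
    school = ipaddress.ip_network(school)
    link = ipaddress.ip_network(link)
    findings = []
    if link != wan_link(school):
        findings.append(f"link {link} is not the last /30 of {school}")
    seen = []
    for name, cidr in vlans.items():
        net = ipaddress.ip_network(cidr)
        if net.prefixlen != VLAN_PREFIX:
            findings.append(f"{name}: {net} is not a /{VLAN_PREFIX}")
        if not net.subnet_of(school):
            findings.append(f"{name}: {net} is outside school block {school}")
        if net.overlaps(link):
            findings.append(f"{name}: {net} overlaps the WAN link {link}")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen.append((name, net))
    return findings


# Constructed sample data (assumptions, not values from the LLD).
SUPERNET = "10.0.0.0/8"
SCHOOL = school_block(SUPERNET, 0)
GOOD_VLANS = {"vlan-a": "10.0.1.0/24", "vlan-b": "10.0.2.0/24"}
BAD_VLANS = {
    "vlan-a": "10.0.1.0/24",
    "vlan-b": "10.0.63.0/24",  # contains the link /30
    "vlan-c": "10.0.64.0/24",  # belongs to the next school's /18
    "vlan-d": "10.0.2.0/25",   # wrong prefix length
}

if __name__ == "__main__":
    print("schools that fit in", SUPERNET, "=", school_capacity(SUPERNET))
    print("school 0 block:", SCHOOL, "WAN link:", wan_link(SCHOOL))
    print("good plan findings:", audit_plan(SCHOOL, GOOD_VLANS, wan_link(SCHOOL)))
    for finding in audit_plan(SCHOOL, BAD_VLANS, "10.0.63.248/30"):
        print("bad plan:", finding)
```

Because the link /30 sits at the top of the /18, the last /24 of each school block always overlaps it, so at most 63 of the 64 /24 subnets in a school block can be assigned to VLANs.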
The Cisco Catalyst 4507R-E was selected to meet the ADEC requirements, including those listed
below:
High speed Core Switching backbone that is capable of supporting both 1 Gigabit per
Second (Gbps) Unshielded Twisted Pair (UTP) and Fiber as well as 10 Gbps with
redundant power supply and supported by latest technologies.
The Core Switch shall support dual processing engines in the same hardware chassis for
redundancy
The Core Switch shall be modular for capability to add Local Area Network (LAN)
modules in the future
The Core Switch shall be scalable to accommodate additional Access Layer switches in
the future, without the need for hardware upgrade to the Core Switch.
The Core Switch shall be capable of supporting full redundancy by adding an additional
redundant Core Switch.
The Core Switch must be capable of supporting different kinds of LAN interfaces,
including but not limited to UTP and Multi-Mode Fiber.
The Cisco Catalyst 4507R-E line cards and Supervisor Engine will be installed into the Core Switch
as per the table below.
Slots 3 and 4 on the Cisco Catalyst 4507R-E switch are reserved for use by the Supervisor Engines.
Even if no Supervisor Engine is placed in these slots they cannot be used by line cards.
The remaining line cards can be placed in any of the remaining slots. The two WS-X4624-SFP-E
line cards will be placed in slots 1 and 2. This will provide ease of cable management and will
make it easier to add more line cards when required.
Slot Module
1 WS-X4624-SFP-E
2 WS-X4624-SFP-E
3 WS-X45-SUP6L-E
4 Not Used
5 Not Used
6 Not Used
7 Not Used
The Cisco Catalyst C3850-F-S was chosen over other variants of the C3850 family such as the
C3850-F-L and C3850-F-E for the reasons outlined below:
8.2.3.1 Cisco Catalyst C3850-F-S Power Supply and Power over Ethernet+
The Cisco Catalyst C3850-F-S will be using PWR-C1-1100WAC as its power supply. This power
supply is capable of providing 800W of PoE power to the Access Switch.
ADEC will use two different types of Access Points (APs) in their wireless network. They are the
Cisco Aironet Lightweight AP2602E (outdoor AP) and the Cisco Aironet Lightweight AP2602I
(indoor AP). Both of these APs draw 15.4W of power.
With one PWR-C1-1100WAC power supply in each switch 15.4W of power can be delivered to
all 48 ports if required.
In large schools where the physical port density within a single IDF exceeds the 48 ports
provided by a single switch, Access Switches in the ADEC network will be “stacked”.
The Cisco Catalyst C3850 switch uses the new StackWise-480 architecture, which allows a high-speed
stack ring to be built with superior features and services scalability compared with StackWise Plus.
Cisco StackWise-480 technology provides scalability and resiliency with 480 Gbps of stack throughput.
The switches are physically connected sequentially. A break in any one of the cables between the
switches within a stack will result in the stack bandwidth being reduced to half of its full
capacity. Sub second timing mechanisms detect traffic problems and immediately initiate
failover. This mechanism restores dual path flow when the timing mechanisms detect renewed
activity on the cable.
Stacking provides multiple benefits some of which have been included below:
For further information regarding the Catalyst stack please see section 6.8.
8.2.3.3 StackWise
Cisco Catalyst C3850-F-S can support up to 4 switches in a Switch Stack; no more than 4 switches
will be configured in a single stack.
This is due to hardware limitations and the sharing of hardware resources such as MAC address
table size and stack bandwidth.
In the ADEC school implementation, there are some schools that have 5 or 6 switches in one IDF. In
this case the switch stack will be split into two stacks, one with 4 switches and the other with 1 or 2,
depending on whether there are 5 or 6 switches respectively. In such a scenario ADEC will follow the
Daisy chain setup, connecting the additional switches (the second stack) to the first stack via the
uplink module.
This will mean each switch has the benefit of being able to fallback to using the power in another
switch should its own power supply fail.
The above topology indicates the components which will be contained within each school. Each
school will have the following components:
Stacked
Stand alone
Stacked with Daisy chain
Stacked Switches
Each Access Switch stack with 4 stacked switches will be implemented with 2 uplink modules.
Each module has 4 ports. The modules will be installed into the switches at opposite ends of the
stack. For example, if there are three switches in the stack, the uplink modules will be installed
in the first and third switch.
The benefit of this approach is that a switch is always either directly connected to the Core Switch
or is at most two hops away, as in the case of a middle switch in a 5 switch stack.
The first port of each uplink module will be used to connect to the Core Switch. The table below
gives some example of how the uplink modules will be connected
The benefit of this approach is that a switch is always either directly connected to the Core Switch
or is at most two hops away, as in the case of having more than 4 switches in an IDF.
The first port of each uplink module on the first stack will be used to connect to the Core Switch.
The last port of each uplink module on the first stack will be used to connect to the first port of
each uplink module on the second stack.
The table below gives some example of how the uplink modules will be connected
Stand alone switches come with a single uplink module. The first two ports of the module will
be used as the uplink ports.
The tables below depict how the Access Switch uplinks will be distributed on the Core Switch.
In the Daisy chain setup, the second switch stack will have two uplinks configured as an Etherchannel.
On both sides (the first and second switch stacks) the Etherchannel member ports will be
distributed over the two uplink modules for redundancy purposes.
The tables below depict how the second switch stack uplinks will be distributed on the first
switch stack uplinks.
Table 17 second switch stack uplink - first stack switch Etherchannel uplink scheme Switch 5
Table 18 second switch stack uplink - first stack switch Etherchannel uplink scheme Switch 6
The table below depicts the Core Switch port reservations for the line cards in slot 1 and 2.
No spare ports will be left between the different user types. Any spare ports on an Access Switch
Stack shall be allocated at the end of the last switch in the stack.
Access Point switch ports shall be allocated across switches within an Access Switch Stack.
Using the naming convention, device administrators can identify whether the site is a school, the
site id, the distribution frame type, the distribution number, the device role and the device
iteration. Being able to determine this information by reading the hostname provides operational
benefits such as troubleshooting, device location and user provisioning.
Further details regarding the naming convention fields are detailed in the following sections.
8.4.2 SiteID
The SiteID corresponds to the ADEC ERP SiteID. The following naming convention rules apply
to the SiteID field in the naming convention.
The table below depicts how the ERP SiteID will be encoded as a SiteID in the naming
convention.
Table 22 ERP SiteID Encoding
The DF type will be represented in the naming convention using a single character.
The table below depicts the different types of distribution frame and how they are encoded in the
naming convention.
Table 23 DF Abbreviations
The following naming convention rules apply to the DF No. field in the naming convention.
The table below depicts how the actual Distribution Frame number will be encoded as a DF No.
in the naming convention.
<Switch-Hostname>-<Stack-Member-Number>
If a switch is standalone then it will be labelled with its hostname and stack member number 1.
An example of the above stack switch label convention can be found below.
s999-i02-asw001-2
The above example depicts that this switch is switch 2 in the s999-i02-asw001 stack.
Ease of troubleshooting
Ease of provisioning
Ease of changes
There are three types of interfaces which will contain an interface description. They are:
Switch Virtual Interface Descriptions will be configured to provide operational benefits such as
simplified provisioning and troubleshooting.
The selected IOS software versions are the most stable respective releases which meet all of the
ADEC feature requirements.
LAN Base
IP Base
Enterprise Services
The LAN base image is primarily focused on the Access Layer and Layer 2 requirements.
The IP Base Image contains all the features found in the LAN base image as well as basic Layer 3
features such as static routing.
The Enterprise Services image supports all Cisco Catalyst 4500 Series software features based on
Cisco IOS Software such as NSF/SSO, BGP, EIGRP, EIGRPv6, OSPF, OSPFv3, IS-IS, Internetwork
Packet Exchange (IPX), AppleTalk, VRF-lite, and Policy-Based Routing (PBR).
The IP Base image will be used in the ADEC environment as the 4507R-E will be used as a Core
Switch. The LAN Base image is not appropriate as the 4507R-E will not be used as an access
layer switch. The Enterprise Services image will not be used as it contains many additional
features which are not required within the ADEC network implementation.
The IP Base image contains all the features found in the LAN base image as well as basic Layer 3
features such as static routing.
The IP Base image contains all the features required by ADEC, including SSH, and will be used as
the IOS software for the Access Switches.
Note The selection of the specific IOS XE version is based on Cisco deployment
recommendation, stability and field exposure.
9. Logical Network Design
The network connectivity in the ADEC school site Network Infrastructure design is as follows:
1 x 1 Gbps connectivity between the Core Switch and the WAN Router
4 x 1 Gbps connectivity between Core Switch and Wireless LAN Controller
2 x 1 Gbps connectivity between the Access Switch (standalone or stack) and the Core
Switch
2 x 1 Gbps connectivity between the Access Switch (stack extension) and the Access
Switch (stack origin).
1 x 1 Gbps connectivity between each Access Point and an Access Switch
All links between the Access Switch and Core Switch will be configured as trunks for the
following reasons:
o Trunk links are required to carry multiple VLANs between the Access Switch
and the Core Switch
All links between the Access Switch (stack extension) and the Access Switch (stack origin)
will be configured as trunks for the following reasons:
o Trunk links are required to carry multiple VLANs between the Access Switch (stack
extension) and Access Switch (stack origin)
All links between the WLC and the Core Switch will be configured as trunks for the
following reasons:
o Trunk links are required to carry multiple VLANs between the Access Switch
and the Core Switch
All trunks will be configured as Layer 2 trunks for the following reasons:
o Layer 2 trunks will extend the broadcast domain from the Access Switch to the
Core Switch
All trunks will be configured as Etherchannels for the following reasons:
o Using Etherchannels between the Access Switch and Core Switch removes the
Layer 2 loop which would exist when using multiple trunks between the Access
Switch and Core Switch
o Using Etherchannels between the Access Switch (stack extension) and Access
Switch (stack origin) removes the Layer 2 loop which would exist when using
multiple trunks between the Access Switch (stack extension) and Access Switch
(stack origin)
The link between the Core Switch and the WAN Router is a Layer 3 link for the following
reasons:
o There is no requirement for creating a layer 2 port facing the WAN Router
o The IP addressing for the link between the WAN Router and the Core Switch is a
/30 so there is no possibility of addressing another node other than the WAN
Router and the Core Switch.
It is important to note that all schools will follow the same logical network design. However, in
the large schools some of the C3850-F-S switches will be stacked. The number of switches in the
stack and the number of stacks in a school will depend on the specific port requirement in each
IDF.
9.2 VLAN
The table below shows the VLAN scheme provided by ADEC.
All VLANs will be configured and named in the configuration. These VLANs will be created on
both the Core Switch as well as the relevant Access Switches.
Note The colour of the patch cord for the Voice VLANs will be determined by the user type i.e.
Admin, Teachers, and IT Labs.
IT Labs
Admin
Teachers
Library
Note The ADEC requirement of having multiple voice VLANs will significantly increase
management and operational complexity, especially on small sites, without providing a security
improvement.
Cisco does not recommend deploying Voice VLAN and IP telephony without a proper
Quality of Service design.
9.4 IP Addressing
9.4.1 ADEC Address Allocation
The IP address space below will be implemented in the school sites.
10.0.0.0/8
The IP scheme for the allocation of /18 addresses to schools will be as follows:
The first eight most significant bits (first octet) in the IP scheme will always be 00001010
The next ten bits are used for assigning /18 addresses to each school. With ten bits a
maximum of 1024 x /18 address spaces can be allocated to schools.
The next six bits are used to allocate IP addressing to each VLAN. With six bits a total of
64 x /24 address spaces can be allocated to VLANs within a school (see note regarding
WLAN subnet).
The last 8 bits (last octet) in the scheme are reserved for host use.
<00001010>.<xxxxxxxx.xx><xxxxxx>.<xxxxxxxx>
<---8 bits--->.<----10 bits----><-6 bits->.<---8 bits--->
<----------------------------32 bits---------------------------->
Note The above IP address exclusions will reduce the total number of /18 address spaces
available to schools from 1024 to 740
9.4.3 IP Scheme
In every /24 the address will be allocated as follows:
IP Scheme
IP Address    Description
.1            Reserved for SVI on Core Switch
              SVI acts as the default gateway for the subnet
In addition to the above reservation, the VLANs in the table below have additional addresses
reserved as per the table.
VLANs IP Scheme
VLANs                       IP Addresses    Description
20, 21-25, 30-35, 60, 90    .2 - .20        Reserved for Network Peripherals
                            .21 - .250      Reserved for Hosts
In addition to the reservation in Table 29, the Management VLAN will have the following
reservations.
VLAN IP Scheme
VLAN    IP Addresses    Description
100     .2              Wireless LAN Controller
        .3 - .250       Reserved for Network Devices
A /30 address allocation will be reserved from each /18 address space. This /30 address will be
used for the link addressing between the Core Switch and the WAN Router. The /30 address
will be the last /30 address space available in the /18. The first available IP in the /30 will be
assigned to the WAN Router and the second available IP address will be allocated to the Core
Switch.
IP Allocation IP Scheme
IP Allocation     IP Addresses    Description
10.x.x.252/30     .253            WAN Router LAN Interface
                  .254            Core Switch uplink Interface
Note ADEC requires a /22 subnet size to be allocated for the Wireless LAN ‘Student’, which
consumes 4 of the 64 VLANs available in the school site.
Having a large IP subnet could increase broadcast traffic on this WLAN, which is not controlled by
the Access Port Storm Control feature.
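The bit layout and reservations above can be checked mechanically. The following is an added example, not part of the original design document: it derives a school's /18, a /24 inside it, the per-subnet reservations and the WAN /30 from the scheme as described. The function names are hypothetical, the school and subnet indices are the raw 10-bit and 6-bit values (the mapping of VLAN IDs to subnet indices and the excluded /18 ranges are not modelled), and the .2 - .20 and .21 - .250 split is the one given for the data VLANs.

```python
import ipaddress

SUPERNET = ipaddress.ip_network("10.0.0.0/8")  # address space stated in the design
SCHOOL_PREFIX = 18                              # 8 fixed bits + 10 school bits
VLAN_PREFIX = 24                                # + 6 subnet bits, 8 host bits remain


def school_block(school_index):
    """Return the /18 selected by the 10 school bits (before any exclusions)."""
    school_bits = SCHOOL_PREFIX - SUPERNET.prefixlen
    if not 0 <= school_index < 2 ** school_bits:
        raise ValueError("school index must fit in %d bits" % school_bits)
    base = int(SUPERNET.network_address) | (school_index << (32 - SCHOOL_PREFIX))
    return ipaddress.ip_network((base, SCHOOL_PREFIX))


def vlan_subnet(block, subnet_index):
    """Return the /24 selected by the 6 subnet bits inside a school /18."""
    subnet_bits = VLAN_PREFIX - SCHOOL_PREFIX
    if not 0 <= subnet_index < 2 ** subnet_bits:
        raise ValueError("subnet index must fit in %d bits" % subnet_bits)
    base = int(block.network_address) | (subnet_index << (32 - VLAN_PREFIX))
    return ipaddress.ip_network((base, VLAN_PREFIX))


def subnet_roles(subnet):
    """Per-/24 reservations: .1 SVI gateway, .2-.20 peripherals, .21-.250 hosts."""
    net = subnet.network_address
    return {
        "svi_gateway": net + 1,
        "peripherals": (net + 2, net + 20),
        "hosts": (net + 21, net + 250),
    }


def wan_link(block):
    """Last /30 of the /18: first usable address to the WAN Router, second to the Core Switch."""
    link = ipaddress.ip_network((int(block.broadcast_address) - 3, 30))
    wan_router, core_switch = link.hosts()
    return {"link": link, "wan_router": wan_router, "core_switch": core_switch}


def decode(address):
    """Split an address into (school index, subnet index, host octet)."""
    addr = ipaddress.ip_address(address)
    if addr not in SUPERNET:
        raise ValueError("%s is outside %s" % (addr, SUPERNET))
    value = int(addr)
    return (value >> 14) & 0x3FF, (value >> 8) & 0x3F, value & 0xFF


if __name__ == "__main__":
    block = school_block(6)  # constructed sample index
    print(block, vlan_subnet(block, 1), wan_link(block), decode("10.2.193.57"))
```

Decoding an address seen in a log back to its school and subnet index is the same arithmetic in reverse, which is useful when attributing traffic to a site.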
Each VLAN will have a Layer 3 VLAN interface configured on the Core Switch. The Layer 3
VLAN will act as the default gateway for all clients within the VLAN.
The Core Switch and Access Switch will both use a static default route for routing traffic. An IGP
could have been used but it would increase the complexity of the network design. The default
route on the Core Switch will point towards the WAN Router. The default route on the Access
Switches will point to the management SVI IP address configured on the Core Switch.
IP routing will be enabled on both the Core Switch and the Access Switch.
Access Ports will be protected by Port Security, ARP inspection, Storm Control and DHCP
Snooping. The following section describes the infrastructure security features that will be
implemented in the ADEC school site network infrastructure.
As soon as BAD traffic is identified, it should be added to the “BAD TRAFFIC ACL” so the BAD
policy of “drop everything” can be applied.
9.6.1.3 Rate
All punted traffic will be rate limited to protect against any Denial of Service (DoS) attacks. The
features in use in the ADEC network use hardware based forwarding. If any transit traffic is
punted to the CPU for processing this will be rate limited. Transit traffic is only punted to the
CPU when the features are not supported in hardware. The CoPP rate for punted traffic has been
set with the premise that very little transit traffic, if any, will be punted to the CPU for
forwarding or processing.
9.6.1.4 Catalyst 4507R-E Control Plane Policing
Control plane policing will be used in the Core Switch.
CoPP on the Core Switch will be enabled using the global macro function (called system-cpp).
The system-cpp macro automatically generates and applies CoPP policies to the control-plane.
The resulting configuration uses a collection of system defined class-maps for common Layer 3
and Layer 2 control-plane traffic. The names of all system defined CoPP class maps and their
matching ACLs contain the prefix "system-cpp-". By default, no action is specified on any of the
system predefined traffic classes.
A policing action will be used in the system predefined and user defined traffic classes to protect
the CPU from being overloaded.
Additional class maps will be configured which are specific to the ADEC network to protect
against any malicious users attempting to overload the CPU.
The additional Class Maps will classify and police the following traffic: SSH, SNMP, ICMP, IP
and Fragments.
In order to take effect, these user-defined class maps need to be added to the system-cpp-policy
policy-map.
Note The class class-default is special in Modular QoS CLI (MQC) because it is always
automatically placed at the end of every policy map. Match criteria cannot be configured
for class-default because it automatically includes an implied match for all packets.
Because of the nature of CoPP matching mechanisms, certain traffic types will always end up
falling into the default class. This includes traffic such as Layer 2 keepalives and some non-IP
traffic. Because these traffic types are required to maintain the network control plane, class-
default must never be policed with both conform and exceed being set with an action of
“drop”. It is generally considered best practice never to rate-limit the class class-default.
It is important to note that Storm Control configuration will be used only on the Access Ports of
the Access Switches which connect to the physical ports assigned to data VLANs.
The DHCP protocol itself does not contain any mechanism to prevent this from happening.
The malicious client simply needs to generate uniquely identifiable packets, which can be achieved
by using random source MAC addresses and then sending a DHCPDISCOVER per forged MAC
address.
When the DHCP server receives the DHCPDISCOVER messages it allocates an IP per message.
If enough DHCPDISCOVER messages are generated the DHCP IP address pool may be
exhausted.
Once the address pool has been exhausted, any incoming DHCPDISCOVER messages from
legitimate clients will not be serviced.
DHCP Scope Exhaustion can be prevented through the use of the Port Security feature. With the
port security feature it is possible to limit the number of MAC addresses sourced from a
particular port. If there are any additional MAC addresses learnt on that port the port is shut
down and the attack is prevented.
However, there are tools readily available which can send multiple DHCPDISCOVER messages
using a single source MAC and thus avoiding the Port Security protection mechanism.
This is done by randomizing a field in the DHCP packet called the Client Hardware Address
field while, at the same time, using a single unique Ethernet source MAC address.
From the DHCP perspective each DHCPDISCOVER message which contains a unique MAC
address constitutes a single valid request.
From the switch perspective a single MAC address is learned on the user’s port.
To thwart this type of attack Cisco has developed a mechanism called DHCP Snooping. With
DHCP Snooping the switch can inspect the contents of the DHCP packet and identify normal
behaviour.
DHCP Snooping will drop any packets where the packet is received on an untrusted interface,
and the source MAC address and the DHCP client hardware address do not match.
Once the rogue DHCP server is on the LAN segment, it receives by default all the
DHCPDISCOVER messages from clients seeking to acquire an IP address.
Both the legitimate and rogue servers will receive the DHCPDISCOVER message. At this point
we have what is known as a race condition between the rogue DHCP server and the legitimate
server.
As the rogue server is usually closer in proximity to the clients it will be the one which assigns
the IP address to the client.
When a client receives multiple DHCPOFFER messages it will use the first one it receives.
DHCP Snooping will be used to prevent these types of attacks. When DHCP is configured, hosts
are configured as untrusted. From the DHCP perspective hosts have no reason to generate
DHCPOFFER or DHCPACK messages; they are only supposed to issue DHCPDISCOVER and
DHCPREQUEST messages.
If a rogue DHCP host does generate a DHCPOFFER and DHCPACK message, the Access Switch
blocks the DHCPOFFER (and DHCPACK and DHCPNAK) messages from the attacker’s port
because the DHCPOFFER originates from an untrusted port on the Access Switch.
To protect from Wireless Rogue DHCP attacks, the WLC manages all DHCP requests from clients
and acts as a DHCP relay agent. DHCP requests from WLAN clients are not broadcast back
out to the WLAN; they are unicast from the WLC to a configured DHCP server. This
protects other WLAN clients connected to the WLC from rogue DHCP server attacks.
server the Access Switch uplink ports will be configured to trust incoming
DHCP server messages from the Core Switch.
All Access Switch Access Ports connecting to clients will be untrusted ports.
o Untrusted ports are not permitted to send DHCP server messages and as
such this will protect the network from rogue DHCP servers.
DHCP Snooping will be configured only on the Access Layer as this is where all wired users will
connect.
IP Source Guard is enabled when DHCP Snooping is enabled on an untrusted interface. After IP
Source Guard is enabled on an interface, the switch blocks all IP traffic received on the interface,
except for DHCP packets allowed by DHCP Snooping. A port Access Control List (ACL) is
applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP
source binding table and denies all other traffic.
The IP source binding table has bindings that are learned by DHCP Snooping or are manually
configured (static IP source bindings). An entry in this table has an IP address, its associated
MAC address, and its associated VLAN number. The switch uses the IP source binding table
only when IP Source Guard is enabled.
IP Source Guard is supported only on Layer 2 ports, including Access and Trunk ports. IP Source
Guard is configured with either source IP address filtering or with source IP and MAC address
filtering.
When IP Source Guard is configured to look at both the source MAC and IP address, IP traffic is
filtered based on the source IP and MAC addresses. The switch only forwards traffic when the
source IP and MAC addresses match an entry in the IP source binding table.
When IP Source Guard with source IP and MAC address filtering is enabled, the switch filters
IP and non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP
source binding, the switch forwards the packet. The switch drops all other types of packets
except DHCP packets.
The switch uses Port Security to filter source MAC addresses. The interface can shut down when
a Port Security violation occurs.
When IP Source Guard with source IP and MAC address filtering is required, DHCP
Snooping and Port Security must be enabled on the interface.
Note When IP source guard is enabled in IP and MAC filtering mode (port security option
displayed above), the DHCP Snooping option 82 must be enabled on access and supported
by the DHCP server to ensure that the DHCP protocol works properly. Without option 82
data, the switch cannot locate the client host port to forward the DHCP server reply.
Instead, the DHCP server reply is dropped and the client cannot obtain an IP address.
IP Source Guard will be configured on the Access Switches with source IP filtering. Filtering
using MAC address is not being used as the Port Security feature which is also being used on the
Access Ports will protect against any MAC spoofing attacks.
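The DHCP Snooping and IP Source Guard decisions described above can be traced with a small model. This is an added example, not code from the design document or from Cisco: it parses the client hardware address and message type out of a DHCP payload, applies the two untrusted-port checks (no server messages, source MAC must equal chaddr), learns a binding from a DHCPACK seen on a trusted port, and then filters by source IP. Port names, MAC addresses and IP addresses are constructed, and the binding table is simplified to port and IP (the real table also holds MAC and VLAN).

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}


def parse_dhcp(payload):
    """Extract (chaddr, yiaddr, message type) from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    if payload[2] != 6:
        raise ValueError("only Ethernet hardware addresses are handled")
    yiaddr = ".".join(str(octet) for octet in payload[16:20])
    chaddr = ":".join("%02x" % octet for octet in payload[28:34])
    pos, msg_type = 240, None
    while pos < len(payload) and payload[pos] != 255:  # 255 = end option
        if payload[pos] == 0:                           # pad option has no length byte
            pos += 1
            continue
        if pos + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if payload[pos] == 53 and length == 1:          # option 53 = DHCP message type
            msg_type = value[0]
        pos += 2 + length
    if msg_type is None:
        raise ValueError("no DHCP message type option")
    return chaddr, yiaddr, msg_type


class AccessSwitch:
    """Simplified model of DHCP Snooping plus IP Source Guard (source IP filtering)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.requesters = {}  # chaddr -> untrusted port the client request arrived on
        self.bindings = {}    # port -> source IPs learned from DHCPACKs

    def snoop(self, port, src_mac, payload):
        chaddr, yiaddr, msg_type = parse_dhcp(payload)
        if port not in self.trusted:
            if msg_type in SERVER_MESSAGES:
                return "drop: server message on untrusted port"
            if src_mac.lower() != chaddr:
                return "drop: source MAC differs from chaddr"
            self.requesters[chaddr] = port
        elif msg_type == ACK and chaddr in self.requesters:
            self.bindings.setdefault(self.requesters[chaddr], set()).add(yiaddr)
        return "forward"

    def source_guard_permits(self, port, src_ip):
        if port in self.trusted:
            return True
        return src_ip in self.bindings.get(port, set())


def sample_payload(chaddr, msg_type, yiaddr="0.0.0.0"):
    """Constructed fixture: a minimal DHCP payload used only by demo()."""
    op = 2 if msg_type in SERVER_MESSAGES else 1
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234ABCD, 0, 0)
    addresses = bytes(4) + bytes(int(o) for o in yiaddr.split(".")) + bytes(8)
    hardware = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")
    options = bytes([53, 1, msg_type, 255])
    return header + addresses + hardware + bytes(192) + MAGIC_COOKIE + options


def demo():
    """Run constructed traffic through the model and return each verdict."""
    sw = AccessSwitch(trusted_ports={"Po1"})  # uplink Etherchannel is trusted
    client = "00:11:22:33:44:55"
    return [
        sw.snoop("Gi1/0/5", client, sample_payload(client, DISCOVER)),
        sw.snoop("Gi1/0/9", "00:11:22:33:44:77",
                 sample_payload("00:11:22:33:44:66", DISCOVER)),
        sw.snoop("Gi1/0/7", "00:aa:bb:cc:dd:ee",
                 sample_payload(client, OFFER, "192.0.2.50")),
        sw.snoop("Po1", "00:de:ad:00:00:01",
                 sample_payload(client, ACK, "10.1.128.21")),
        sw.source_guard_permits("Gi1/0/5", "10.1.128.21"),
        sw.source_guard_permits("Gi1/0/5", "10.1.128.99"),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```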
The Wireless LAN Controller prevents users from broadcasting gratuitous ARP messages to each
other and therefore users cannot poison each other’s ARP caches.
Note Three MAC addresses should be allowed when an IP phone is connected to the secure port.
The IP phone contains a processor connected to an internal switch. That processor uses a
MAC address when it sends traffic. When the phone boots, the IP phone attempts to
discover (using CDP) the voice and data VLAN mappings. To do so, the phone generates
frames by using its MAC in the data VLAN, which is, at this point, the only VLAN of
which the phone is aware. Therefore, the switch temporarily sees three MAC addresses on
the port.
Automatic error disable recovery mechanisms will not be enabled. Therefore if the port goes to
shutdown/err disable mode due to a violation it has to be re-enabled manually after correcting
the cause of the violation.
This will bring the violation to the attention of the network administrator.
All user-facing ports will be hard-coded as Access Ports and placed in a static VLAN. This
silently drops DTP frames at the port level with no performance impact. With DTP frames
dropped, attempts to force the port into becoming a trunk fail.
Malicious users may attempt to move from one VLAN to another (VLAN hopping) using the
concept behind the native VLAN.
The following protection mechanism will be enabled in the ADEC network to protect against
double encapsulated 802.1Q nested attacks.
The native VLAN will not be cleared from the list of VLANs allowed across the trunk.
There are several “system” protocols (CDP, STP etc) which rely on the presence of the
native VLAN to function properly, and protocol-level compatibility between switches
might no longer be guaranteed without the native VLAN
The native VLAN traffic will be tagged as it crosses the trunks between the switches.
VLAN tagging will be configured on the Core Switch and Access Switches globally
Native VLAN tagging on the trunk port between the Core Switch and the WLC will be
disabled, as the WLC does not support native VLAN tagging. If Native VLAN tagging
were to be configured on the Core Switch and not on the WLC, native VLAN mismatches
would be detected on the Core Switch. The native VLAN tagging will be disabled on the
port-channel and the configuration will be replicated to the member ports.
Additional information regarding tagging the native VLAN can be found in the section
“Enhanced VLAN Security”
ARP attacks will be mitigated using Dynamic ARP Inspection which makes use of the DHCP
Snooping binding database. Please see the Dynamic ARP inspection and DHCP snooping
sections for further information.
DHCP services will be provided by a local “server”. The local “server” will be the local Core
Switch which will be used to provide IP addresses to WLAN Access Points as well as wired and
wireless clients.
9.7.1 DHCP
End user devices, such as the PCs in the IT Lab and staff laptops, will receive IP addresses from
the DHCP service running on the Core Switch.
The school site Core Switch DHCP solution will provide client devices with the IP address of the
existing DNS servers hosted in the ADEC HQ Data Centre.
The following rules will be followed in allocating DNS server addresses to clients via DHCP:
Clients on a subnet which is an even number (e.g. 10.1.128.x) will be configured with
Primary DNS 10.254.100.22, Secondary 10.212.100.22
Clients on a subnet which is an odd number (e.g. 10.1.129.x) will be configured with
Primary DNS 10.254.100.21, Secondary 10.212.100.21
Clients on a WLAN subnet which is an even number (e.g. 10.2.192.x) will be configured
with Primary DNS 10.254.100.22, Secondary 10.212.100.22
Clients on a WLAN subnet which is an odd number (e.g. 10.2.193.x) will be configured with
Primary DNS 10.254.100.21, Secondary 10.212.100.21
Note Cisco recommends using a centralized DHCP server. As ADEC currently do not have a
centralized DHCP server, the Core Switch will function as the DHCP Server as an interim
solution.
The DHCP relay agent will be configured on the Core Switch when a centralized DHCP server is
procured. The DHCP relay agent will be enabled on the Core Switch's Switch Virtual Interfaces.
The Switch Virtual Interface is the first Layer 3 hop and its role is to take the broadcast DHCP
request and forward it as a unicast IP packet to the DHCP server.
Therefore, the school site Core Switch will be used to provide IP addresses to WLAN Access
Points.
Cisco Aironet Access Points use the Type-Length-Value (TLV) format for DHCP option 43.
DHCP servers must be programmed to return the option based on the access point’s DHCP
Vendor Class Identifier (VCI) string (DHCP Option 60).
The HEX string provides the WLC IP address to the AP in HEX format. As this is different in
each school the HEX string must be tuned per school.
The calculation for defining the Hex string values is detailed below:
The hex string is assembled by concatenating the TLV values shown below:
The table below provides further information regarding each of the Hex string components.
For example, suppose that there are two controllers with the management interface IP addresses
listed below.
10.126.126.2
10.127.127.2
The table below depicts the component values for the above IP addresses.
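The hex string for the two controller addresses above can be generated and checked as follows. This is an added example, not part of the original document: it assumes the TLV layout Cisco documents for lightweight access points (suboption type 0xf1, length equal to four times the number of controllers, value equal to the controller management addresses in sequence), since the component tables are not reproduced here. The function names are hypothetical.

```python
import ipaddress

# Assumption: 0xf1 is the suboption type Cisco documents for lightweight APs.
SUBOPTION_TYPE = 0xF1


def encode_option43(controller_ips):
    """Build the option 43 hex string for a list of WLC management addresses."""
    if not controller_ips:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([SUBOPTION_TYPE, len(value)]) + value).hex()


def decode_option43(hex_string):
    """Validate a hex string and return the controller addresses it carries."""
    # Separators such as dots or spaces are ignored so pasted strings can be checked.
    cleaned = "".join(ch for ch in hex_string if ch not in ". \t")
    raw = bytes.fromhex(cleaned)
    if len(raw) < 2:
        raise ValueError("string is shorter than a TLV header")
    tlv_type, length, value = raw[0], raw[1], raw[2:]
    if tlv_type != SUBOPTION_TYPE:
        raise ValueError("unexpected type 0x%02x" % tlv_type)
    if length != len(value):
        raise ValueError("length field %d does not match %d value bytes" % (length, len(value)))
    if length == 0 or length % 4:
        raise ValueError("value must hold one or more whole IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    controllers = ["10.126.126.2", "10.127.127.2"]  # the two addresses from the text
    hex_string = encode_option43(controllers)
    print(hex_string)
    print(decode_option43(hex_string))
```

Running the decoder over the string configured for each school catches a wrong length byte or a mistyped octet before access points fail to find their controller.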
9.7.4 DNS
The domain name lookup feature available in Cisco IOS will not be enabled.
The ‘ip domain lookup’ feature is enabled by default in Cisco IOS devices. The domain lookup
feature in every IOS device will be disabled.
The ‘ip domain lookup’ feature will attempt to execute a domain lookup for CLI commands
which are not Cisco IOS commands. Entering non IOS commands into the CLI can happen in
two cases.
ADEC will not use the IOS devices to perform DNS resolution and as such the ‘ip domain
lookup’ feature will be disabled.
The Infrastructure devices will be configured with the ADEC internal network domain name.
The ADEC domain name is:
adec.ae
9.7.5 NTP
Network Time Protocol (NTP) is used to synchronize the clocks of all network infrastructure and
wireless infrastructure devices across a network. The local NTP client, which runs on the device,
accepts time information from other remote time servers and adjusts its clock accordingly.
Synchronization of the clocks within a network is critical for the correct interpretation of events.
The following considerations have been made for the deployment of NTP in ADEC school sites:
Define a trusted time source and configure all devices as part of an NTP hierarchy.
ACLs will be used on the Core Switch to specify which network devices are allowed to
synchronize with which other network devices.
Note The NTP server in the Core and Access switches should be used for network infrastructure
components only. For stability reasons it is not recommended to use the Core Switch as an NTP
server for all user clients (NTP polling requires CPU cycles).
9.8.1 Trunking
In the ADEC network trunk configuration exists between:
Catalyst 4507R-E Core Switch and the Catalyst C3850-F-S Access Switches.
Catalyst C3850-F-S Access Switch (Stack Origin) and C3850-F-S Access Switch (Stack
Extension).
Standard based
Less overhead
The Core Switch with the SUP6L-E supervisor does not support ISL trunking and hence it is not
required to specify dot1q trunking. This is different to the Access Switch where dot1q must be
specified.
Only required VLANs will be allowed onto the trunks. All other VLANs will be removed.
The allowed VLAN list will be enabled directly on the Etherchannel. This will ensure consistency
of VLANs allowed across the Etherchannel links.
Note The native VLAN will be allowed over the trunk. In the ADEC network VLAN 999 will be
the native VLAN.
By enabling Native VLAN tagging on the switch, egress Native VLAN traffic will be tagged and
the switch will drop untagged Native VLAN traffic on ingress.
If this option is enabled on one switch and disabled on another switch, all traffic is dropped; all
switches must have this option configured identically.
9.8.2 Etherchannel
Etherchannels will be configured between the following devices:
Bundling the physical links into a single Etherchannel maximises the bandwidth available in the
network.
11-20 reserved for the Etherchannel between the Core Switch and Access Switch
LACP will be used in the Etherchannels as PAgP does not support cross-stack EtherChannels.
This is a limitation with the PAgP implementation in IOS.
Note Cisco IOS software creates port-channel interfaces for Layer 2 Etherchannels when you
configure Layer 2 Ethernet interfaces with the channel-group command.
9.8.2.3 Etherchannel between Access Switch (stack origin) and Access Switch
(Stack Extension)
An Etherchannel will be provisioned between the Access Switch (Stack Origin) and Access
Switch (Stack Extension).
LACP will be used in the Etherchannels as PAgP does not support cross-stack EtherChannels.
This is a limitation with the PAgP implementation in IOS.
Note Cisco IOS software creates port-channel interfaces for Layer 2 Etherchannels when you
configure Layer 2 Ethernet interfaces with the channel-group command.
This Etherchannel will be configured in the “on” mode as PAgP or LACP is not supported on the
Wireless LAN Controller.
The Etherchannel member ports will be spread over two line cards for redundancy purposes.
The Core Switch ports will be configured as 802.1Q trunk ports. When configuring trunking on
the Core Switch, only the required VLANs will be allowed on the trunk. The required VLANs
will consist of those supporting the Wireless LAN Controllers’ AP-Manager interface,
Management interface, Native VLAN and all client Wireless LANs (WLANs).
All unneeded VLANs will be pruned from the trunks. Pruning unneeded VLANs allows the
WLC to process only relevant frames, resulting in improved performance.
The etherchannel guard misconfig feature will be enabled in order to detect any
misconfigurations.
Data/Voice Port
CCTV Port
Access Point Port
All Access Ports will be configured with static mode access as well as being configured with
spanning tree portfast. If ports are not configured as static mode access and were left to negotiate
their mode, it will be possible for a user to connect to a port and negotiate a trunk mode with the
switch. This user would then have full access to the VLANs configured on that switch.
The list below provides further detail for each type of port.
The Data/Voice ports will be configured with a data VLAN and Voice VLAN.
The CCTV Access ports will be configured with a single VLAN.
The Access Point ports will be configured with a single VLAN.
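The trunk and access-port rules above can be checked against a saved switch configuration. The following audit is an added example, not part of the design document; the sample configuration, interface names and all VLAN IDs other than the native VLAN 999 are constructed for illustration.

```python
"""Audit IOS interface stanzas against the Layer 2 port rules of this design."""
import re

NATIVE_VLAN = "999"  # native VLAN stated in the trunking section

# Constructed sample configuration; VLANs 10-40 are illustrative only.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Data/Voice port
 switchport access vlan 10
 switchport voice vlan 20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description CCTV port left to negotiate its mode
 switchport access vlan 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description Access Point port
 switchport access vlan 40
 switchport mode access
!
interface Port-channel11
 description Trunk to Core Switch
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,999
 switchport mode trunk
!
interface Port-channel12
 description Trunk with no VLAN restriction
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Map each interface name to the list of its (stripped) config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit_interface(lines):
    """Return the list of rule violations for one switchport stanza."""
    findings = []
    if "switchport mode trunk" in lines:
        if f"switchport trunk native vlan {NATIVE_VLAN}" not in lines:
            findings.append(f"trunk native VLAN is not {NATIVE_VLAN}")
        allowed = [l for l in lines
                   if l.startswith("switchport trunk allowed vlan ")]
        if not allowed or any(l.split()[-1] == "all" for l in allowed):
            findings.append("trunk has no explicit allowed VLAN list")
    elif "switchport mode access" in lines:
        portfast = any(l.startswith("spanning-tree portfast")
                       and not l.endswith("disable") for l in lines)
        if not portfast:
            findings.append("access port without spanning-tree portfast")
    else:
        # No static mode: the port is left to negotiate and may become a trunk.
        findings.append("port mode not static; trunk negotiation is possible")
    return findings


def audit_config(config):
    """Return {interface: [findings]} for every non-compliant switchport."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if name.lower().startswith(("vlan", "loopback")) or "no switchport" in lines:
            continue  # SVIs and routed ports are outside these rules
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for port, problems in audit_config(SAMPLE_CONFIG).items():
        for problem in problems:
            print(f"{port}: {problem}")
```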
9.8.4 VTP
The network devices will be configured with VTP mode transparent for definitive configuration.
Configuring VTP mode as transparent will remove the possibility of a user accidentally deleting
VLANs via a misconfiguration or when provisioning new switches.
ADEC has a loop free topology, however to protect against accidental loops being created, for
instance if a loop is created at the port, STP will be configured.
In a valid configuration, PortFast Layer 2 LAN interfaces do not receive BPDUs. Reception of a
BPDU by a PortFast Layer 2 LAN interface signals an invalid configuration, such as connection of
an unauthorized device.
BPDU Guard provides a secure response to invalid configurations because the administrator
must manually put the Layer 2 LAN interface back in service.
9.8.5.4 LoopGuard
The LoopGuard feature provides additional protection against Layer 2 forwarding loops (STP
loops). An STP loop is created when an STP blocking port in a redundant topology erroneously
transitions to forwarding state. This usually happens because one of the ports of a physically
redundant topology (not necessarily the STP blocking port) stopped receiving STP BPDUs. In its
operation, STP relies on continuous reception or transmission of BPDUs, depending on the port
role (designated port transmits, root port receives BPDUs).
When one of the root ports in a physically redundant topology stops receiving BPDUs, the STP
conceives the topology as loop free. Eventually, the blocking port from the alternate or backup
port becomes designated, and moves to forwarding state, thus creating a loop.
With LoopGuard enabled, an additional check is made. If BPDUs are no longer received on a root
port and LoopGuard is enabled, that port will be moved into the STP loop-inconsistent blocking
state instead of moving to the listening / learning / forwarding state. Without LoopGuard, the
port would assume the designated port role. The port would move to STP forwarding state, and
thus create a loop.
The LoopGuard feature will be enabled on root and alternate ports for all possible combinations
of active topologies. Activating LoopGuard on root and alternate ports will be “automated” by
configuring the feature globally in which case we apply it automatically to all VLANs and all
non-designated ports.
Note UDLD needs to be enabled on both Core and Access switches.
If UDLD detects an inconsistency, the port is transitioned to ‘err-disable’ state, and manual
action is needed to re-activate the port.
Note It must be noted that extended system-id is enabled by default on Catalyst C3850-F-S
switches. As the extended system-id is enabled by default, no further action is required.
SNMPv3 and SSH will be used to manage the devices; access to the management VLAN will be
protected by an ACL.
A management Switch Virtual Interface (SVI) will be configured on each Access Switch.
The WLC and the Access Switches will contain a default gateway which will point towards the IP
address configured on the Core Switch management SVI.
9.9.3 Logging
Log Severity Levels - When logging, it is important to capture the necessary amount of
information. The granularity of detail in logging information can also be configured to one of
eight levels, as shown below:
The lower the level number, the higher the severity level. A good level of general logging for
everyday information capture is “informational”. Additional detail can be captured with the
“debug” level, but should only be used temporarily for specific situations. Debug logging levels
can become extremely processor intensive thereby impacting system performance.
The logging level will be set to capture warning and critical events. These events can be captured
by using IOS logging level 4.
With the date/time correctly set on the router, the timestamps provide the proper day/time of
the log messages. The date and time will be synchronised from the NTP server.
Sequence numbers will be enabled which indicate the sequence in which messages that have
identical time stamps were generated. Knowing the timing and sequence that messages are
generated is an important tool in diagnosing potential attacks.
A buffered value of 65536 will be used. It is possible to use a larger buffer size, however it is not
recommended as the buffer allocation comes from the system DRAM which is required for other
important functions.
Console logging may later be enabled when required, such as during a debugging or
troubleshooting session.
CDP will be configured between devices which are managed by ADEC. CDP can simplify the
troubleshooting process and can also be used by NMS devices when discovering the network.
CDP will be permitted between the following devices only:
By default, Cisco routers support multiple TCP and UDP services to facilitate management and
integration into existing environments. For the ADEC school site implementation, services that are
not required will be disabled or access to them restricted to reduce overall security exposure.
9.9.5.5 IP Redirects
IP Redirect messages are enabled by default, and instruct an end device to use a specific router in
its path to a destination. By design, a router will send redirects only to hosts on its local subnet,
no end device will ever send a redirect, and no redirect will be sent more than one network hop
away. However, an attacker may violate these rules to launch an attack on a network. ADEC does
not require IP Redirects and as such they will be disabled on all network infrastructure devices.
Disabling the DHCP server or relay agent on devices will mitigate a potential for Denial Of
Service (DOS) attacks.
The DHCP service on the Core Switch will be left enabled, as the Core Switch will act as a DHCP
server.
The TCP synwait time will be set to 10 seconds on the WAN router.
Local usernames and passwords will be configured on the Access Switches and Core Switch for
authenticating users.
Access via the VTY lines will be locked down to access from specific source addresses on the
NMS subnet in the ADEC Head Quarters.
9.9.7.5 Limiting Remote access to SSH
SSH will be permitted to manage the infrastructure devices.
Note When prompted for the size of the RSA key modulus, specify a value greater than 768 bits as
this is a requirement to use SSHv2.
Note The ADEC requirement for specifying a 5 minute timeout cannot be met as the maximum
SSH timeout value which can be specified is 120 seconds which is 2 minutes. It has
therefore been set to 120 to be as close to the requirement as possible.
With tiered access privileges the network administrators can assign a username and password
with different privileges to network support staff. User accounts with the following privileges
will be configured.
Privilege level 15
Privilege level 0
Privilege level 15 will allow the user full unrestricted access to the device. This level of access is
given to senior network administrators only.
Privilege level 0 will allow the user full exec level access. No configuration changes are
permitted at exec level. At this level the user can issue show commands. This level of access is
given to network support staff.
To enforce the above policy an ACL will be configured on the Management SVI on the Core
Switch.
To enforce the above policy an ACL will be configured on the Guest SVI on the Core Switch.
A login banner will be configured on every device stating that access is restricted.
When using TCP to send keystrokes between machines, TCP tends to send one packet for each
keystroke typed, which can use up bandwidth and contribute to congestion on larger networks.
John Nagle's algorithm (RFC 896) helps alleviate the small-packet problem in TCP. The first
character typed after connection establishment is sent in a single packet, but TCP holds any
additional characters typed until the receiver acknowledges the previous packet. Then the
second, larger packet is sent, and additional typed characters are saved until the
acknowledgment comes back. The effect is to accumulate characters into larger chunks, and pace
them out to the network at a rate matching the round-trip time of the given connection.
10. Wireless Infrastructure
Mobility Platform: Access Points dynamically configured and managed through Control And
Provisioning of Wireless Access Points (CAPWAP).
Network Unification: Wireless LAN Controller provides integration of the wired and wireless
network for unified network control, scalability, security and reliability.
The Access Points will utilize the Access Layer network to connect wireless clients to the ADEC
network infrastructure. The solution utilizes a centralized architecture, where the processing of
802.11 data and management protocols and Access Point capabilities is distributed between a
lightweight Access Point and a centralized Wireless LAN Controller as shown in the figure
below.
Time-sensitive activities, such as beacon handling, handshakes with clients, Media Access
Control (MAC) layer encryption, and Radio Frequency (RF) monitoring, are handled in the
Access Point. All other functions are handled in the Wireless LAN Controller, where system-
wide visibility is required. This includes 802.11 management protocol, frame translation, and
bridging functions, as well as system-wide policies for user mobility, security, QoS, and real-time
Radio Frequency (RF) management.
Communication between the Wireless LAN Controller and the lightweight Access Points is
enabled using the Control and Provisioning of Wireless Access Points protocol (CAPWAP).
CAPWAP also defines the tunneling mechanism for data traffic.
In the ADEC deployment, CAPWAP will be used for the communication between the Wireless
LAN Controller and the access points.
The Cisco 5508 Wireless LAN Controller is selected because it is software license based. In the ADEC
deployment, 50 and/or 25 licenses will be deployed. The integrated WLC and Wireless LAN
Module, installed in the WAN router, both come with fixed licenses, hence are not recommended
for the ADEC school site implementation.
The latest software release 6.0.199.0 is selected, as it has been deployed in many enterprise
customers. Although previous software versions support the same features as the latest release,
there are bugs in the previous versions that have been rectified in the latest release.
10.3.1 Coverage
Coverage defines the ability of wireless clients to connect to a wireless Access Point with a signal
strength and quality high enough to overcome the effects of RF interference. The edge of the
coverage area for an Access Point in a data network is based on the signal strength and Signal-to-
Noise Ratio (SNR) measured as the client device moves away from the AP. The signal strength
required for good coverage will vary depending on the specific type of client devices and
applications on the network. To determine the edge of the coverage for a data network, refer to
the values listed in the table below.
A site survey will be conducted to maintain the required signal strength in the critical, normal
and lite areas; however location and installation of Access Points in the school sites will meet the
ADEC requirements for coverage and signal strength as depicted in the table below.
Coverage not required: No coverage is planned for Mosque, outdoor/playground and washroom
Library Theatre
Conference Room Science Lab
Art /Music Room
Sports Room
10.3.2 Capacity
An individual wireless Access Point has the capacity to handle 20 to 25 concurrent data client
associations. However, because a wireless LAN is a shared medium and acts as a wireless hub,
the performance of each user decreases as the number of users on an individual Access Point
increases. The user count will be taken into account during the site survey process, and
an appropriate number of APs will be deployed.
Additional bandwidth in the selected areas will be provided in the future by adding APs as
required.
Channel Binding should only be done in the 5GHz frequency range since there are up to 21
channels to use. In the 2.4GHz range there are only 3 channels (1, 6 and 11), therefore, channel
binding is not feasible.
In the ADEC deployment, channel bindings will not be provisioned for 802.11g/n mode due to
the limited number of channels.
The Cisco Aironet 1140 a/g/n and Cisco Aironet 1260 a/g/n Access Points will be mounted on
the smooth ceiling or below standard suspended ceiling. Side wall mounting will be used where
ceilings are high or running a conduit through the crown moulding is not feasible. Mounting the
Access Point above the ceiling may be preferred for aesthetics or security reasons, but can cause
issues with coverage and interference. Mounting the Access Point below the suspended ceiling
provides easier physical access and visibility of the status LEDs, making support easier.
The Access Points will be mounted below the suspended ceiling in the ADEC school site
implementation.
Because the Access Point is a radio device, it is susceptible to interference that can reduce
throughput and range. To ensure the best possible performance, the Access Points will be
installed in areas where metal structures such as shelving units, bookcases, filing cabinets, and
metal grid work do not block the radio signals to and from the Access Point.
The Access Point will be installed away from microwave ovens. Microwave ovens operate on the
same frequency as the Access Point and can cause signal interference.
The Access Point will be installed at least 6 to 8 feet away from any other radio antenna systems.
The energy from other radio transmitters can overpower the Access Point’s receiver and act like
noise, reducing the signal-to-noise ratio.
A single Category 6 (CAT6) data cable will be run from the nearest Intermediate Distribution
Frame (IDF) to each Access Point’s location. Note that the limitation of the cable run from the
IDF to the AP is 90 meters. Structured cabling in the school site will connect to the RJ-45 auto-
sensing 10/100/1000 Mbps Ethernet port on the Access Point. During the physical installation of
the Access Point it is important to document the MAC address and physical location of all Access
Points. This information will be required when naming the Access Points after connecting them
to the Wireless LAN Controller.
Cisco lightweight APs by default obtain their IP address via DHCP. The Core Switch will service
DHCP requests and will provide the APs with an IP Address.
The WLC configuration guidelines indicate that enabling portfast mode on the Access Switch
allows the Access Point to rejoin a Wireless LAN Controller approximately 30 seconds faster
after a reboot. Portfast will be enabled on the switch port.
Cisco Aironet Access Points use the Type-Length-Value (TLV) format for DHCP Option 43.
DHCP servers must be programmed to return the option based on the access point's DHCP VCI
string (DHCP option 60).
When configuring DHCP servers to offer Wireless LAN Controller IP addresses as Option 43 for
Cisco Aironet lightweight Access Points, the format of the TLV block is:
Type: 0xf1 (decimal 241)
Length: Number of controller IP addresses * 4
Value: List of WLC management interfaces (typically translated to hexadecimal values)
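The TLV layout above, worked through for the two example controller addresses given earlier in this design (10.126.126.2 and 10.127.127.2). This is an added example, not part of the design document; the function names are illustrative, and the parser also accepts the hex digits grouped with dots or colons.

```python
"""Build and parse the DHCP Option 43 value for Cisco lightweight APs."""
import ipaddress

OPTION43_TYPE = 0xF1  # type 241, as stated in the text


def build_option43(wlc_ips):
    """Return the Option 43 hex string for a list of WLC management IPs."""
    if not wlc_ips:
        raise ValueError("at least one controller address is required")
    value = b""
    for ip in wlc_ips:
        # IPv4Address rejects malformed input such as a trailing dot.
        value += ipaddress.IPv4Address(ip).packed
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    # Type (1 byte) + Length (number of controllers * 4) + Value
    return (bytes([OPTION43_TYPE, len(value)]) + value).hex()


def parse_option43(hex_string):
    """Decode an Option 43 hex string back to controller IPs.

    Validates type, length and value so that a string tuned incorrectly
    for a school is caught before it is placed on the DHCP server.
    """
    cleaned = hex_string.replace(".", "").replace(":", "").strip()
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(raw) < 2:
        raise ValueError("truncated TLV: type and length bytes are missing")
    tlv_type, length, value = raw[0], raw[1], raw[2:]
    if tlv_type != OPTION43_TYPE:
        raise ValueError(f"unexpected type 0x{tlv_type:02x}, expected 0xf1")
    if length != len(value):
        raise ValueError(
            f"length byte says {length} but {len(value)} value bytes follow")
    if length == 0 or length % 4:
        raise ValueError("value must hold one or more 4-byte IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, length, 4)]


if __name__ == "__main__":
    controllers = ["10.126.126.2", "10.127.127.2"]
    hex_string = build_option43(controllers)
    print(hex_string)
    print(parse_option43(hex_string))
```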
The Core Switch in each school site will be used as a DHCP server to provide the IP addresses to
the Access Points. The Wireless LAN Controller will be configured as a secondary DHCP server
to provide IP addresses, in the event of failure of the primary DHCP server, to wireless clients
only.
The power draw listed does not include factors such as voltage and cable resistance. These
factors have been considered when selecting a power option.
For ADEC school implementation, Cisco PoE+ Access Switches will be used to provide inline
power to the access points.
Note Once an AP obtains its IP address through DHCP, the AP will attempt to join a WLC using
pre-configured WLC information. The AP will try to communicate with the WLC and
download its configuration and firmware upgrades if available.
All the wireless users in the school will have seamless roaming except for areas where coverage is
excluded.
10.6.4 RF Planning
10.6.4.1 Radio Transmit Power and Channel Assignment
The AP radio’s Transmit Power setting significantly impacts the coverage of the AP (i.e., “cell
size”). Using higher power levels will increase the range in which clients can associate with the
Access Point. In contrast, using lower power levels will reduce both the AP cell size and
interference between cells and increase the capacity of the wireless LAN.
For 2.4 GHz networks, 3 non-overlapping channels are available. These channels represent
scarce resources that must be properly allocated and managed in order to minimize interference
and maximize performance in a multi-AP environment such as a school campus. Access Points
are usually deployed in cellular fashion within an enterprise where adjacent Access Points are
allocated non-overlapping channels.
The Wireless LAN Controller dynamically configures the radio transmit power and channel
assignments for Access Points. It will analyse the RF environment to optimize the Transmit
Power setting and minimize black hole effect based on radio resource monitoring information
reported by Access Points. Similarly, the Wireless LAN Controller’s dynamic channel
assignment capabilities are useful in minimizing co-channel interference between adjacent APs.
Because the RF environment may change over time, to maintain stability of AP RF settings,
dynamic power and channel assignment will update in 10 minute intervals. To provide this
ease of administration and flexible configuration of the RF environment, dynamic power and
dynamic channel assignment will be used at the ADEC. Dynamic power and channel
assignments, however, behave differently in various environments and will need to be tested in
each school. In addition to testing, manual tuning of RF power and channel settings may need
to be validated and optimized during the optimization exercise to achieve optimal performance.
Critical Admin areas within each school site have been defined by ADEC where sufficient AP
overlap will be provisioned to provide RF coverage in case of an AP failure.
The ADEC data security policy requires that wireless network access has Open authentication
and strong levels of standards-based encryption. ADEC will have WPA and WPA2 compliant
Staff and Student users on their wireless network. Guest users will use Captive Portal to connect
to the Intranet.
Authentication and data encryption are the key components of wireless LAN security to help
prevent unauthorized users from accessing the network and compromising confidential
information.
10.6.6.1 Data Clients
In the ADEC school site implementation, Staff and Student users will be using
username/password credentials in the Captive Portal, along with WPA/WPA2 encryption to
connect to the wireless infrastructure. Guest users will connect to the wireless infrastructure
using the Guest SSID and no encryption. Guest users will be provided with username/password
credentials via Captive Portal to access the internet only.
The following client exclusion policies will be enabled in the ADEC implementation.
Client Exclusion will be enabled in the WLC for all the SSIDs.
ADEC will manually contain the Access Points classified as “Rogue” using the Wireless LAN
Controller.
Access to WLC will be provided to the school Principal to create usernames and passwords for
all the wireless clients.
Access to WLC will be provided by using local username and password as per ADEC policy.
Both successful and failed user attempts will be logged by default on the WLC.
The ADEC network is a Layer 3 infrastructure with a collapsed Core/Distribution and Access
Layers. The Layer 3 infrastructure separates the Wireless LAN Controllers from the AP
connected to the Access Switches. AP-manager interface(s) are configured in the same subnet as
the management interface; separate subnets are used for the APs.
Note The WLAN controller acts as a switch where multiple VLANs can be configured, but inter-
VLAN connectivity is only possible via an L3 device. A Default Gateway will be configured
for each interface (except service-port).
In the event of a failure to the Primary DHCP server, the Wireless LAN Controller will be used as
a Secondary DHCP server for wireless clients only. Lease time in the WLC will be configured for
8 hours.
Note There is no need for “ip helper-address” on the switch because the DHCP relay function of
the WLC will unicast the DHCP request to the DHCP server.
It is possible for an AP to get WLC info from another AP using OTAP (Over The Air
Provisioning). This will be disabled for security reasons.
This parameter allows a controller managing multiple neighbouring APs to load balance users
among them. This function applies per controller and requires adjacent APs to be connected to
the same WLC. In order to be activated, the following conditions should be met:
The user should receive a good signal from at least two APs
The busiest AP should have at least “window” (pre-defined variable) users more than the
second, less busy, AP.
If these conditions are met, both APs are associated to the same controller, and Aggressive Load
Balancing is enabled, a user will be pushed to associate to the less busy AP.
Aggressive Load Balancing will be disabled to achieve consistent user experience and avoid
unnecessary roaming from one Access Point to another.
LAG Mode will be enabled to form an Etherchannel with the Core Switch. The Etherchannel will
provide higher bandwidth as well as redundancy between the Core Switch and the WLC.
LWAPP mode – L3
LWAPP mode will be configured for L3. The LWAPP tunnel will be formed using the WLC AP-
manager IP address.
Multicast will be “Disabled” (No multicast traffic). In ADEC school site implementation, there are
no multicast requirements on the wireless network.
The mobility group is used to define the roaming domain. “@DEC4580” will be used as Mobility
Domain Name across all ADEC school sites.
An RF network links all controllers among which roaming will be possible, using the RF
proximity coverage. If two locations are too far from each other, they could still be part of a single
mobility group, however two RF networks will be required as roaming between separate
buildings would not be possible.
“ADEC” will be used as the RF Network Name across all the schools.
Dynamic Interfaces for the SSID for the traffic leaving the controller will be added. These
interface names will typically be referred to in the WLAN configuration when mapping the
SSID directly to a VLAN.
1. Staff
2. Student
3. Guest
A WLAN will be configured for each SSID. A single WLAN is configured during the initial setup.
The other SSIDs will be configured after the initial configuration wizard process.
An HTTPS web session timeout value of 30 minutes will be used on the WLC. This value cannot
be set lower than 30 minutes as this is a limitation of the WLC 5508.
Telnet will be disabled and SSH will be used for remote management.
ADEC have requested an SSH timeout of 5 minutes. The default timeout setting on the WLC
will be set to 5 minutes.
10.9.8.4 NTP
The configuration of correct time on the Wireless LAN Controller is critical for the correct
working of the wireless network.
NTP is required for the usage of X.509 certificate on the Access Point. The X.509 certificate is used
during the CAPWAP join process with the Wireless LAN Controller. The validity interval begins
at the time the X.509 certificate is provisioned on the Access Point at the factory, so it is extremely
important to keep the Wireless LAN Controller date and time accurate and current.
The timing on the Wireless LAN Controller will be set correctly via NTP servers (wireless
controller being an NTP client). The Wireless LAN Controller will use the school site Core Switch
as the NTP server.
10.9.8.5 WLC Login Banner
A login banner will be downloaded from a file using the GUI. The login banner is the text that
appears on the screen before user authentication when the Wireless LAN Controller is accessed
via the GUI or CLI using Telnet, SSH, or a console port connection.
The login banner information will be saved as a text (*.txt) file on the WLC, however the text file
cannot be larger than 1500 bytes and cannot have more than 18 lines of text.
WLC Login Banner will be used in the ADEC school site implementation.
IP Surveillance System - CCTV
Specifications for ADEC Schools
October 2013
Ver 1.0
IP Surveillance System (CCTV) - Specification for ADEC Schools
Revision History
Revision Number | Revision Date | Summary of Changes | Author(s)
Reviewers
Approvals
Table of Contents
1 Introduction
1.1 About ADEC
1.2 CCTV Requirements / Specifications for ADEC Schools
1.3 Definitions and abbreviations
1.4 Codes & Standards
2 General Requirements
2.1 Security Requirements for ADEC Schools / Education Institution
2.1.1 Cameras:
2.1.2 Observation criteria:
2.1.3 Live monitoring and control room:
2.1.4 Recording requirements:
2.1.5 Lighting:
2.1.6 Transmission:
2.1.7 Intrusion Detection System:
2.1.8 CCTV Installation requirements:
2.1.9 Power:
2.1.10 Maintenance
2.1.11 Documentation:
2.1.12 Training:
2.1.13 Signage:
2.1.14 General CCTV Distribution locations:
2.2 Technical Requirements as per Abu Dhabi Monitoring & Control Center (MCC)
2.2.1 General
2.2.2 Technical Requirements
2.3 Specifications & Scope of Services
2.3.1 IP Surveillance camera – Indoor IP Camera
2.3.2 IP Surveillance camera – Indoor Speed Dome (If required)
2.3.3 IP Surveillance camera – [Outdoor Camera with Built-in IR]
2.3.4 IP Surveillance camera – Outdoor PTZ Camera (If required)
2.3.5 Video Surveillance Management System:
2.3.6 NVR and Storage Specifications:
2.3.7 Storage
2.3.8 Pre-approved Manufacturers List:
1 Introduction
1.1 About ADEC
The Abu Dhabi Education Council was set up in September 2005 by His Highness General Sheikh
Mohammed Bin Zayed Al Nahayan, Crown Prince of Abu Dhabi and Deputy Supreme Commander
of the UAE Armed Forces.
The Abu Dhabi Education Council is an independent corporate body and enjoys full legal status, as
well as financial and administrative independence in all its affairs. It has its headquarters in Abu
Dhabi and has the right to set up its branches and offices inside or outside the UAE.
ADEC seeks to develop and implement innovative educational policies, plans and programs that aim
to improve education in the Emirate of Abu Dhabi and support educational institutions and staff in a
manner that helps achieve the following objectives of national development:
• Participate in the Emirate’s educational planning process within the framework of the UAE
general education policy and in coordination with the Ministry of Education
• Prepare studies and proposals for the advancement of education and vocational training
and for the enhancement of all educational institutions and their staff to enable them to
remain in line with current development in all fields
• Support and enhance the relationship between educational institutions and the private
sector and improve the academic and professional level of graduates, training them, and
enhancing their employment opportunities
• Provide support and technical assistance to educational institutions and coordinate their
activities in a way that enables them to implement their individual educational plans
The system shall be designed, engineered, furnished, delivered, installed and tested to ensure it is
fully operating and free of engineering, installation, system operation and Original Equipment
Manufacturer (OEM) defects, providing a "turnkey" installation. The bidder must also be certified in
installing and supporting the system equipment of the manufacturer from which it is supplied.
The system must have three types of recording: motion, continuous and video analytic
recording (record only when humans are present). The system design shall enable the end user to
monitor the CCTV live footage anywhere in the school over the network.
All the CCTV Systems, Storage, Recorders, NVRs etc., should be kept in MDF / Cabinets on the
specified rack units.
2 General Requirements
2.1 Security Requirements for ADEC Schools / Education Institution
2.1.1 Cameras:
Color cameras shall be used for indoor location with guaranteed illumination of minimum 20 Lux. For
outdoor application and for indoor locations where lighting cannot be guaranteed, day/night cameras
with mechanical IR cut filter shall be used. The camera selection shall be primarily based on the
observation criteria and the lighting conditions. For Analog cameras the resolution shall be minimum
540TVL; and for digital cameras the resolution selection shall be based on the observation criteria.
WDR cameras shall be used for locations where light intensities vary greatly.
The selection of camera and lens for any location shall be based on certain observation criteria.
The observation criteria are classified into four general categories, which are based on the relative
size of a 1.6 meter tall person appearing on a monitor screen.
Security Control room with dedicated personnel shall be used for live monitoring of cameras; the
operators will be trained for the daily operations and event response. Control room shall be
operational on a 24 hour basis, if required. The control room shall be ergonomically designed and
shall be located in a secure area. Live monitoring shall be real time and of high resolution. The
resolution of the monitors shall exceed the highest resolution camera used. The number of monitors
in the control room will depend on the number of cameras, and the alarm integration with other
security systems. Alarm integration shall present alarms both visually and audibly to the operators.
• Alarm messages queued in the order of their arrival and processed based on priority levels in
the queue.
• Automatic / Manual pop up of video and alarm on site maps within the operator Graphic User
Interface (GUI).
The latency from trigger of alarm to automated action and display shall not exceed 200ms. The
operator shall be able to manually control any alarm processing regardless of the level of
automation.
Only designated people will be able to view and control live and recorded video both locally within
the facility and remotely outside the facility.
Cameras shall be recorded locally within the facility at camera's native resolution /12FPS for a period
of 90 days. The recording solution shall support any or all of the following compression standards
MJPEG/MPEG4/H.264. The recording solution shall support continuous, motion and alarm based
recording. The recording solution shall have 25% expansion capability to accommodate any future
changes in recording quality or camera quantity.
The storage calculation for recorded video shall be certified by the manufacturer and shall be
available for verification. Redundancy shall be incorporated into the recording design (Not
Mandatory and only Optional). Redundancy shall be considered at storage (Min. RAID 5 with hot
standby HDs) and at recorder level. Recorder level redundancy shall be such that failure of a
recorder shall not affect the overall recording of cameras and options such as automatic
redistribution of cameras from the failed recorder to a standby recorder or to other active recorders
shall be considered.
A data authentication method (e.g. watermarking, checksums, fingerprinting) shall be applied to image
data and metadata at the time of recording. Further, the CCTV system shall provide a method to verify
the authenticity of the copied and exported data.
Recorded video shall have camera number, date/time and location stamp on the video. The recorder
shall support recorded video search based on camera number, time/date, bookmarking and alarms.
The export of user selected video to external storage medium such as CD/DVD/USB, etc. shall be
supported. Export of video shall not alter the original recording. The exported video or a single
image shall be complete with video source identifiers and time and date stamp. The playback
software to manage and control the exported video on any standard computer shall be automatically
included with the exported video. Exported video shall be in its native format with watermarking.
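One way to meet the recording-time authentication and export-verification requirements above, shown as an added example that is not part of the ADEC specification or any vendor's product: a keyed checksum (HMAC-SHA-256) over each segment's image hash and metadata, chained to the previous segment. The key, the segment field names and the sample data are constructed assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the very first segment a recorder writes


def seal(key, meta):
    """HMAC-SHA-256 over a canonical JSON encoding of one manifest entry."""
    canonical = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(key, segments, prev_tag=GENESIS):
    """Seal each segment at recording time: image hash + metadata + previous tag."""
    manifest = []
    for seg in segments:
        meta = {
            "camera_id": seg["camera_id"],
            "location": seg["location"],
            "start_utc": seg["start_utc"],
            "sha256": hashlib.sha256(seg["data"]).hexdigest(),
            "prev": prev_tag,
        }
        entry = dict(meta, tag=seal(key, meta))
        manifest.append(entry)
        prev_tag = entry["tag"]
    return manifest


def verify_export(key, manifest, exported_data):
    """Check an exported clip against its manifest; an empty list means intact."""
    problems = []
    if len(manifest) != len(exported_data):
        problems.append("segment count does not match manifest")
    # A range export may start mid-chain, so anchor on the first entry's 'prev'.
    prev_tag = manifest[0]["prev"] if manifest else GENESIS
    for i, (entry, data) in enumerate(zip(manifest, exported_data)):
        meta = {k: v for k, v in entry.items() if k != "tag"}
        if not hmac.compare_digest(seal(key, meta), entry["tag"]):
            problems.append(f"segment {i}: metadata does not match its tag")
        if entry["prev"] != prev_tag:
            problems.append(f"segment {i}: chain broken, segment missing or reordered")
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"segment {i}: image data altered")
        prev_tag = entry["tag"]
    return problems


# Constructed sample: three short "video segments" from one camera.
KEY = b"constructed-demo-key-held-by-the-recorder"
SEGMENTS = [
    {"camera_id": "CAM-01", "location": "Main entrance",
     "start_utc": f"2013-10-01T08:00:{s:02d}Z", "data": bytes([s]) * 32}
    for s in (0, 10, 20)
]
MANIFEST = build_manifest(KEY, SEGMENTS)
CLIP = [seg["data"] for seg in SEGMENTS]

if __name__ == "__main__":
    print("intact export:", verify_export(KEY, MANIFEST, CLIP))
    print("edited frame data:", verify_export(KEY, MANIFEST, [CLIP[0], b"\xff" * 32, CLIP[2]]))
    print("middle segment cut:", verify_export(KEY, [MANIFEST[0], MANIFEST[2]], [CLIP[0], CLIP[2]]))
```

Segments trimmed from the start or end of a clip are not detected by the chain alone, so the requested time range should be recorded with the export. Verification with HMAC needs the recorder's key; a digital signature would be the substitute where a third party must verify without it.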
All security systems including CCTV, Intrusion Detection System, Access Control System, etc. shall
be time synchronized. Time and date information on the recorders shall be checked regularly for
accuracy and shall be synchronized automatically.
On request from Abu Dhabi Police / Abu Dhabi Education Council (ADEC), the contractor shall
provide video recording or still images of any camera view either as a soft or a hard copy in 6" x 4"
format.
2.1.5 Lighting:
Well-maintained, balanced lighting shall be available at areas within the camera's field of view.
The following site conditions shall be the key elements that drive the selection of camera, location and
type of additional illumination.
• Backlighting
The lighting in the camera's field of view shall enable the camera to give an acceptable picture under all
environmental and working conditions. The maximum to minimum illumination ratio available in the
camera's field of view shall be better than 4:1. The camera's sensitivity and spectral response shall
match the lighting source spectrum. Additional lighting shall be considered where camera picture
quality is impaired due to the existing lighting conditions. The selection and positioning of visible or
non-visible lighting shall meet the safety requirements that prevent eye damage. The light source shall
be away from the camera and near to the object or area that is monitored by the camera. IR
illuminators shall be provided for locations where lighting cannot be maintained.
2.1.6 Transmission:
The bidder shall implement video transmission system based on the CCTV system designed for the
facility. IP network shall be used for CCTV application.
• Shared transmission infrastructure is not recommended, unless the data security and
performance of the CCTV system is guaranteed, irrespective of the performance and load
of other systems on the shared network.
For schools, the IDS may not be required since the assigned security personnel would be available to
attend to the alerts from the CCTV Monitoring System. If required, they shall contact ADEC for
the necessary requirements, which are approved by Abu Dhabi Police.
Cameras shall be installed in protective enclosures at locations and heights not easily accessible.
Enclosures shall be rated to prevent ingress of dust, dirt, moisture and the like that could affect the
operation of the camera. Vandal-proof housings shall be used for cameras installed at heights
accessible to people. Outdoor camera enclosures shall be minimum IP65 rated with sun shroud.
CCTV equipment shall be installed in lockable racks/cabinets in secure risers/rooms. Equipment
installed outdoors shall be rated for use in extreme UAE weather conditions. A properly rated outdoor
enclosure shall be provided to house field power and transmission equipment. The outdoor enclosure
shall be designed with sun shade and a suitable cooling mechanism. Camera locations shall satisfy
the recommended observation criteria defined for that camera. Selection of camera location shall
also consider factors such as lighting conditions, seasonal foliage obstructions, temporary or
permanent man-made obstructions, etc. Permission from Abu Dhabi Police or another competent
authority is required for installation of covert/camouflaged cameras and outdoor cameras that may
potentially breach the privacy of the neighboring property.
2.1.9 Power:
CCTV equipment including cameras and servers shall be on essential supply with an additional
UPS backup of minimum 15 minutes. The 15 minutes backup is based on the condition that the
generator will start within 10 minutes of the mains failure.
For locations where the generator start-up cannot be guaranteed or with no generator, a UPS with
minimum 2 hours backup shall be provided.
Security systems shall be designed for 24/7 operation. In case of power failure, security systems
shall restart automatically on restoration of power without human interaction.
If power outlets and power supplies are required near field devices, they shall be mounted in fully
enclosed enclosures at heights not accessible to the general public. External exposed wall-mounted
power outlets and/or power supplies are not acceptable. Camera lighting shall be on
generator/essential power.
2.1.10 Maintenance
The respective security system supplier shall have either trained maintenance staff or a formal
maintenance contract with companies specialized in security systems maintenance.
The maintenance contract shall include both on-call and preventive maintenance. On call response
time shall not exceed 2 hours. A clearly defined preventive maintenance schedule shall be followed
and maintenance reports shall be maintained at all times.
Routine performance checks of the security system shall be the responsibility of the respective
school. A maintenance register shall be maintained to register all security equipment failure, with
details on date & time of failure, type of failure, action taken, date of certification, etc. All failures and
intentional stoppage of the security system shall be reported to concerned government authorities in
writing.
Maintenance report, contract and register shall be made available to concerned government
authorities on request.
• Inspection and confirmation of correct operation of all CCTV equipment, including time
synchronization of various security equipment, recording and storage
• Rectification and/or reporting of site conditions that may affect the original intended performance or
purpose of the camera.
2.1.11 Documentation:
Respective contractor shall deliver the following documents on project hand over to ADEC and a
copy should be kept in the school to be made available to government authorities on request.
• Maintenance contract
• Trade license
• As Built Drawings
• Maintenance Manuals
• Operational Manuals
• List of people/offices having access to live and recorded video
• Risk assessment report
Control room shall have laminated site plan with camera icons and identification numbers.
2.1.12 Training:
Operators shall be trained for normal day-to-day operation of the CCTV system and for event
response. ADEC-nominated technical staff shall be formally trained on the system installed at the
facility, to perform system health checks, review video recordings and export them to external media
(CD/DVD/USB flash), etc. if required.
2.1.13 Signage:
Advisory CCTV signage shall be erected in locations that make all people entering the facility
aware that a CCTV system is in operation. The signage shall clearly state "CCTV Cameras in
operation" in both English and Arabic with a picture/icon of a camera.
The locations, observation criteria and surveillance requirements listed below shall be covered
initially by cameras; additional CCTV requirements will be based on the risk assessment of the team,
based on past experience and lessons learned.
No. | Location | Observation criteria | Surveillance requirements
1 | Student Pick up & Drop off | Recognize | Vehicle number plate, type and color of vehicle, passenger and overview of surrounding area. Fixed cameras
a | Main entrance | Identify | Both entry and exit view. Fixed cameras (WDR & IR)
b | Reception lobbies | Recognize | Fixed cameras and PTZ cameras for general surveillance
a | Access points to all school buildings | Recognize | Entry & exit view - Fixed cameras (WDR & IR)
5 | Elevator Lobbies | |
a | Elevator lobbies in BOH, FOH and Car park where entry & exit from building is possible | Recognize | People entering and exiting elevators – Fixed cameras
6 | Circulation Corridor | |
7 | Emergency Exit | |
a | Emergency exits on all school buildings where entry & exit from building is possible | Identify | Entry or exit view based on the direction of emergency exit. Fixed cameras (WDR & IR)
2.2 Technical Requirements as per Abu Dhabi Monitoring & Control Center (MCC)
2.2.1 General
In order to increase the security and safety of the UAE, the MCC is requesting all the educational
institutions and their transport in the Emirate of Abu Dhabi to enhance their CCTV systems in order
to meet the operational and technical requirements and to integrate them with the existing systems
(if required).
These are the technical requirements provided by the Monitoring and Control Center, in case it requires
the schools to be connected to it for on-demand monitoring.
The ADEC schools shall meet all the technical requirements mentioned below while designing and
implementing the system.
2.2.2.1 Cameras/Encoders
• IP Cameras/Encoders shall be compliant with H.264 base encoding profile.
• Each camera/encoder channel must be configurable with single dedicated IP address.
• IP cameras/encoders must support security features like HTTPS and 802.1x standards.
• The encoder/ IP camera shall be able to automatically start streaming according to last
known configuration when it is restarted/reset/rebooted.
• Cameras must support resolution from CIF to 4CIF/HD.
• HD quality day/night cameras with WDR above 120 dB and with backlight compensation
should be required for the main areas like Main Reception/Front Desk, main lobby, main
entrance, drop-off area, parking entrances/exits, kitchen main entrance door and CCTV
monitoring room entrance.
• I-Frame rate shall be at least one I-Frame once in every 1-4 seconds.
• FPS shall be selectable from 12 - 30 frames per second to allow proper video analytics of
the stream.
• Camera/Encoder streams shall be streamed as Transport RTP/UDP.
• Cameras/Encoders/VMS must support multicast streaming and the multicast addresses
will be defined by the MCC.
• IP cameras/Encoders shall not require having a heartbeat sent to video management
system.
• IP cameras/Encoders must support stamping on the live stream with camera location ID,
date and time.
• IP cameras/Encoders shall be synchronized to GPS time (NTP or similar based).
• VMS must support Multicast streaming and external connection by a defined ICD (Interface
Control Document).
• VMS must allow connection to other systems through an IP based WAN or LAN.
• The VMS shall support providing a list of connected cameras to an external interface.
• The system shall support parallel REALTIME transition and transition of recorded replay.
• The VMS shall have the ability to stream in REALTIME the video of selected cameras/a
group of cameras/the whole cameras configured to VMS.
• The VMS shall have the ability to stream RECORDED channels of selected cameras/a
group of cameras/the whole cameras configured to VMS.
• The system shall allow selection of the required cameras to be transmitted based on the
camera ID (Name, Identification ....)
• The system shall allow selection of the required cameras to be transmitted based on a
defined time period (from [date], [hour], [min], to [date], [hour], [min])
• The system shall include the video metadata of the cameras in the video transmission:
1. Location
2. Time stamp
3. Other recorded information
• The Local CCTV system shall be synchronized to GPS time (NTP or similar based).
• The broadcast process shall maintain the native camera performance (resolution,
frame rate, colored / B&W).
• The VMS vendor's support for at least 3 years from the system commissioning, or
upgrading the system to the latest VMS version supported by the vendor.
• The VMS system vendor shall use a standard tool for replay of the video, or shall provide
the replay tool with its ICD.
• The Vendor/MCC shall supply the ICD, and MCC will determine whether it complies with
the OA. If it complies, MCC will approve it.
• The VMS shall support standard compression format H.264/MPEG-4 for the broadcast
video or lossless conversion to a standard compression format.
• The VMS should stream the video in real time and recorded, in a standard non-encrypted
RTP/UDP protocol.
2.2.2.3 Servers
• The servers must be equipped with dual processors, dual power supplies and minimum
1Gbps dual communication uplinks to the network without any single point of failure.
• The servers designed must support failsafe by providing redundant/failover servers
for recording and management.
• The storage units must be equipped with dual processors/controllers, dual power supplies
and dual network uplinks to NAS/SAN switches without any single point of failure.
• The recording system should be a unified NAS/SAN with minimum RAID5 or above
configured.
• The School is required to record on their DVRs/NVRs and to retain these recordings for a
defined period listed by the MCC.
• The hard disks required for recording must be enterprise level with minimum 7200
rpm.
• Whenever the system dedicated cabinet for integration is opened (by means of a system
cabinet tampering switch- an HW switch that indicate whenever the cabinet is Opened or Closed)
3. Supply of all specialist equipment or system specific tools required to operate and maintain
the system
4. Coordination with the respective school’s on-site personnel for the design and
implementation of the solutions
5. Project management as per the PMO Requirements
6. Training for School staff (Technical and end users)
7. Warranty and support services shall be for 3 Years
8. The bidder should note that the CCTV cameras should cover the corridors, open spaces /
grounds / play areas, auditoriums, sports halls, cafeterias, any hidden areas, school
entrances & exits, stairs entry/exits, school gates, etc.
9. The bidder shall configure the required grid view on the school principal / vice-principal /
security guard’s workstations and provide the required training along with the quick reference
manuals.
10. All the Cameras should be protected from unauthorized access on the network and should
be accessible only through proper credentials. All the unnecessary services should be
stopped as per General ICTs Security Requirements on both the cameras and the related
servers.
11. As part of the Site-Survey, the bidder shall update and submit CAD diagrams with Camera
location and the respective bandwidth calculation reports.
12. The NVR server shall support internal storage of at least 20TB (internal)
and should be rack mountable and mounted on the respective school’s ICT-specified rack
units in the MDF only. No other accessories will be allowed to be kept outside without proper
mounting panels. The bidder should consider avoiding additional separate SAN storage servers.
13. The Retention period of the CCTV footage should be 6 months in 8 - 15 fps.
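The access-control points in item 10 and the camera requirements in 2.2.2.1 (HTTPS, 802.1x, time synchronization) can be checked as a repeatable audit; the following is an added example, not part of the specification. The inventory field names, the service allowlist, the NTP address and the sample cameras are hypothetical and constructed, and treating HTTPS and 802.1x as required-enabled is an assumption, since the specification only requires that cameras support them.

```python
# Constructed inventory; the field names are hypothetical, not a vendor export format.
CAMERAS = [
    {"name": "CAM-ENT-01", "https": True, "dot1x": True, "ntp_server": "10.0.0.1",
     "anonymous_view": False, "default_password": False,
     "services": ["https", "rtsp", "ntp"]},
    {"name": "CAM-COR-07", "https": False, "dot1x": False, "ntp_server": None,
     "anonymous_view": True, "default_password": True,
     "services": ["http", "telnet", "rtsp", "bonjour"]},
]

# Assumed site policy: the specification refers to "General ICTs Security
# Requirements" for what counts as unnecessary; this allowlist stands in for it.
ALLOWED_SERVICES = {"https", "rtsp", "ntp"}
SITE_NTP = {"10.0.0.1"}  # constructed address of the site time source


def audit_camera(cam, allowed_services, site_ntp):
    """Return the findings for one camera; missing fields fail closed."""
    findings = []
    # Item 10: accessible only through proper credentials.
    if cam.get("anonymous_view", True):
        findings.append("viewable without credentials")
    if cam.get("default_password", True):
        findings.append("factory-default password not changed")
    # Item 10: all unnecessary services stopped.
    extra = sorted(set(cam.get("services", [])) - set(allowed_services))
    if extra:
        findings.append("unnecessary services running: " + ", ".join(extra))
    # 2.2.2.1: HTTPS and 802.1x (assumed here to be enabled, not just supported).
    if not cam.get("https", False):
        findings.append("management interface not on HTTPS")
    if not cam.get("dot1x", False):
        findings.append("802.1x port authentication not enabled")
    # 2.2.2.1: cameras synchronized to a common time source.
    ntp = cam.get("ntp_server")
    if not ntp:
        findings.append("no NTP server configured")
    elif ntp not in site_ntp:
        findings.append(f"NTP server {ntp} is not a site time source")
    return findings


def audit_inventory(cameras, allowed_services, site_ntp):
    """Map camera name -> findings, listing only cameras that have findings."""
    report = {}
    for cam in cameras:
        findings = audit_camera(cam, allowed_services, site_ntp)
        if findings:
            report[cam["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(CAMERAS, ALLOWED_SERVICES, SITE_NTP).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```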
The security system for ADEC Schools shall be user friendly and in harmony with the environment
of the school buildings. It is imperative that the field devices such as CCTV cameras blend with the
interior design of the building blocks. CCTV Camera Coverage is required for critical areas,
entrances, exits to monitor & secure the school building. Bidder shall evaluate with optimized count
and type of cameras based on site inspection for every school.
The buildings will require an Integrated Security System that is integrated with other third party
systems (BMS, Access Control etc) in future. The security systems design shall enable the security
of the building to be monitored within the Security Control Room and various Security Monitoring
Stations.
CCTV system shall enable continuous monitoring of dedicated areas, considered necessary for
safety and operational needs. The system must have the capability of local and remote monitoring.
All cameras must be IP based, some are day/night or Infrared type, high-resolution or better. Where
applicable, cameras shall be equipped with pan, tilt and zoom, if required. It should be easy to
configure the user interfaces with priority and restriction to access camera functions and selections.
Transmission shall be IP based and the system shall be interfaced / integrated to the main server /
streamer.
The intent of this section is to specify the minimum Indoor IP Camera with embedded IR.
General specifications:
A. Interior cameras installed in areas with suspended ceiling, fixed tile or dropped grid shall be
provided in tamperproof dome enclosure with a protection class of IP66 mounted in the
ceiling. Additional tile or grid supports shall be provided to assure a solid installation. The
ceiling enclosure shall be fastened by a safety wire(s) attached to a secure building
structure that will help prevent accidental or unauthorized removal.
B. External cables shall be fully enclosed in flexible protective armor, from the camera mount
and enclosure back box to wall or ceiling mounted junction boxes.
C. Interior cameras installed in areas without suspended ceilings (or where a ceiling mount
would not be appropriate) shall be mounted with ¾” rigid pipe.
D. All external cables shall be fully enclosed in flexible protective armor or electrical conduit,
from the camera mount and enclosure back box to wall or ceiling mounted junction boxes.
All cable must be run by CAT6.
E. Camera wall mount shall be securely fastened to the wall with suitable anchors that shall
support the total camera structure without causing damage to the wall surface.
1. The system shall provide high-resolution, real-time video images, encapsulated in Internet
Protocol (IP) packets and presented through a 10/100BASE-T RJ-45 Ethernet network
connections.
2. The system shall provide dual video streams where each video stream can be configured
with individual resolution, quality, and frame rate settings.
3. The system shall provide options for constant bit rate (CBR) or variable bit rate (VBR) with
ceiling.
4. The system shall be capable of detecting activity within a pre-defined area of the image and
issuing notifications as a result.
5. The system shall support the following protocols: Dynamic Host Configuration Protocol (DHCP),
Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), Network Time Protocol (NTP),
Real-Time Transport Protocol (RTP), Real-Time Streaming Protocol (RTSP), Simple Mail
Transfer Protocol (SMTP), Secure Sockets Layer/Transport Layer Security (SSL/TLS),
Transmission Control Protocol/Internet Protocol (TCP/IP), Secure Real-Time Transport
Protocol (SRTP), Cisco Discovery Protocol, Bonjour, Simple Network Management Protocol
(SNMP), and Secure Shell (SSH).
6. The system shall also support Cisco Discovery Protocol (CDP), Bonjour Zero-Configuration
discovery or an equivalent industry standard protocol.
7. The system shall provide quality of service (QoS) tagging based on IEEE 802.1p and
DiffServ standards.
8. Support for Micro SD local storage is optionally preferred. In case of NVR failure,
the camera shall record to the local storage.
9. Image control features shall include automatic white balance (AWB), automatic gain control
(AGC), automatic exposure shutter (AES), and auto/manual iris.
10. The system shall be capable of receiving firmware upgrades over the IP network.
11. The system shall provide one (1) alarm inputs and one (1) output, logic level programmable
or any other feature satisfying this requirement shall be considered.
12. System software shall allow configuration support for:
a. user definable detection areas
b. Time, date, and camera ID overlay
c. Selection of bit rate (constant or variable)
d. IP filtering: allowed or blocked addresses
13. IE 8.x or later browser configuration
14. The camera shall be able to be configured to synchronize its internal date and time to a
designated NTP server.
15. Access to the camera through the network shall be controlled by two user levels of
protection. Each level shall have its own configurable login credentials and provide
configurable privileges, which control access to camera features.
16. The camera shall provide a monochrome night mode operation. The camera shall provide
day/night functionality through an IR filter that automatically switches to night mode in
low-light scenes. This function shall be configurable to be manual, automatic, or scheduled
control.
17. The camera shall support Power over Ethernet (PoE) 802.3af, or through an optional
external power supply.
18. The network camera shall provide a Web client interface that can be used to view live and
recorded video, review and control relays and alarms, review and acknowledge events,
configure the gateway, and configure gateway users.
19. The network camera shall provide recording up to the following frame rates and resolutions:
NTSC: 1280 X 960 @ 15fps and 1280 X 720 @ 30fps OR PAL: 1280 X 920 @ 12.5fps and
1280 X 720 @ 25fps or minimum of 1280 X 800 @ 30fps, 1280 X 720 @ 30fps (720p)
20. The network camera shall communicate with Microsoft® Internet Explorer® 6.0 or higher
or any other web browser.
21. Video from the IP camera shall be compatible with Microsoft Windows® systems.
22. The network camera specified shall be an industrial grade, color, full-featured, high-speed at
least 1.3 megapixel network camera. The product is designed to meet or exceed industrial
and surveillance applications requiring a low power, low luminosity, environment resistant,
rugged video camera with IP network capability. It must be IEEE 802.3af Power-over-
Ethernet ready.
23. The network camera shall meet or exceed the following design and performance
specifications:
24. The high-resolution color camera specified shall incorporate a 1/3” or minimum 1/4” 1.3
Megapixel image sensor and a mechanical ICR varifocal lens.
25. Minimum light requirement to produce an image shall be approximately 0.06 lux @ 10 IRE;
0.24 lux @ 50 IRE (Color mode: F1.2 @ 0.4 lux, Black and white mode: F1.2 @ 0.2 lux)
26. The camera shall provide an Auto Electronic Shutter (AES), 255 levels of sensitivity for
sharpness, saturation, brightness and contrast.
27. The cameras shall provide intelligent video. This includes Audio detection/Blur detection/ e-
PTZ/ Mirror/ Flip/ System log/ Snapshot/ CBR/VBR.
28. The manufacturer shall offer optional, licensable recording and playback software that
allows images to be recorded to an external server.
29. Images may be stored at a fixed periodic record rate and/or when triggered by motion
and/or external input. Playback shall allow all images recorded to be viewed forward or
backward in time with the licensable recording and playback software.
30. The camera shall record images as H.264, MPEG4 or Motion JPEG.
31. The camera shall provide integrated support for TCP/IP, UDP, HTTP, FTP, DNS, DHCP,
NTP, RTP, RTSP, ICMP, uPNP or any equivalent automatic discovery protocol.
32. The camera shall be capable of displaying streaming of an image simultaneously. Video
stream shall be selectable as main stream or sub stream.
33. No unique or proprietary client software shall be required for viewing or controlling the
camera.
34. General Camera Specs:
Image system
Image sensor: 1/3” or 1/4” 1.3 MP image sensor
Effective pixels: 1280 (H) X 1024 (V) or Minimum 1280 X 800
Image Compression Method: Triple Streaming: H.264/MPEG4/Motion JPEG
Image frame rate: up to 1280 X 960 @ 15fps, 1280 X 720 @ 30fps, 1280 x 800 @ 30 fps,
1280 x 720 @ 30 fps (720p)
37. Warranty:
Three years labor and parts
o. Status Indicators
a. Power
b. Ethernet activity
In addition to the specification requirements mentioned under 2.2.1 (Indoor Camera), the indoor
speed dome shall meet the following minimum requirements;
The intent of this section is to specify the minimum criteria for Outdoor IP Camera with embedded
IR.
General specifications:
A. Exterior cameras installed in areas of the school with pendant wall mount shall be provided
in tamperproof dome enclosure with a protection class of at least IP66 or more. Additional
tile or grid supports shall be provided to assure a solid installation. The ceiling enclosure
shall be fastened by a safety wire(s) attached to a secure building structure that will help
prevent accidental or unauthorized removal.
B. External cables shall be fully enclosed in flexible protective armor,
C. All external cables shall be fully enclosed in flexible protective armor or electrical conduit,
from the camera mount and enclosure back box to wall or ceiling mounted junction boxes.
All cable runs must use Ethernet CAT6.
D. Camera pendant wall mount shall be securely fastened to the wall with suitable anchors that
shall support the total camera structure without causing damage to the wall surface.
1. The network camera shall provide a Web client interface that can be used to view
live and recorded video, review and control relays and alarms, review and
acknowledge events, configure the gateway, and configure gateway users.
2. The network camera shall provide recording up to the following frame rates and
resolutions NTSC: 1920 X 1080 @15fps and 1280 X 720 @30fps or PAL: 1920 X
1080 @12.5fps and 1280 X 720 @25fps or 1920 x 1080 @ 30 fps (1080p), 1280 x
720 @ 30 fps (720p) or equivalent.
3. The network camera shall communicate with Microsoft® Internet Explorer® 6.0
or higher or any other web browser. Video from the IP camera shall be compatible
with Microsoft Windows® systems.
4. The network camera specified shall be an industrial grade, color, full-featured, high-
speed 2.0 megapixel network camera. The product is designed to meet or exceed
industrial and surveillance applications requiring a low power, low luminosity,
environment resistant, rugged video camera with IP network capability. It is IEEE
802.3af Power-over-Ethernet ready and can also be powered directly. The camera
shall include a NTSC/PAL analog public view output.
5. The network camera shall meet or exceed the following design and performance
specifications:
a. The camera should have built-in IR.
b. The infrared distance shall be min 25 meters (80 feet), preferably 30
meters, based on the IR reflective properties of objects in view.
c. The high-resolution color camera specified shall incorporate a 1/3” or at
least 1/2.7” - 2 Megapixel image sensor and a mechanical ICR varifocal
lens.
c. Protocols: TCP/IP, UDP, HTTP, FTP, DNS, DHCP, NTP, RTP, RTSP,
ICMP, uPNP or any equivalent automatic discovery protocol
d) Power Specification:
a. Power requirement: DC 12V & AC 24V ± 10% / POE
b. Power connector: Screwless terminal block
c. Power consumption: MAX 5W
e) Infrared specifications
a. Infrared LED x24
b. Distance minimum ~25m (82ft) object-dependent
c. Wavelength 850nm
d. LED life over 10000 hours @ 50ºC/122ºF
f) ENVIRONMENTAL SPECIFICATIONS
a. Operating temperature: -20ºC ~ 50ºC (-40ºF ~ 122ºF)
b. Operating humidity: 10~90% RH
c. Storage temperature: -20ºC ~ 60ºC (-4ºF ~ 140ºF)
g) Physical Specification
a. Protection Class : Vandal Resistant, at least IP66 or more
h) CERTIFICATIONS
a. FCC, CE, RoHS
i) Warranty: Three years labor and parts
In addition to the specification requirements mentioned under 2.2.3 (Outdoor Camera), the outdoor
camera shall meet the following minimum requirements;
The intent of this section is to specify the minimum criteria for the design, configuration, installation,
and administration of the Video Surveillance Management System and its solution modules.
The Video Surveillance Management System is a platform solution optimized for applications to
view, store, and manage real-time and recorded video in a networked environment. The system
uses an open suite of URL-based programmatic interfaces to communicate with applications. The
Video Surveillance Management System provides a highly scalable and reliable platform to enable
customized, network-based surveillance applications.
The system shall manage storage of real-time video at any specified frame rate, duration, and
physical location on the network. The system shall provide flexible archiving capability in terms of
frame rate, duration, and location and shall utilize dynamic file allocation to ensure that the full
duration of the selected video stream will be recorded, regardless of lighting condition, motion, or
scene detail. It shall support access to the archived video, to seek to any point in the archive, to set
the pre and post time, and to loop that segment of the archive. The system will allow for redundant
multi-site video storage. The system shall provide a Management Console that shows the status of
CPU, Memory, Disk Usage, and traffic analysis. The system shall provide for automated discovery
and configuration of endpoints. The system shall provide for integration with other software
applications through an open and published Application Programming Interface (API) and shall
provide integration of any 3rd party IP camera in the market. Such applications shall include, but not
be limited to, access control, video analytics, and other alarms and sensor inputs. The system
analytics shall also be customizable by adding more features based on the schools' demand in the
future. The system shall be capable of running on a single physical server or distributed across the
network, scaling to handle thousands of cameras and users. The system shall provide for or have
the capability of interoperating with the functional modules providing the capability for multiple web-
based display consoles to configure, manage, display, and control video throughout the IP network;
multiple options to store video and audio; virtual matrix switching; client PC viewing; and, remote
encoding and storage.
The Video Management System (VMS) software shall have features for viewing live and recorded
video from IP cameras and video encoders connected to the local and wide area network. The VMS
software shall have a Client-Server based architecture that can be configured for large multi-site and
multiple server installations. Multiple client workstations shall be capable of simultaneously viewing
live and/or recorded video from a single or multiple servers. Multiple servers shall also be able to
simultaneously provide live and/or recorded video to a single or multiple workstation(s).
The intent of this section is to specify the minimum criteria for the design, configuration, installation,
and administration of the NVR and its solution modules.
The Servers should be designed to meet the performance and storage requirements of enterprise
video surveillance deployments. Intel® processors, multi-NICs, and hardware with a RAID5* option
are available. Front-accessible swappable hard drive storage ensures always-on recording, and
provides for future storage expandability. Enterprise-class hard drives ensure maximum reliability
and speed.
All Servers should come with the operating system and the VMS application pre-configured on the
drive, for plug-and-play operation. Servers should be scalable and must have the option to add
storage with external storage devices.
The servers must be equipped with dual processors, dual power supplies and minimum 1 Gbps dual
communication Uplinks to network without any single point of failure. The servers designed must
support failsafe by providing redundant/fail over servers for recording and management. The CPU
load of servers must not exceed an average of 70%.
features
7. Motion Detection: Built-in motion detection for each camera to start recording or to increase
the recording rate of the system
8. Motion Areas: Selectable detection area and sensitivity for each camera.
9. Languages: English and Arabic
10. Alarm/Motion Activation: Alarm input will start the unit recording or, if already recording,
can increase the recording frame rate.
11. Pre-Alarm/Motion Recording: Records images for up to 10 seconds before the alarm sensor is
activated and/or up to 30 minutes after (optional).
12. Bandwidth Throttling: Network throttling of transmitted video from 64 KB to unlimited
13. Alarm History Log: Available through a query
14. Remote Control: Full remote control operation of pan, tilt, and zoom (PTZ) functions through
TCP/IP network with PC or Web client.
15. LAN/WAN Connection: Software and hardware are provided for viewing and controlling NVR over
the network, including an exclusive remote-to-server connection feature.
16. Video Quality: High-quality video recording of at least 720x480; supports NTSC or PAL video.
17. Backup: A scheduled backup management system is provided to back up data to external devices
that are mapped to the server (CD, NAS or other storage devices) without interrupting hard disk
recording. Backup can also be done on a schedule basis according to scheduling from web portal.
18. Hard Disk Drives: 24TB storage capability or archiving on external fiber channel connected
storage arrays
19. Programming: On-screen programming and operation through a keyboard or mouse.
20. Digital Zoom: Digital zoom of the image on the screen during live and playback modes.
21. Authentication: Software is provided for image verification of each image recorded.
22. Help system: Provides a built-in help system containing the information manuals needed for
faster reference by the user, at both the server and remote client.
23. View Favorites: Provides a mechanism to bookmark video events, name them, and retrieve by name.
24. Digital Zoom Indicator: Zoom functions in playback mode and provides a zoomed indicator up to
32X, and then returns to original resolution.
25. Instant Playback Feature: Provides the option of searching single or multiple cameras on Live
screen at different times within the current calendar day (24 hour time period).
26. Video Loss Detection: Video loss events are linked to alarms that can trigger a relay and send
an email notification.
27. ATM/POS COM PORT: Data interface support for up to 8 ATM/POS/Card Access
2.3.7 Storage
The system shall be designed with 6 months video storage with the recording parameters below and
must have extremely smooth and fast write streaming performance while eliminating video frame
loss; it should have the option to eliminate all the locking latency during multiple accesses. The
video storage servers must have the ability to eliminate file system fragments and multi-stream
read-head for fast and smooth read performance and drive self-healing. Bidders must provide a
GUI-based monitoring tool for performance monitoring to ensure QoS.
The storage units must be equipped with dual processors/controllers, dual power supplies and dual
network uplinks to NAS/SAN switches without any single point of failure. The recording system
should be a unified NAS/SAN with minimum RAID5 or above configured. The Source is required to
record on their DVRs/NVRs all the Source channels and to retain these recordings for a defined
period (90 days).
The System is required to keep a detailed log file and to send alerts in the following events:
Whenever the system dedicated cabinet for integration is opened (by means of a system
cabinet tampering switch, a HW switch that indicates whenever the cabinet is opened or
closed)
Below is the list of manufacturers that are pre-approved for the different components of the project.
The Bidders should comply and respond only with these approved manufacturers.
Security Systems
CCTV Equipment:
o Cisco
o I3 International
o Pelco
o Bosch
o Axis
o Sony
o Samsung
o Honeywell
o Any Other US-Canada / UK / Europe Brands
Information & Communication Technology (ICT) Division
October 2013
Version 1.1
Abu Dhabi Schools ICT Infrastructure - Passive Components – Design Guidelines
Revision History
Revision Number | Revision Date | Summary of Changes | Author(s)
Reviewers
Approvals
Table of Contents
1 INTRODUCTION
Abu Dhabi Schools ICT Infrastructure - Passive Components – Design Specifications
1 INTRODUCTION
The Intermediate Distribution Frame (IDF) must adhere to the Specifications depicted in Figure 2 below.
The contractor should take into consideration the USB cable length limitation of 5.4m.
ADEC also uses interactive projectors in some of its schools. The same practice for the
cable/cable trunks for interactive boards will be applied. External trunking/exposed wires are not
allowed.
Information & Communication Technology (ICT) Division
October 2013
Version 1.2
Abu Dhabi Schools ICT Infrastructure - Passive Components – Data Outlet Distribution Specifications & scope
of work
Revision History
Revision Number | Revision Date | Summary of Changes | Author(s)
Reviewers
Approvals
Table of Contents
1 INTRODUCTION
Abu Dhabi Schools ICT Infrastructure - Passive Components – Data Outlet Distribution Specifications
1 INTRODUCTION
2 GENERAL GUIDELINES
Outlet Distribution
o At any given point the distance between the IDF and a network point will not be more than 90
meters. Data outlet points exceeding 90 meters will be discussed with ADEC, especially
where it affects the functionality of the area. WAP devices over 90 meters from the IDF
will be reviewed between the contractor and Cisco.
o All Security rooms within a school that are more than 90 meters from the nearest IDF
will not be cabled for data outlets & WAP. Only those within the 90 meter range can be
cabled.
o The outlet distribution specifications table is to be implemented based on room usage
and not room naming, since some of the names are out of date.
o The Contractor will follow the outlet distribution specifications table during the site’s
implementation. Any variance in these guidelines will have to go through a change
request process.
o The contractor will identify the locations of all network points and provide the required
details in a consolidated report “Data outlet distribution report” to ADEC for approval
before starting the implementation phase.
o The outlet distribution per room will be based on the ADEC specifications shown in “Table
2” below.
Administration Space
Principal office 2 0
Vice Principal office 2 0
Secretary room 2 0
Teachers office 1 per workstation 1 Dual data point per seat (workstation); one single point for
MFP or scanner in the office
Teachers workshop 2 0
Control room 1 As per seating capacity
Meeting room 2 0 Floor box under the meeting room and connected to a decorated outlets on the table.
Supervisors room 2 As per seating capacity
Staff lounge 1 1 The single point for the LCD screen
Main Reception
Circulation Desk 2 0
Time Attendance (FPR) 0 4
LCD screen 0 1
Storage Space
Store 0 0
Music equipments store 2 0
Science lab preparation room
Archive 1 0
Janitor 0 0
WAP / CCTV
CCTV (Single) 0 1 1 single point for each POE camera
WAP (Single) 0 1 1 single point for each WAP point (total number will be defined by Cisco
“after site survey”)
Note: WAP and IP-CCTV points are considered single outlets, but where two such points are within
1 meter of each other, one dual outlet shall be provided.
o Staircase located in open area between classes (one CCTV on the first floor and one
CCTV on the second floor), as depicted in the snapshot below.
o Auditorium
o Sports hall
o Open ground areas (playground, assembly, football, etc...)
o Exit points
o Cafeteria/canteen
o Play ground
o Gym
No CCTV outlets will be installed to monitor outside the school premises, and no CCTV
outlets will be installed inside any internal rooms (Classroom, Teacher’s room, toilets,
changing areas, etc).
1. Height: The data outlet should be fitted within 1 meter of the location agreed with
ADEC. The FPR is fitted and made active by another vendor.
2. Drawings: The FPR outlet should be identified on the drawing with a unique number
e.g. FPR01, FPR02, etc. A normal single outlet symbol will do.
Time attendance machines should be located at an accessible place in the reception, not blocked by
furniture or any other fixtures.
TYPE OF ROOMS | NO. OF DUAL OUTLET / ROOM | NO. OF SINGLE OUTLET / ROOM | REMARKS
Time Attendance
Main reception / staff entrance (Schools) | 0 | 4
Main reception / staff entrance (KGs) | 0 | 2
Access control
MDF room | 0 | 1
Security room “CCTV monitoring room” | 0 | 1
Science Lab preparation room “store” | 0 | 1
Examination control room | 0 | 1
Table 3: Time attendance & access control Guidelines
Information & Communication Technology (ICT) Division
October 2013
Version 3.1.1
Abu Dhabi Schools ICT Infrastructure - Passive Components – Specifications and Installation Specifications
Revision History
Revision Number | Revision Date | Summary of Changes | Author(s)
Reviewers
Approvals
Abu Dhabi Schools ICT Infrastructure - Passive Components – Specifications and Installation scope
Table of Contents
1 INTRODUCTION
1 INTRODUCTION
1. Site Floor Plan showing the schools layout, total number and placement of data points,
CCTV, Finger print, interactive boards/projectors and WAP points (to be done by Cisco).
2. MDF Rooms Layout showing the proposed location of cabinets within that room.
3. Site MDF/IDFs Physical Network Setup showing the physical layout of the cabinets,
positioning of patch panels and patch guides within the racks.
4 INSTALLATION SPECIFICATIONS
The installation phase consists of the following general, high-level steps:
Installation of MDF/IDF racks.
Installation of patch panels and patch guides
Cat6 and fibre optic cable pulling
Cat6 and fibre optic cable termination
Cat6 and fibre optic cable testing.
Labelling of MDF/IDF racks, cat6 patch panels, fibre patch panel, and patch cords
Installation of patch guides/cable managers (Horizontal/Vertical**) for Cisco equipment.
The approved site layouts and consolidated report will serve as the baseline for any school
installation.
** Contractor should provide horizontal cable manager for the calculated number of switches.
The total number of UTP (Category 6) patch cords to consider is 110% for device end patch cords
and 110% for the user end patch cords (including WAP and CCTV). This is to be distributed
equally among the different patch cord colours.
Two runs of 6 core multimode fibre optic cable or 12 core multimode fibre optic cable will be
pulled between the MDF and all IDFs to support 10-Gb in each site.
The structured cabling system will meet Category 6 requirements in ISO/IEC 11801,
CENELEC EN 50173, and TIA/EIA 568B.
Fibre Sleeves implementation shall follow standard Change Management process.
Fibre tubing will be fixed around the FO cables going into the cabinets.
A fibre tube will be fixed at the back of the vertical cable manager. This will be the route for
the fibre optic patch cords going from the fibre optic patch panel to the switches.
As per ADEC specifications, passive contractor will provide different colours of patch cords.
The details of these colours are mentioned in the VLAN type table below, the table also shows
the different room types assigned to each VLAN:
Regardless of the number of patch panels used, the switches will always be fixed at the same
reserved place in the cabinets as follows:
o In the 42U cabinets, the reserved space for the switches resides from U 22 to U 30
and all passive components can utilize the remaining free space in the cabinet
starting from the top to the bottom.
o The below rack layout for 42U cabinets depicts the above:
o In the 36U cabinets, the reserved space for the switches resides from U 16 to U 24
and all passive components can utilize the remaining free space in the cabinet
starting from the top to the bottom.
o The below rack layout for 36U cabinets depicts the above:
13. Additional UTP patch panels will be installed in the remaining cabinet space beneath the space
reserved for active components (22U to 30U), with 1U cable management between patch panels
14. Maximum of three (3) UTP patch panels will be installed in the uppermost installation point in the
36U cabinet in the 32/33U position (below the Fiber patch panels and associated horizontal cable
management) and 29/30U position and the 26/27U position.
15. Additional UTP patch panels will be installed in the remaining cabinet space beneath the space
reserved for active components (16U to 24U), with 1U cable management between patch panels
16. All UTP patch panels will be 48 port panels
17. All UTP patch panels will be separated by a 1U horizontal cable manager
18. All patch panels (Fiber and UTP) will be labeled as per ADEC Passive Components Labelling
Guide [1]
19. The Core Switch (Cisco Catalyst 4507R-E) must be installed at the 6U position in the cabinet in the
MDF
20. The Optical Termination Unit (OTU) must be installed at the 39U position in the cabinet in the MDF
21. The WAN Router (Cisco ISR 2911) must be installed at the 36U/37U position in the cabinet in the MDF
22. The Wireless LAN Controller (Cisco WLC 5508) must be installed at the 34U position in the cabinet in
the MDF
23. The IP Telephony (IPT) Voice Gateway (Cisco ISR 2921) must be installed at the 31U position in the
cabinet in the MDF
24. The first Access Switch (Cisco Catalyst 3750X) must be installed at the 30U position in the 42U
cabinets in the MDF
25. The first Access Switch (Cisco Catalyst 3750X) must be installed at the 24U position in the 36U
cabinets in the IDF
26. Additional Access Switches will be installed below the first Access Switch with a 1U horizontal cable
manager between each Access Switch
27. The first Power Distribution Unit (PDU) in 42U cabinets will be installed at the 16U position in the
rear of the cabinet
28. Additional PDUs will be installed below the first PDU in the rear of the cabinet with a 1U gap
between each PDU
29. The first Power Distribution Unit (PDU) in the 36U cabinets will be installed at the 10U position in the
rear of the cabinet
30. If there is an external 3G antenna for the Cisco ISR WAN Router it will be mounted on top of the
cabinet and secured to the cabinet
31. All equipment hosted in the MDF cabinet will connect directly to devices or to patch panels installed
within the MDF cabinet. No cross cabinet patching will be installed.
32. All equipment hosted in the IDF cabinet will connect to patch panels installed within the IDF cabinet.
No cross cabinet patching will be installed.
33. 1 meter and 3 meter UTP (Category 6) patch cords will be used for patching within the cabinet and
the appropriate colour used (as defined within the ADEC School Site Low-Level Design).
35. Upon completion of an installation in a cabinet, the installed equipment, power or networking
cabling or cable management, must not prevent the cabinet doors from closing correctly, and should
not present a trip hazard.
36. All cabinets in the School Site must be positioned as defined in the MDF/IDF Room Layout Guide.
37. All cabinets in the School Site must be physically stable and prevented from moving. Casters or
wheels must be set in a ‘locked’ position and cabinet feet should be adjusted so that the cabinet is
stable and unmovable.
38. All cabinets in the School Site must be physically secured. Upon completion of the installation of a
cabinet, the installed cabinet must be locked using the door lock. All keys must be handed over to
the ADEC designated School Site key holder. ADEC Security Processes to be defined.
39. All equipment must be clearly labeled as per the ADEC Passive Component Labeling Guideline.
40. Each piece of equipment installed in the cabinet must have the ADEC supplied asset tag label,
located as per the ADEC labeling specifications.
41. All cabinets in the School Site must display the appropriate signage:
Power Warning - Example 1
42. Any items (manuals etc) that need to be kept are clearly marked, and the Site Implementation
engineer has arranged for their storage or delivery to the ADSI Program team. No manuals are to be
stored in the cabinets.
43. Doors removed from cabinets must be re-installed in the cabinet from which they were removed,
before the Site Implementation Engineer leaves site.
44. Disposal of rubbish (e.g. packaging) is the responsibility of the Site Implementation engineer, unless
specifically agreed with ADEC Facilities Management, in which case rubbish should be clearly marked
for disposal.
45. The work area should be tidied at the end of each working day.
46. Each Cabinet must be fully earthed with direct links from the main busbar located in the electrical
panels supplying power to the cabinets.
The contractor should take the USB cable length limitation of 5.4m into account.
ADEC also uses interactive projectors in some of its schools. The same practice for the
cable/cable trunks for interactive boards will be applied: external trunking/exposed wires are not
allowed.
5.2 Cabling
There are two types of cabling namely the horizontal cabling that uses copper cables and the
backbone in which fibre is utilised along with the appropriate connectors.
The following are the approved cable manufacturers for ADEC:
Copper Cables
The cable used and agreed upon is CAT6.
Fibre Cable
It is fully dielectric and fitted with aramid yarn for tensile strength. The tubes are filled with gel for
protection against water. Also, the core of the cable is protected against water ingress by a
swellable tape. The cable also has a UV stabiliser sheath that makes it suitable for outdoor usage.
Empty ports in patch panels must be filled with blanking insert plugs.
5.4 Racks
The specifications of the MDF and IDF racks are as follows:
MDF
1. 42U (800 x 1000mm)
2. Metal perforated front & back door with key locks
3. Removable side door panels with locks
4. Vertical Cable managers
5. Wheel base
6. Cooling fans (4 for the 42U rack)
7. Load rating 600 Kg
8. Unique key feature (i.e. one key can open all cabinets)
9. Castors
10. Black Colour (RAL9004)
11. Total 6 PDUs for two Racks (4 X 16AMP for MDF rack) and (2 X 16AMP for IDF-1 rack)
12. U height labels to be fitted to all 19” angles
13. Built in stabilizing legs.
14. Earthing straps to connect front and back doors to the base of the cabinets [Subject to
approval of earthing Change Request to be submitted to ADEC]
IDF
1. 36U (800 x 800mm)
2. Metal perforated front & back door with key locks
3. Removable side door panels with locks
4. Vertical Cable managers
5. Built in stabilizing legs
6. Cooling fans (4)
7. Load rating 600 Kg
8. Unique key feature (i.e. one key can open all cabinets)
9. Black Colour (RAL9004)
7 TESTING PROCESS
All Cat6 and fibre optic cables will be tested with a Fluke machine.
The passive contractor will provide one PDF test results file for Cat6 and fibre optic cables.
All tested Cat6 cables should pass the Fluke test as long as the cable length does not exceed
90 meters. However, in some cases the cable may exceed the 90 meter limit, in which
case it might still pass the test depending on the testing parameters and cable condition.
8 HANDOVER PROCESS
Upon completion of site installation, contractor will submit following handover documents to ADEC:
1. Site Passive BOQ As-Built
2. Site Passive Test Results
3. Site Data Outlet Distribution Report As Built
4. Site Floor Plan As-Built
5. MDF Rooms Layout As-Built
Information & Communication Technology (ICT) Division
October 2013
Version 3.1.1
Abu Dhabi Schools ICT Infrastructure - Passive Components – Power and AC Specifications
Revision History
Revision Number | Revision Date | Summary of Changes | Author(s)
Reviewers
Approvals
Table of Contents
1 INTRODUCTION
1 INTRODUCTION
The MDF is the Main Server Room in schools. This topology is applied to all
schools in the ADEC domain. The MDF will have two main cabinets: the first is for
the network devices, and the second is mostly used to host the first IDF in the
school. In addition to that, a UPS will be connected to both cabinets to distribute
power to all devices via a PDU supplied from the UPS.
Following is a diagram and list of all devices with the required power for each:
Networking
Server
BlueCoat Systems SG800-2 AC
5 Device:
7 Device
The UPS Size and Type is: 10 KVA + 2 Battery Units
Runtime: 41 minutes
(The UPS will be dedicated to the equipment in the MDF room. If other equipment, such as BMS or
any non-IT equipment, is connected to the UPS, its power consumption should be calculated and the
UPS capacity might be increased to more than 10 KVA.)
3 IDF Requirements
This is the individual distributing panel; it will get power from the room power outlet.
Product | Percentage of PoE Power Used | Total PoE Output Power Available (W) | Total PoE Output Power Used (W) | Total PoE Output Power Remaining (W) | Total Heat Dissipation (BTU/Hr)
1) 1.5 Ton
2) Minimum Temperature is 16
3) Humidity control from 65 – 85
4) Water Drainage
Every IDF should have an AC vent supplying cool air from the existing building AC.
The selected vendor will be responsible for installing additional power sockets as per the following
requirements:
Information & Communication Technology (ICT) Division
October 2013
Version 3.0
Abu Dhabi Schools ICT Infrastructure - Passive Components – Labeling Specifications
Revision History
Revision Number | Revision Date | Summary of Changes | Author(s)
Reviewers
Approvals
Table of Contents
1 INTRODUCTION
2 NAMING CONVENTION
1 INTRODUCTION
The purpose of this document is to provide the labelling specifications which the Passive
Contractor(s) will use during the implementation for all the ADEC sites. The labelling scheme has to
be approved by ADEC before the implementation phase. All labels will be printed using a label
machine [black on white, self laminating labels]. All labelling information will be recorded on the
final site layouts.
2 NAMING CONVENTION
Below is the list of abbreviations that will be used.
2.1 Site Type
The site designator indicates the type of site. The table below depicts the types of sites which
exist in the ADEC network:
2.2 Site ID
The site ID corresponds to the ADEC ERP site ID. The following naming convention rules
apply to the site ID field in the naming convention:
o The site ID will consist of three digits.
o If the ERP site ID is less than three digits, then leading zeros will be added to the ERP
site ID to remain consistent with the three digit rule.
The table below depicts how the ERP site ID will be encoded as a site ID in the naming
convention:
Item Abbreviation
Core Switch csw
Access Switch asw
Router Rtr
Fiber panel fpp
UPS ups
WAN Optimization (WAAS) wop
Monitor mon
Server srv
WLC wlc
Item Abbreviation
Wireless Access Point W
IP CCTV C
3 LABELLING SPECIFICATIONS
Each user side outlet shall be labelled on the space provided on the faceplate and the size of
the labelling will be the same as available in the 3M faceplate model.
The “dual port” face plate label for the normal data/voice outlet will consist of 4 fields:
o The DF type
o DF No. (for Intermediate Distribution Frame only)
o The cat6 patch panel port ID (first port)
o The cat6 patch panel port ID (second port)
The “single port” face plate label for the wireless access point and CCTV outlet will consist of
3 fields:
o The DF type
o DF No. (for Intermediate Distribution Frame only)
o The cat6 patch panel port ID (dedicated patch panel for WAP & CCTV)
Inactive data outlets will have the same labelling but with an extra label on top of the faceplate
showing “inactive”.
Each single inactive outlet will have a separate label showing the inactive status of the port.
However, if both dual outlets are inactive then one label per outlet will be used.
The table below shows examples of face plate labelling:
Face Plate Labelling
DF Type | DF No. | CAT6 Patch Panel Port ID | CAT6 Patch Panel Port ID | Example
i | 1 | W01 | N/A | i01-W01
i | 2 | C02 | N/A | i02-C02
i | 12 | C20 | N/A | i12-C20
i | 3 | 5 | 6 | i03-5/6
Each patch panel shall be labelled on the space provided for labelling and the size of the
labelling will be same as available in the 3M patch panel.
The ports on the data/voice patch panels will be labelled in sequence, so it will be from 1 to 48 for
patch panel 1, and from 49 to 96 for patch panel 2, and so on.
The last data/voice patch panel may not be fully populated, e.g. when the number of data outlets
required is less than 48, 96, 144, etc.
The left side half of the Wireless Access Points and CCTV patch panel will be dedicated for
wireless points starting from W1 to W24.
The right side half of the same patch panel will be dedicated for CCTV points starting from C1
to C24.
The table below shows examples of patch panels labelling:
All patch cords in MDF/IDFs will be labelled [black on white, self laminating labels].
A sticker label will be used to label both ends of each cable with the same label.
The patch cord from the DF side will be labelled. The patch cords from the user side (desktop)
will not be labelled.
The cat6 patch cord label for IDFs will consist of 3 fields:
o The switch name
o The switch port ID.
o The cat6 patch panel port ID which the switch is connected to.
The table below shows examples of cat6 patch cord labelling for IDF:
The cat6 patch cord label for MDF will connect between the Wireless Controller and the Core
Switch, and will consist of 4 fields:
o Device name (Wireless Controller)
o Port number of the Device (Wireless Controller)
o Device name (Core Switch)
o Slot number/Port number of the device (Core Switch)
The table below shows examples of cat6 patch cord labelling for MDF:
CAT6 Patch Cord Labelling (MDF)
Device Name | Device Port ID | Device Name | Device Port ID | Example
WLC | 1 | CSW | 1/7 | WLC1-CSW1/7
WLC | 2 | CSW | 1/8 | WLC2-CSW1/8
WLC | 3 | CSW | 2/7 | WLC3-CSW2/7
WLC | 4 | CSW | 2/8 | WLC4-CSW2/8
Each 3 duplex ports (i.e. 6 ports) will be assigned for a single DF.
The fiber optic patch cord label will consist of 3 fields:
o The distribution frame type and No. (For Intermediate Distribution Frame)
o The fiber optic patch panel port ID (duplex)
The table below shows how fiber optic patch panels must be labelled in DFs:
1 3 5 7 9 11 13 15 17 …… 23
2 4 6 8 10 12 14 16 18 ……. 24
i1-01 i1-02 i1-03 i2-04 i2-05 i2-06 i3-07 i3-08 i3-09
1 3 5 7 9 11
2 4 6 8 10 12
m-07 m-08 m-09
On a standalone switch: a fiber patch cord will be connected from the first duplex port on
the fiber patch panel to uplink port 1/1/1 (G1) on the switch. And a fiber patch cord will be
connected from the second duplex port on the fiber patch panel to uplink port 1/1/2 (G2).
The table below shows examples of fiber optic patch cord labelling on a standalone switch:
On a switch stack of 4 switches: a fiber patch cord will be connected from the first duplex
port on the fiber patch panel to uplink port 1/1/1 (G1) on the switch. And a fiber patch cord
will be connected from the second duplex port on the fiber patch panel to the first port in the
last switch which is uplink port 4/1/1 (G1).
The table below shows examples of fiber optic patch cord labelling on a switch stack of 4
switches:
Each 3 ports in the fiber optic patch panel will be reserved for one Intermediate Distribution
Frame. For example:
o Ports 1,2,& 3 are assigned for i1
o Ports 4, 5, & 6 are assigned for i2, etc…
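The face plate format, the 48-port patch panel sequence and the three-ports-per-IDF fibre reservation described in this section can be checked mechanically against an as-built outlet sheet. The Python below is an added example, not part of the ADEC specification: the function names and the sample labels are constructed, and it assumes IDF labels only (prefix i, two-digit DF No. on face plates as in the examples above).

```python
import re

PORTS_PER_PANEL = 48      # data/voice panel 1 carries ports 1-48, panel 2 carries 49-96, ...
WAP_CCTV_PORTS = 24       # W1-W24 on the left half, C1-C24 on the right half
FIBER_PORTS_PER_IDF = 3   # fibre patch panel ports reserved per IDF

# i<DF No.>-<W|C><two digits>   or   i<DF No.>-<first port>/<second port>
_FACEPLATE = re.compile(r"i(\d{2,})-(?:([WC])(\d{2})|(\d+)/(\d+))")


def data_panel(port):
    """Return (patch panel number, position on that panel) for a data/voice port ID."""
    if port < 1:
        raise ValueError("port IDs start at 1")
    return (port - 1) // PORTS_PER_PANEL + 1, (port - 1) % PORTS_PER_PANEL + 1


def faceplate_label(idf_no, first, second=None):
    """Build an IDF face plate label from 'W1'/'C20' (single port) or two data port IDs."""
    prefix = f"i{idf_no:02d}"
    if second is None:                       # single port: WAP or CCTV outlet
        kind, num = first[:1].upper(), first[1:]
        if kind not in ("W", "C") or not num.isdigit() or not 1 <= int(num) <= WAP_CCTV_PORTS:
            raise ValueError(f"bad WAP/CCTV port: {first!r}")
        return f"{prefix}-{kind}{int(num):02d}"
    data_panel(first), data_panel(second)    # both must be valid data port IDs
    return f"{prefix}-{first}/{second}"


def parse_faceplate(label):
    """Split a face plate label into its fields, raising ValueError if it breaks the scheme."""
    m = _FACEPLATE.fullmatch(label)
    if not m:
        raise ValueError("does not match the face plate format")
    idf, kind, num, first, second = m.groups()
    if kind:
        if not 1 <= int(num) <= WAP_CCTV_PORTS:
            raise ValueError("W/C port outside 1-24")
        return {"idf": int(idf), "type": kind, "ports": (int(num),)}
    ports = (int(first), int(second))
    if ports[0] == ports[1]:
        raise ValueError("dual face plate lists the same port twice")
    return {"idf": int(idf), "type": "data", "ports": ports,
            "panels": tuple(data_panel(p)[0] for p in ports)}


def fiber_labels(idf_no):
    """Fibre patch panel port labels reserved for one IDF (ports 1-3 for i1, 4-6 for i2, ...)."""
    first = (idf_no - 1) * FIBER_PORTS_PER_IDF + 1
    return [f"i{idf_no}-{p:02d}" for p in range(first, first + FIBER_PORTS_PER_IDF)]


def audit_labels(labels):
    """Return (label, reason) for every malformed or duplicated face plate label."""
    seen, problems = set(), []
    for label in labels:
        try:
            parse_faceplate(label)
        except ValueError as exc:
            problems.append((label, str(exc)))
            continue
        if label in seen:
            problems.append((label, "duplicate label"))
        seen.add(label)
    return problems


# Constructed sample of an as-built outlet sheet column (not real site data).
SAMPLE_LABELS = ["i01-W01", "i03-5/6", "i3-5/6", "i02-C25", "i12-C20", "i01-W01", "i04-7/7"]

if __name__ == "__main__":
    for label, reason in audit_labels(SAMPLE_LABELS):
        print(f"{label}: {reason}")
```

Running the audit over the handover documents before sign-off catches outlets that cannot be traced back to a patch panel port, which is what the labels exist for.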
The table below shows how the slots on the Core Switch in the MDF will show:
Slots on Core Switch
Slot-1 | port 1/1 | ......... | port 1/12 | port 1/13 | ......... | port 1/24
Slot-2 | port 2/1 | ......... | port 2/12 | port 2/13 | ......... | port 2/24
Core Switch (for schools) – Slot 1 & 2 Port Reservations ‘Active Components LLD Port
Reservations’ Table
Information & Communication Technology (ICT) Division
October 2013
Version 2.2
Revision History
Revision Number | Revision Date | Summary of Changes | Author(s)
2.0 | 2012-09-13 | Final version prepared for Abu Dhabi Future Schools Program – Phase 4 | Yousef Alreyami
2.1 | 2012-10-10 | Minor updates | Yousef Alreyami, Shueib Medani
2.2 | 04-03-2013 | Required devices/equipments; new paragraph 1.3.3 Interactive boards height; 1.3.3 AV cables / Cords; 1.3.4 external trunking / exposed wires; Page 8,9 display resolution changed to generic spec.; P8 Branded Photos removed; Sample Projectors / IWB added for illustration purposes | Shueib Medani
Reviewers
Approvals
Table of Contents
1 Scope of Work
1.1 Required Devices/Equipments and Quantities
1.2 Site Survey
1.3 Installation Requirements
1.3.1 Mock-up Installation
1.3.2 Cabling and Termination
1.3.3 AV cables & cords
1.3.4 External Trunking & exposed wires
1.3.5 IWB height from the floor
1.3.6 Trash Removal
1.4 Training Requirements
1.4.1 Quick Reference Manuals
1.4.2 Laminated Posters
1.5 Support and Maintenance Requirements
1.5.1 Response and Resolution Time
1.5.2 Swappable Units
1.5.3 Warranty
1.6 Asset Management
1.7 Handover Documentation
2 Technical Specifications
2.1 Ultra Short Throw Projector
2.2 Interactive Whiteboard System
2.3 Educational Software bundled with Interactive Whiteboards
2.4 Pre-approved Manufacturers List
2.5 Sample Interactive Boards for class rooms “for illustration purpose only”
2.6 Sample mobile trolleys for interactive boards “for illustration purpose only”
SoW and Specifications for Projectors and Interactive Board Systems
1 Scope of Work
Interactive Boards Supplier is requested to provide the following:
1. Supply ICT devices listed hereunder that meet the requirements of ADEC.
2. Delivery and asset tagging of all devices in scope.
3. Installation services as a fully integrated solution.
4. Testing & commissioning services.
5. Staff Training (Teachers) and technical training for ADEC support engineers.
6. Warranty and ongoing support (4 years).
LRC 1 1 (mobile)
Cafeteria 1
Lobbies 1
Gyms 1
Reception 1
Principal office 1
Important Remarks:
1. If the LRC design does not allow for the installation of interactive board on the wall (i.e.
glass walls), the interactive board and projector should be installed in proper mobile trolley.
The CONTRACTOR is responsible to supply the trolleys.
2. For KGs, adjustable height brackets are required for all classrooms.
ADEC will request the contractor to prepare a mock-up of the installation for approval.
All cabling for the A/V solutions is within the scope of the contractor including all face plates,
adapters and required. Face plates are generally required in the device side and near the computer
desk connected to the projector.
Any computer adapter that is required for the system must not be connected to external power
supply. In all rooms, both the projector and computer display must be displaying the computer
output.
CONTRACTOR will be required to manage and label all cables. Loose and unmanaged cables will
not be accepted.
The contractor/interactive boards supplier is required to provide all the necessary AV cables and
wires (HDMI, VGA, audio, etc.) to connect the teacher desktop PC to the IWB faceplate in the wall
near the teacher desk.
External trunking and exposed wires (AV, data or power) are not allowed in the schools under any
circumstances; all connections for AV or LED systems should be hidden and not visible for any reason.
Interactive boards should be installed at the following height above the floor in all learning spaces:
CONTRACTOR will be required to remove all empty boxes and other trash produced by the
installation / delivery outside the school premises. Upon completion of the installation,
CONTRACTOR must clean the installation area and leave it in dust free condition.
1. A handout explaining all the steps required to operate the required devices.
2. The handout must be bilingual - English and Arabic.
3. The handout must be detailed and have screenshots of actual steps. Soft copies of
handouts must be submitted to ADEC for approval prior to conducting training sessions.
4. The handout must also include a section on basic troubleshooting.
5. CONTRACTOR is required to have the principal sign-off that the training has taken place in
a satisfactory manner. Copies of the training sign off forms are to be submitted to ADEC
ICT. Form to include school name, name of attendee, ADEC employee number, date and
signature.
6. The CONTRACTOR is also required to conduct training for ADEC support technicians on
basic troubleshooting and get sign-off on the training from ICT Support. This is required at
least once for each region (Abu Dhabi, Al Ain, Western).
The CONTRACTOR will be responsible for developing a laminated quick reference manual for every
school (in English and Arabic) that describes how to operate all the above items. The manual will be
prepared professionally in full colour. Instructions have to be simplified with easy to follow steps
supported with colour screen shots and images. All pages must be laminated.
The CONTRACTOR will be responsible for developing and hanging “how to operate" posters in full
colour for every lab. The poster will be laminated and professionally framed and prepared in both
English and Arabic.
The CONTRACTOR will sign a contract with ADEC that includes the SLA terms and conditions
mentioned below for 4 years. SLA violations will be monitored closely and penalties will be applied
as agreed with the Procurement & Contracts Division.
All parts and labor (including transportation) must be covered by the CONTRACTOR.
CONTRACTOR will be required to have standby units available in stock so failing units can be
replaced with working ones while they are being repaired. Under no condition will ADEC accept
delays beyond what is mentioned on the SLA requirements above.
1.5.3 Warranty
1. CONTRACTOR must produce and place bar codes for each item as per ADEC guidelines.
2. CONTRACTOR must submit an electronic spreadsheet of all items delivered as per ADEC
template. Information must include school name, items, serial numbers, device name,
device type & model, vendor name, warranty dates.
No | Document(s) | Remarks
1 | Asset Sheet – final sheet including the details of all devices delivered | As per ADEC template
2 Technical Specifications
2.1 Ultra Short Throw Projector
CONTRACTOR must include free educational Software integrated with the interactive
whiteboards
The software must include free clipart library, images, video, common shapes and symbols:
Included and screened for UAE culture suitability
Editing Features:
Save lessons: Yes, Save notes written over software applications directly into the
application such as PowerPoint, Word and Excel
File formats support: Save notes in different file formats including: HTML, JPG, GIF, PNG
and PDF
Printing: Yes
2.5 Sample Interactive Boards for class rooms “for illustration purpose only”
2.6 Sample mobile trolleys for interactive boards “for illustration purpose only”
The preferred interactive board mobile trolley should have a rack to host a PC or laptop.
ADEC FA PROJECT
Site Readiness Checklist (Pre-requisite)- GENERAL
Appropriate ADEC personnel and/or representatives should be made available for receiving of materials delivery & signing of Delivery Notes
Appropriate ADEC personnel and/or representatives should be made available for witnessing and signing/stamping Acceptance checklists
Equipment orders should be made at the appropriate times to ensure equipment availability
Site Specific WAN/ACTIVE/IPT equipment consignments (as per requested BoQ) should be prepared and made available for pickup from ADEC
warehouse
OLD cabinets should be removed prior to start of CISCO implementation
Appropriate GPS coordinates and School contacts, Exact School IDs and School Names in English should be provided
English & Arabic IVR recordings should be provided for IPT configuration
Appropriate WAN & Analog orders need to be placed for relevant Sites
Secure Interim storage of materials and tools should be provided whilst the work on the sites is in progress
Additional Comments / Remarks :
Civil Pre-requisites
Any Work-on-Site (in MDF/IDF rooms) should be completed for Cisco Implementation (e.g. no ongoing painting work etc.)
ADECs M&E Contractor to provide the MDF/IDF room ready with Partitions, AC and Industrial Power
MDF Room is selected as per guidelines (e.g. no principal room or classroom selected)
Minimum 1 meter space is available front & back of MDF & IDF racks
Two Racks available (one for MDF, one for IDF) in the MDF room
Drop Fibre from telephone room to MDF rack pulled by ADEC Passive Contractor
Passive site CAD drawings (with all data points, AP locations etc) available (as-built)
Passive Port Allocation Sheet (PAS) & Outlet Distribution Sheets available (as-built)