
ABU DHABI FUTURE SCHOOL PROGRAM - PHASE 7

AIN AL FAYDA - NEW EXTENSION


AL AIN, UAE

ISSUED FOR CONSTRUCTION

VOLUME 3 - TECHNICAL SPECIFICATIONS

PART G.9 - APPENDIX I – ADEC Information & Communication Technology (ICT) Guidelines

FEBRUARY 2018

INDEX
VOLUME No. 3 - TECHNICAL SPECIFICATIONS

PART-A

DIVISION 01

PART-B

DIVISION 02 - 07

PART-C

DIVISION 8 - 14

PART-D

DIVISION 31 - 32

PART-E

DIVISION 21 - 23

PART-F

DIVISION 26 - 28 & 33

PART-G - APPENDICES

G.1 APPENDIX A - GEOTECH REPORT


G.2 APPENDIX B - TOILET ACCESSORIES AND SANITARY SCHEDULE
G.3 APPENDIX C - FOOD SERVICE EQUIPMENT
G.4 APPENDIX D - FF & E CUTSHEETS
G.5 APPENDIX E - SIGNAGE
G.9 APPENDIX I - ADEC INFORMATION & COMMUNICATION TECHNOLOGY (ICT) GUIDELINES
G.10 APPENDIX J - ADSSC SEWERAGE SPECS
G.11 APPENDIX K - ADM STORMWATER SPECS
G.12 APPENDIX L - AWDEA POTABLE WATER SPECS
PART H: ROAD SPECIFICATION
PART I: SOIL INVESTIGATION REPORT: (for guidance only)
PART J: SUSTAINABLE DESIGN REQUIREMENTS

END OF INDEX



CONTENT

1. ADEC : ICT Project Management Office : Responsibility Matrix for New Schools Projects :
Version 4: Dated – September 13, 2012

2. ADEC: Information & Communication Technology (ICT) Division: Standard Operating
Environment – Abu Dhabi School Model – October 2012 – Version 1.2

3. ADEC School Project : Infrastructure and Wireless Low Level Design – Version 1.6 – By Cisco
Services

4. ADEC : IP Surveillance System – CCTV Specifications for ADEC Schools – October 2013 -
Version 1.0

5. ADEC : Information & Communication Technology (ICT) Division : Abu Dhabi Schools ICT
Infrastructure : Passive Components – Design Specifications – October 2013 – Version 1.1

6. ADEC: Information & Communication Technology (ICT) Division: Abu Dhabi Schools ICT
Infrastructure: Passive Components – Data Outlet Distribution Specifications – October 2013 –
Version 1.2. (Note that the number and location of data and power points in this guideline are a
minimum requirement; the contractor shall refer to the layout drawings for the exact number of
data/power points to suit furniture layout/site adaptations.)

7. ADEC : Information & Communication Technology (ICT) Division : Abu Dhabi Schools ICT
Infrastructure : Passive Components – Specifications and Installation Scope – October 2013 -
Version 3.0

8. ADEC: Information & Communication Technology (ICT) Division: Abu Dhabi Schools ICT
Infrastructure: Passive Components – Power & AC Specifications – October 2013 – Version
3.1.1

9. ADEC : Information & Communication Technology (ICT) Division : Abu Dhabi Schools ICT
Infrastructure : Passive Components – Labeling Specifications - October 2013 – Version 3.0

10. ADEC : Information & Communication Technology (ICT) Division : Abu Dhabi Schools ICT
Infrastructure : Scope of Work and Specifications for Projectors and Interactive Board Systems –
October 2013 – Version 2.2

11. ADEC : Information & Communication Technology (ICT) Division : Abu Dhabi Schools ICT
Infrastructure : Etisalat Site - Readiness Checklist

The above Abu Dhabi Education Council (ADEC) Guidelines are to be read in conjunction with the
following technical specification sections. The ADEC Guidelines/Specifications take precedence
over the system specifications:
1. Division 27 – Section 27 00 00 – Telephone & Data Cabling Infrastructure
2. Division 27 – Section 27 60 00 – Closed Circuit Television (CCTV) System
3. Division 28 – Section 28 10 00 – Security Access Control System
ICT Project Management Office

Responsibility Matrix for New Schools Projects

Date: September 13, 2012

Columns: No; Item; Main Responsibilities during Design & Project Delivery (Musanada, Musanada contractor(s), ADEC ICT, ADEC ICT contractors); Responsibility of Support & Maintenance

1. Structured Cabling
Musanada:
1) Manage tendering and procurement using ICT specifications
2) Manage delivery & installation
Musanada contractor(s):
1) Deliver and install the items based on ICT guidelines including all cabinets, patch panels, cable managers, trunking, face plates ...
2) Provide labeled patch cords as per ICT requirements
3) Asset tagging
4) Documentation handover to ICT
5) Provide BOQ for review and approval
ADEC ICT:
1) Provide ICT guidelines, specifications, SLA requirements and approved bidder list
2) Participate in tender technical evaluation
3) Review building and IDF/MDF/ODF layouts
4) Review BOQ to ensure compliance with ICT guidelines and specifications
5) Conduct QA on implementation
6) Coordination with active contractors (Network, IPT, ..)
Support & Maintenance: Musanada

2. UPS
Musanada:
1) Manage tendering and procurement using ICT specifications
2) Manage delivery & installation
Musanada contractor(s):
1) Deliver and install based on ICT guidelines and specifications
2) Asset tagging
3) Documentation handover to ICT
ADEC ICT:
1) Provide ICT guidelines, specifications, SLA requirements and approved bidder list
2) Participate in tender technical evaluation
3) Conduct QA on the design and installation
Support & Maintenance: Musanada (4 years warranty & NBD support - parts & labor)

3. Public Address System
Musanada:
1) Manage tendering and procurement using ICT specifications
2) Manage delivery & installation
Musanada contractor(s):
1) Deliver and install the items based on ICT guidelines
2) Asset tagging
3) Training for end users and ICT Support
4) Documentation handover to ICT
ADEC ICT:
1) Provide ICT guidelines, SLA requirements and approved bidder list
2) Participate in tender technical evaluation
3) Conduct QA on the design and installation
4) Network configuration (if required)
Support & Maintenance: Musanada (4 years warranty & NBD support - parts & labor)

4. Security Systems (CCTV, Access Control, Security Room)
Musanada:
1) Manage tendering and procurement using ICT specifications
2) Manage delivery & installation
Musanada contractor(s):
1) Deliver and install the items based on ICT guidelines
2) Asset tagging
3) Training for end users and ICT Support
4) Documentation handover to ICT
ADEC ICT:
1) Provide ICT guidelines, specifications, SLA requirements and approved bidder list
2) Participate in tender technical evaluation
3) Conduct QA/review on the design and installation
4) Network configuration (if required)
Support & Maintenance: Musanada (4 years warranty & NBD support - parts & labor)

6. Audio & Visual Systems (incl. auditorium systems, TVs, interactive boards & cabling to desktops)
Musanada:
1) Manage tendering and procurement using ICT specifications
2) Arrange prototypes/demos with qualified suppliers for evaluation & approval by ADEC ICT and P-12 prior to awarding
3) Manage delivery & installation
Musanada contractor(s):
1) Deliver and install the items based on ICT guidelines including all cabling terminating to the desktops
2) Software installation & complete testing after delivery of desktops
3) Asset tagging
4) Training for end users and ICT Support as per the guidelines
5) Documentation handover to ICT
ADEC ICT:
1) Provide ICT guidelines, specifications, SLA requirements and approved bidder list
2) Participate in tender technical evaluation
3) Conduct QA/review on the design and installation
4) Network configuration (if required)
Support & Maintenance: Musanada (4 years warranty & NBD support - parts & labor)

8. Network - LAN (switches, routers, wireless AP, …)
Musanada / Musanada contractor(s):
Site coordination for the implementation
ADEC ICT:
1) Provide guidelines for passive contractors
2) Procure and manage delivery/installation
3) Conduct QA for the site readiness
ADEC ICT contractors:
1) Deliver and install based on ICT procedures
2) Asset tagging
3) Documentation handover to ICT
Support & Maintenance: ADEC ICT

9. WAN Connectivity
Musanada / Musanada contractor(s):
Site coordination for the implementation
ADEC ICT:
1) Provide guidelines for passive contractors
2) Procure and manage delivery/installation
3) Conduct QA for the site readiness
ADEC ICT contractors:
1) Deliver and install based on ICT procedures
2) Asset tagging
3) Documentation handover to ICT
Support & Maintenance: ADEC ICT

10. Time & Attendance System
Musanada:
1) Manage tendering and procurement using ICT specifications
2) Manage delivery & installation
Musanada contractor(s):
1) Provide provision for power and network as per ICT guidelines and installation locations
2) Site coordination during installation
ADEC ICT:
1) Provide ICT guidelines for power and network provisions
2) Procure and manage delivery & installation
3) Conduct QA for the site readiness
ADEC ICT contractors:
1) Deliver and install based on ICT guidelines
2) Interface TA devices with the enterprise ADEC system
3) Asset tagging
4) Training for end users and ICT support
5) Documentation handover to ICT
Support & Maintenance: ADEC ICT

11. IP Telephony
Musanada / Musanada contractor(s):
1) Provide furniture and provision for power and network as per the ICT guidelines
2) Site coordination for the implementation
ADEC ICT:
1) Provide ICT guidelines for furniture, power and network provisions
2) Review building and furniture layouts
3) Prepare distribution plans coordinating with School Operations & P-12
4) Procure and manage delivery & installation
5) Conduct QA for the site readiness
ADEC ICT contractors:
1) Deliver and install based on ICT guidelines
2) Cable management
3) Asset tagging
4) Training for end users and ICT support
5) Documentation handover to ICT
Support & Maintenance: ADEC ICT

12. Desktops & Laptops; Printing & Imaging Equipment
Musanada / Musanada contractor(s):
1) Provide furniture and provision for power and network as per ICT guidelines and installation locations
2) Site coordination during installation
ADEC ICT:
1) Provide ICT guidelines for furniture, power and network provisions
2) Review building and furniture layouts
3) Prepare distribution plans coordinating with School Operations & P-12
4) Procure and manage delivery & installation
5) Conduct QA for the site readiness
ADEC ICT contractors:
1) Deliver and install based on ICT guidelines
2) Cable management
3) Asset tagging
4) Training for end users and ICT support
5) Documentation handover to ICT
Support & Maintenance: ADEC ICT

13. Core Network (HQ)
Design & Project Delivery:
Connect the school to core network services:
- Internet Access
- Monitoring
- Content Filtering
Support & Maintenance: ADEC ICT

15. BMS and other MEP
Musanada:
Procure and manage delivery/installation
Musanada contractor(s):
Deliver, install and support
ADEC ICT:
Network configuration (if required)
No other involvement
Support & Maintenance: Musanada
Advanced Services

Abu Dhabi Education Council (ADEC) – School Project


Infrastructure and Wireless Low Level Design

Version 1.6

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

CISCO CONFIDENTIAL

Copyright © 2008, Cisco Systems, Inc.
All rights reserved.
COMMERCIAL IN CONFIDENCE.
1. Contents

1. Contents
2. Figures
3. Tables
4. Document Information
4.1 Review and Distribution
4.2 Modification History

5. Document Acceptance Certificate

6. Introduction
6.1 Preface
6.2 Audience
6.3 Scope
6.3.1 In scope
6.3.2 Out of scope
6.4 Key Design Decisions
6.5 Design Exceptions and Known Gaps
6.6 Assumptions & Caveats
6.7 Related Documents
6.8 References
6.9 Project Contact List
6.9.1 ADEC
6.9.2 Cisco Systems Advanced Services

7. Network Overview
7.1 Network Layout
7.2 Design Considerations

8. Physical Network Design
8.1 Physical Location of Equipment
8.2 Network Hardware Components
8.2.1 Cisco ISR 2911
8.2.2 Cisco Catalyst 4507R-E
8.2.2.1 Cisco Catalyst 4507R-E Slot Allocation
8.2.3 Cisco Catalyst C3850-F-S (Standalone or Switch Stack)
8.2.3.1 Cisco Catalyst C3850-F-S Power Supply and Power over Ethernet+
8.2.3.2 Stacking of Catalyst C3850-F-S
8.2.3.3 StackWise
8.2.3.4 Power Stack
8.3 Network Topology
ADEC Infrastructure and Wireless LLD CISCO CONFIDENTIAL

3 Version 1.6
A printed copy of this document is considered uncontrolled
8.3.1 Network Connectivity
8.3.1.1 Core Switch to WLC
8.3.1.2 Access Switch to Core Switch
8.3.1.3 Access Switch Uplink Redundancy
8.3.1.4 Core Switch to WAN Router
8.3.1.5 Core Switch Port Reservations
8.3.1.6 Core Switch Port Oversubscription
8.3.1.7 Access Switch to Host Connectivity
8.4 Naming Convention
8.4.1 Site Type
8.4.2 SiteID
8.4.3 Distribution Frame Type
8.4.4 Distribution Frame Number
8.4.5 Device Role
8.4.6 Device Iteration
8.4.7 Naming Convention Examples
8.5 Labelling Convention
8.6 Interface Description
8.6.1 Physical Port Descriptions
8.6.2 Switch Virtual Interface (SVI) Descriptions
8.6.3 PortChannel Interface Descriptions
8.7 Software Requirements
8.7.1 Software Justifications
8.7.1.1 Core switch
8.7.1.2 Access Switch

9. Logical Network Design
9.1 Network Design
9.2 VLAN
9.3 Voice VLAN
9.4 IP Addressing
9.4.1 ADEC Address Allocation
9.4.2 IP Address Exclusions
9.4.3 IP Scheme
9.5 Infrastructure Routing
9.6 Infrastructure Security
9.6.1 Control Plane Policing
9.6.1.1 CoPP Configuration Strategies
9.6.1.2 Identifying Undesirable Traffic
9.6.1.3 Rate
9.6.1.4 Catalyst 4507R-E Control Plane Policing
9.6.2 Storm Control
9.6.3 DHCP Snooping
9.6.3.1 DHCP Scope Exhaustion
9.6.3.2 Rogue DHCP Server
9.6.3.3 DHCP Snooping Configuration guidelines
9.6.4 IP Source Guard
9.6.5 Dynamic ARP inspection
9.6.6 Port security
9.6.7 Additional Security Features
9.6.7.1 MAC Flooding Attacks
9.6.7.2 802.1Q and ISL Tagging attack
9.6.7.3 Double Encapsulated 802.1Q Nested Attack
9.6.7.4 ARP Attack
9.7 Network Services
9.7.1 DHCP
9.7.2 DHCP Relay
9.7.3 DHCP for the APs
9.7.4 DNS
9.7.5 NTP
9.7.5.1 NTP Hierarchy
9.8 Access Network Design
9.8.1 Trunking
9.8.1.1 802.1Q Trunk Configuration
9.8.1.2 Allowed VLANs on a trunk
9.8.1.3 Enhance VLAN Security
9.8.2 Etherchannel
9.8.2.1 Etherchannel Numbering
9.8.2.2 Etherchannel between Core Switch and Access Switch
9.8.2.3 Etherchannel between Access Switch (stack origin) and Access Switch (Stack Extension)
9.8.2.4 Etherchannel between Core Switch and WLC
9.8.2.5 Etherchannel Guard
9.8.3 Access Port
9.8.4 VTP
9.8.5 Spanning Tree Protocol (STP)
9.8.5.1 VLAN Stability
9.8.5.2 PortFast
9.8.5.3 Bridge Protocol Data Unit (BPDU) Guard
9.8.5.4 LoopGuard
9.8.5.5 UniDirectional Link Detection (UDLD)
9.8.5.6 Extended System-id
9.8.6 Speed and Duplex Setting
9.9 Infrastructure Management
9.9.1 MGMT VLAN
9.9.2 Simple Network Management Protocol
9.9.3 Logging
9.9.3.1 Timestamp Service
9.9.3.2 Buffered Logging
9.9.3.3 Console Logging
9.9.3.4 Logging Login Success and Failure Attempts
9.9.3.5 Logging Source
9.9.4 Cisco Discovery Protocol (CDP)
9.9.5 Disable Unneeded Services
9.9.5.1 Small Servers
9.9.5.2 Finger Service
9.9.5.3 IP Source Routing
9.9.5.4 IP Directed Broadcasts
9.9.5.5 IP Redirects
9.9.5.6 PAD Service
9.9.5.7 HTTP Server
9.9.5.8 DHCP Server
9.9.6 Enable Protection Services
9.9.6.1 Enable TCP Keepalive Feature
9.9.6.2 TCP Synwait
9.9.7 Preventing Unauthorized Access
9.9.7.1 Enable Secret
9.9.7.2 Service password-encryption
9.9.7.3 Local Authentication
9.9.7.4 Restricting VTY access to NMS Subnet
9.9.7.5 Limiting Remote access to SSH
9.9.7.6 Configuring SSH
9.9.7.7 Tiered Access Privileges
9.9.8 Restricting Access using Access Control Lists (ACLs)
9.9.8.1 Management Subnet ACLs
9.9.8.2 Guest Access ACLs
9.9.9 Login Banners
9.9.10 Service Nagle

10. Wireless Infrastructure
10.1 Wireless Network Design Overview
10.2 Wireless Software
10.3 RF Design Requirements
10.3.1 Coverage
10.3.2 Capacity
10.3.2.1 IEEE 802.11a
10.3.2.2 IEEE 802.11g
10.3.2.3 IEEE 802.11n
10.3.2.4 Channel Binding
10.4 Wireless Access Point Deployment
10.4.1 Access Points and Antennas
10.4.2 Access Point Location and Installation
10.5 Connecting the Access Points to the Network
10.5.1 Access Layer Switch Port Requirements
10.5.2 DHCP Server Requirements
10.5.3 Electrical Power
10.6 Wireless LAN Controller Deployment
10.6.1 Wireless LAN Controller
10.6.2 CAPWAP Transport Mode
10.6.3 Wireless Client Mobility
10.6.4 RF Planning
10.6.4.1 Radio Transmit Power and Channel Assignment
10.6.5 Redundancy and AP Load Balancing
10.6.5.1 Wireless LAN Controller
10.6.5.2 Access Point Redundancy
10.6.6 Wireless Client Security
10.6.6.1 Data Clients
10.7 Cisco Unified Wireless Security Features
10.7.1 Peer-to-peer blocking
10.7.2 Wireless Intrusion Detection System (IDS)
10.7.3 Client exclusion
10.7.4 Rogue AP detection
10.8 Network Management
10.9 Cisco Wireless LAN Controller Configuration
10.9.1 WLC IP Addressing
10.9.1.1 Wireless LAN Controller AP-Manager and Management
10.9.2 WLC IP Addresses on the Dynamic VLANs
10.9.3 Client IP Addresses
10.9.4 WLC General Parameters
10.9.5 WLC Interfaces
10.9.6 Mobility Group
10.9.7 Wireless LAN (WLAN) Configuration
10.9.8 Management Features
10.9.8.1 SNMP
10.9.8.2 HTTP / HTTPS
10.9.8.3 Telnet / SSH
10.9.8.4 NTP
10.9.8.5 WLC Login Banner

11. Appendix A – School Dependencies

12. Appendix B – WLC Initialization

13. Glossary

2. Figures
Figure 1 Sample School network
Figure 2 Sample Topology Diagram of the overall network
Figure 3 Physical Diagram of a typical school
Figure 4 Typical School infrastructure layout
Figure 5 Stack Switch Label Convention
Figure 6 Stack Switch Label Example
Figure 7 Logical Network Design
Figure 8 ADEC IP Address Allocation
Figure 9 ADEC School IP Address Allocation Scheme
Figure 10 Catalyst 4507R-E CoPP Mode
Figure 11 Option 43 Hex String
Figure 12 Hex String Components
Figure 13 ADEC Domain name
Figure 14 Split MAC Architecture
Figure 15 Disable OTAP
Figure 16 Disable Aggressive Load Balancing
Figure 17 Enable LAG Mode
Figure 18 Enable L3 LWAPP Mode
Figure 19 Disable Multicast Mode
Figure 20 Default Mobility Name
Figure 21 RF Network Name

3. Tables
Table 1 In Scope
Table 2 Out of Scope
Table 3 Key Design Decisions
Table 4 Design Exceptions and Known Gaps
Table 5 ADEC Contacts
Table 6 Cisco Contacts
Table 7 Slot Allocation 4507R-E
Table 8 4507R-E to WLC Port Reservation
Table 9 3 Switch Stack Uplink Scheme
Table 10 4 Switch Stack Uplink Scheme
Table 11 5 Switch Stack Uplink Scheme
Table 12 6 Switch Stack Uplink Scheme
Table 13 Standalone Uplink Scheme
Table 14 Core Switch - Access Switch Etherchannel uplink scheme Switch 1
Table 15 Core Switch - Access Switch Etherchannel uplink scheme Switch 2
Table 16 Core Switch - Access Switch Etherchannel uplink scheme Switch 3
Table 17 second switch stack uplink - first stack switch Etherchannel uplink scheme Switch 5
Table 18 second switch stack uplink - first stack switch Etherchannel uplink scheme Switch 6
Table 19 Core Switch - WAN Router Port Reservation
Table 20 Core Switch – Slot 1 & 2 Port Reservations
Table 21 Site Type Abbreviations
Table 22 ERP SiteID Encoding
Table 23 DF Abbreviations
Table 24 Distribution Frame Number Encoding
Table 25 Device Role Abbreviation
Table 26 Naming Convention Examples
Table 27 IOS Software Image Listing
Table 28 VLAN Table
Table 29 IP Scheme for all IP Subnets
Table 30 Additional IP Scheme for Specific VLANs
Table 31 Additional IP Scheme for Management VLAN
Table 32 IP Scheme for Core Switch to WAN Router Link
Table 33 Hex String Components
Table 34 Hex String Example
Table 35 NTP Table with NTP Source and Stratum Levels.
Table 36 Logging Levels
Table 37 Restricting Access to Management Subnet
Table 38 Restricting Guest Access
Table 39 WLC Software Releases
Table 40 ADEC Signal Strength Req.
Table 41 Coverage Areas
Table 42 DHCP Lease Times
Table 43 Cisco Aironet Access Point Power Draw
Table 44 WLAN/SSID Roles and Security
Table 45 Mobility Group
Table 46 WLAN / SSID

4. Document Information

Author: Stephane Picard / Zarar Ismail / Nadeem Akbar / Chady Saad
Change Authority: Cisco Advanced Services
Change Forecast: medium

4.1 Review and Distribution

Organisation | Name | Title
Cisco AS | Stephane Picard | Solution Architect

4.2 Modification History

Rev | Date | Originator | Status | Comment
1.0 | July-19-2010 | Zarar Ismail / Chady Saad | Draft | All Data Sheet information, products specs and specific configuration guidelines have been removed as per the request from ADEC, Musanada and Etisalat.
1.1 | July-15-2010 | Zarar Ismail / Chady Saad | Draft | Key Design Decisions updated. Design Exceptions and Known Gaps table updated based on ADEC/Musanada comments.
1.2 | Aug-2-2010 | Zarar Ismail / Chady Saad | | All wording such as “recommendation” removed except where appropriate. 4507R-E Port Allocation modified. IP Address Allocation modified. IP Address exclusions added. Access Port to host connectivity guide inserted as per ADEC/Musanada comments.
1.3 | Aug-3-2010 | Zarar Ismail / Chady Saad | | Comments and feedback added directly into the document according to ADEC/Musanada comments.
1.4 | Aug-17-2010 | Zarar Ismail / Chady Saad / Stephane Picard | | Additional justification added for KDDs according to ADEC/Musanada comments. Added restriction and disclaimer regarding some specific design requests from ADEC/Musanada.
1.5 | Aug-30-2010 | Alistair Ross | | Updates following review of version 1.4.
1.6 | July-29-2013 | Abdulfattah Abdullateef | | Replacing 3750X with 3850S.

5. Document Acceptance Certificate

Title: ADEC Infrastructure and Wireless LLD
Version: 1.6

Name:
Title:
Company:
Signature:
Date:

6. Introduction

6.1 Preface
The objective of this document is to provide Abu Dhabi Education Council (ADEC) with a detailed
network infrastructure and Wireless LAN design.

The ADEC network consists of approximately 305 sites/schools. ADEC will interconnect all the
schools via IPCONNECT, an Etisalat service (which is a Virtual Private Network (VPN)
interconnection over the Etisalat Multiprotocol Label Switching (MPLS) backbone). It is expected that
this Low-Level Design (LLD) document will be used as a basis for implementation of the IP network
infrastructure and Wireless LAN (WLAN) across all sites of ADEC.

6.2 Audience
The primary audience of this document is the information technology team involved in the
deployment and support of the infrastructure and wireless LAN:

- Members of the ADEC, Etisalat and Musanada team
- Cisco Systems staff working on the ADEC project
- ADEC partners and subcontractors
- ADEC employees who require detailed knowledge of the ADEC wired and wireless LAN
  Network Infrastructure

6.3 Scope
The following section details the current scope of this document.

6.3.1 In scope
The following solution components are within the scope of the current project.

Table 1 In Scope

Scope ID Description
1 Network Infrastructure
2 Wireless LAN


6.3.2 Out of scope


The following solution components are outside the scope of the current project.

Table 2 Out of Scope

Scope ID Description
1. WAN connectivity
2. Data Centre
3. QoS
4. IPT QoS
5. VoIP
6. VoWLAN
7. NAC
8. IPT Testing
9. IPT Infrastructure
10. 802.1x
11. Multicast
12. IPv6
13. Random Frame Stress Attack
14. Multicast Brute Force Attack


6.4 Key Design Decisions


The table below details the key design decisions which were used to drive the design process.

Table 3 Key Design Decisions

KDD | Decision | Ref | Owner
KDD01. | The wireless solution shall provide the ability for any user to roam within the school. | 10.6.3 Wireless Client Mobility | ADEC
KDD02. | The wireless solution shall provide a captive portal for all users. | 10.6.6.1 Data Clients | ADEC
KDD03. | The wireless solution shall provide an SSID for staff, students and guests. | 10.6.6.1 Data Clients | ADEC
KDD04. | All documents shall meet ADEC document standards. | 6.8 References | ADEC
KDD05. | The solution shall connect the school to the WAN service. | 7.1 Network Layout | ADEC
KDD06. | The solution shall provide SSH V2 and SNMP V3. | 9.9.7.5 Limiting Remote access to SSH; 9.9.2 Simple Network Management Protocol; 10.9.8 Management Features | ADEC
KDD07. | SSH V2 access shall be controlled by ACL. | 9.9.7.4 Restricting VTY access to NMS Subnet | ADEC
KDD08. | SSH V2 access shall be authenticated using a local account. | 9.9.7.3 Local Authentication | ADEC
KDD09. | All network devices shall be configured with an interface in the management VLAN. | 9.9.1 MGMT VLAN | ADEC
KDD10. | SSH access shall only be provided on the management VLAN. | 9.9.8.1 Management Subnet | ADEC


KDD11. | Access to SSH shall utilise tiered access privileges. | 9.9.7.7 Tiered Access Privileges | ADEC
KDD12. | SSH session timeouts shall be 5 minutes | 6.5 Design Exceptions and Known Gaps | ADEC
KDD13. | Login banner shall be displayed for all SSH access. | 9.9.9 Login Banners | ADEC
KDD14. | Telnet access shall be prevented on all devices. | 9.9.7.5 Limiting Remote access to SSH; 10.9.8.3 Telnet / SSH | ADEC
KDD15. | SSH access shall be limited to connections from management source IP addresses only. | 9.9.7.4 Restricting VTY access to NMS Subnet | ADEC
KDD16. | All SSH user access shall be logged locally. | 9.9.3.4 Logging Login Success and Failure Attempts; 10.8 Network Management | ADEC
KDD17. | Labelling Convention to incorporate individual switches in the stack | 8.5 Labelling Convention | ADEC
KDD18. | Logging shall capture warning and critical event levels. | 9.9.3 Logging | ADEC
KDD19. | SNMP access shall be limited to and from connections from management source IP addresses only. | 9.9.2 Simple Network Management Protocol | ADEC
KDD20. | Management access to the WLC shall be provided over HTTPS and SSH V2 only. | 10.9.8 Management Features | ADEC
KDD21. | WLC access shall be controlled by ACL. | 9.9.8.1 Management Subnet | ADEC
KDD22. | WLC management access shall be authenticated using a local account. | 10.8 Network Management | ADEC


KDD23. | WLC access shall only be provided on the management VLAN. | 9.9.8 Restricting Access using Access Control Lists (ACLs) | ADEC
KDD24. | Access to WLC shall utilise tiered access privileges for Admin and lobby ambassador roles. | 10.8 Network Management | ADEC
KDD25. | WLC session timeouts shall be 30 minutes. | 10.9.8.2 HTTP / HTTPS | ADEC
KDD26. | Login banner shall be displayed for all WLC access. | 10.9.8.5 WLC Login Banner | ADEC
KDD27. | WLC Admin role shall have full privileges. | 10.8 Network Management | ADEC
KDD28. | WLC Guest role shall have sufficient privileges for users Moves, Addition and Changes. | 10.8 Network Management | ADEC
KDD29. | All VLANs shall be provisioned with an IP address. | 9.4.3 IP Scheme | ADEC
KDD30. | The IP Addressing schema shall provide minimum of 1000 schools | 9.4 IP Addressing | ADEC
KDD31. | Each VLAN shall be assigned /24 IP subnet. | 9.4 IP Addressing | ADEC
KDD32. | The Data Centre will use the ADSIC allocated IP range | 9.4 IP Addressing | ADEC
KDD33. | Each device shall be asset tagged with the device hostname as per the labelling convention defined within this document | 8.5 Labelling Convention | ADEC
KDD34. | Each VLAN shall reserve a block of addresses for use by printers. | 9.4.3 IP Scheme | ADEC
KDD35. | Wireless Guest connections shall not be encrypted. | 10.6.6.1 Data Clients | ADEC


KDD36. | Access to the Internet proxy from the wireless GUEST VLAN shall be limited by ACL to Permitted Services List (PSL). | 9.9.8.2 Guest Access | ADEC
KDD37. | Access to the infrastructure device management interfaces shall be limited by ACL to the NMS IP Addresses only. | 9.9.8.1 Management Subnet | ADEC
KDD38. | Domain name shall be configured on network infrastructure devices. | 9.7.4 DNS | ADEC
KDD39. | NTP shall be configured on network infrastructure devices. | 9.7.5 NTP | ADEC
KDD40. | IP DNS lookup shall not be configured on network infrastructure devices. | 9.7.4 DNS | ADEC
KDD41. | Port security shall restrict based on 3 MAC addresses. | 9.6.6 Port security | Cisco
KDD42. | The solution shall provide VTP transparent mode with VTP domain as follows "adec.ac.ae" | 9.8.4 VTP | ADEC
KDD43. | The solution shall provide control plane policing. | 9.6.1 Control Plane Policing | ADEC
KDD44. | Ports will be hardcoded as trunks | 9.6.7.2 802.1Q and ISL Tagging attack | ADEC
KDD45. | Usernames shall not reflect role or the privileges associated with the credential. | 9.9.7.7 Tiered Access | ADEC


KDD46. | DHCP snooping shall be configured in such a way that it prevents rogue DHCP servers. (Port configuration trusted/untrusted). | 9.6.3 DHCP Snooping | ADEC
KDD47. | Management VLAN port shall be assigned in every switch or stack or switches. (Note: ADEC management stations shall be statically allocated an IP address by MAC address) | 9.9.1 MGMT VLAN | ADEC
KDD48. | The Management VLAN port on each switch or stack shall not be patched to UTP patch port. (Where stack, only one port per stack to be configured.) | Not Applicable | ADEC
KDD49. | The Management VLAN port shall be configured on port 48 of each switch or stack only. | Not Applicable | ADEC
KDD50. | Spanning-Tree PortFast shall be configured. | 9.8.5.2 PortFast | ADEC
KDD51. | UDLD shall be configured on all uplinks. | 9.8.5.5 UniDirectional Link Detection (UDLD) | ADEC
KDD52. | Should an AP go down and an adjacent active AP is within range, then the end point shall be able to connect via the adjacent AP without losing connectivity. | 10.6.5.2 Access Point Redundancy | ADEC


KDD53. | The wireless solution shall provide a backup DHCP server function. In the event that the centralised DHCP server is unavailable then the WLC shall provide IP address from its local DHCP database. | 10.9.3 Client IP Addresses | ADEC
KDD54. | The WLC shall provide the ability to manually contain rogue access points. | 10.7.4 Rogue AP detection | ADEC
KDD55. | Wireless encryption shall be WPA and WPA2 (AES). | 10.6.6.1 Data Clients | ADEC
KDD56. | Port security shall not be configured on the Core Switch. | 9.6.6 Port security | ADEC
KDD57. | IP Source Guard shall be configured. | 9.6.4 IP Source Guard | ADEC
KDD58. | The solution shall provide security features to limit the impact of MAC Flooding Attacks | 9.6.6 Port security | ADEC
KDD59. | The solution shall provide security features to limit the impact of an 802.1Q and ISL Tagging Attack | 9.6.7.2 802.1Q and ISL Tagging attack | ADEC
KDD60. | The solution shall provide security features to limit the impact of a Double-Encapsulated 802.1Q/Nested VLAN Attack | 9.6.7.3 Double Encapsulated 802.1Q Nested Attack | ADEC
KDD61. | The solution shall provide security features to limit the impact of ARP Attacks | 9.6.5 Dynamic ARP inspection | ADEC


KDD62. | The solution shall provide security features to limit the impact of a Multicast Brute Force Attack | Out of scope | ADEC
KDD63. | The solution shall provide security features to limit the impact of a Spanning-Tree Attack | 9.8.5 Spanning Tree Protocol (STP) | ADEC
KDD64. | The solution shall provide security features to limit the impact of a Random Frame Stress Attack | Out of scope | ADEC
KDD65. | 4 ports on the Core Switch shall be allocated for future use by servers. | 8.3.1.5 Core Switch Port Reservations | ADEC
KDD66. | All ports allocated on the Core Switch shall be distributed across the two IO blades. | 8.3.1.5 Core Switch Port Reservations | ADEC
KDD67. | One Gigabit Ethernet (gig) port shall be allocated on the Core Switch for the "IPT project". | 8.3.1.5 Core Switch Port Reservations | ADEC
KDD68. | One Gigabit Ethernet (gig) port shall be allocated on the Core Switch for WAN Router. | 8.3.1.5 Core Switch Port Reservations | ADEC
KDD69. | For each allocated port on the Core Switch, a separate port on redundant IO blade shall be reserved for future expansion. | 8.3.1.5 Core Switch Port Reservations | ADEC
KDD70. | The WAN Router port on the Core Switch shall be configured with /30 from the school LAN range for L3 connection to the WAN Router. | 9.5 Infrastructure Routing | ADEC


KDD71. | A voice VLAN shall be configured on data (IT Labs, Admin, Teachers and Library ports) Access Ports only. | 9.3 Voice VLAN | ADEC
KDD72. | A voice VLAN shall not be configured on AP or CCTV Access Ports. | 9.3 Voice VLAN | ADEC
KDD73. | The software to be used on the C3850-F-S and 4507R-E will be 3.2.2SE and 12.2(53)SG8 respectively | 8.7 Software Requirements | Cisco
KDD74. | The Cisco Catalyst 4507R-E is selected as the Core Switch for the ADEC school site network infrastructure. | 7.1 Network Layout | ADEC
KDD75. | The Cisco Catalyst C3850-F-S is selected as the Access Layer Switch for the ADEC school site network infrastructure | 7.1 Network Layout | ADEC
KDD76. | The Cisco 5508 Series is selected as the Wireless LAN Controller (WLC) for the ADEC school site network infrastructure | 7.1 Network Layout | ADEC
KDD77. | Cisco Catalyst C3850-F-S switches within the IDF will be stacked where more than one switch is installed | 8.3.2.1 Stacking of Cisco Catalyst C3850-F-S | ADEC
KDD78. | No More than 4 Cisco Catalyst C3850-F-S switches will be provisioned in a single StackWise switch stack. | 8.2.3.3 StackWise | Cisco


KDD79. | Cisco Catalyst C3850-F-S uplink modules will be installed in switches at the opposite ends of the stack. | 8.3.1.3 Access Switch Uplink Redundancy | Cisco
KDD80. | In an Access Switch stack each uplink module will use a single port to connect to the Core Switch | 8.3.1.2 Access Switch to | Cisco
KDD81. | In a standalone Access Switch the first two ports of the uplink module will be used to connect to the 4507R-E | 8.3.1.2 Access Switch to | Cisco
KDD82. | The Access Switches will connect to the Core Switch using an etherchannel | 8.3.1.2 Access Switch to | Cisco
KDD83. | ADEC’s naming conventions will be followed when assigning hostnames to all network infrastructure devices. | 8.4 Naming Convention | ADEC
KDD84. | The Site Type will be represented in the naming convention using a single character | 8.4.1 Site Type | ADEC
KDD85. | The Site Type for a school site will be identified by “S” | 8.4.1 Site Type | ADEC
KDD86. | The SiteID will correspond to the ADEC ERP SiteID | 8.4.2 SiteID | ADEC
KDD87. | The SiteID will consist of three digits | 8.4.2 SiteID | ADEC


KDD88. | If the actual SiteID is less than three digits then a leading zero will be added to the SiteID to remain consistent with the two digits SiteID rule. | 8.4.2 SiteID | ADEC
KDD89. | The Distribution Frame (DF) type will be represented in the naming convention using a single character | 8.4.3 Distribution Frame Type | ADEC
KDD90. | The DF No. will consist of two digits | 8.4.4 Distribution Frame Number | ADEC
KDD91. | If the actual DF No. is less than two digits then a leading zero will be added to the DF No. to remain consistent with the two digits DF No. rule. | 8.4.4 Distribution Frame Number | ADEC
KDD92. | The Device Role field in the naming convention will indicate the role of the device in the school site network infrastructure | 8.4.5 Device Role | ADEC
KDD93. | The Device Iteration field in the naming convention will consist of three digits | 8.4.6 Device Iteration | ADEC
KDD94. | The first unique device in each Distribution Frame occupies the number 001 with the second device numbered as 002 | 8.4.6 Device Iteration | ADEC


KDD95. | The labelling convention will follow the host naming convention with the addition of the stack member number. | 8.5 Labelling Convention | Cisco
KDD96. | All physical ports will be configured with a description | 8.6.1 Physical Port Descriptions | Cisco
KDD97. | All Switch Virtual Interfaces (SVI) will be configured with a description | 8.6.2 Switch Virtual Interface (SVI) Descriptions | Cisco
KDD98. | All port channels will be configured with a description | 8.6.3 PortChannel Interface Descriptions | Cisco
KDD99. | IP BASE SSH will be used for the Cisco Catalyst 4507R-E | 8.7 Software Requirements | Cisco
KDD100. | IP Base Image will be used for Cisco Catalyst C3850-F-S | 8.7 Software Requirements | Cisco
KDD101. | All Schools will follow the same logical design | 9 Network Design | ADEC
KDD102. | A Variable Length Subnet Mask (VLSM) will be used to subnet the 10.0.0.0 address space to provide a maximum of 1024 subnets | 9.4 IP Addressing | ADEC
KDD103. | A /18 IP address space will be assigned to each school | 9.4.1 ADEC Address Allocation | ADEC
KDD104. | All Access Switches will be configured as Layer 2 only | 9.5 Infrastructure Routing | Cisco
KDD105. | The Core Switch will act as a default gateway for each VLAN, as well as provide and control routing between VLANs, and routing to the Data Centre | 9.5 Infrastructure Routing | Cisco


KDD106. | Each VLAN will have a Layer 3 VLAN interface configured on the Core Switch | 9.5 Infrastructure Routing | Cisco
KDD107. | The Core Switch and Access Switch will both use a static default route | 9.5 Infrastructure Routing | Cisco
KDD108. | The default route on the Core Switch will point towards the WAN Router | 9.5 Infrastructure Routing | Cisco
KDD109. | The default route on the Access Switches will point to the management SVI IP address configured on the Core Switch | 9.5 Infrastructure Routing | Cisco
KDD110. | IP routing will be enabled on both the Core Switch and the Access Switches | 9.5 Infrastructure Routing | Cisco
KDD111. | There will be 1 x 1 Gbps connectivity between the Core Switch and the WAN Router | 99.1 Network Design | ADEC
KDD112. | There will be 4 x 1 Gbps connectivity between the Core Switch (4507R-E) and WLC | 9.1 Network Design | Cisco
KDD113. | There will be 2 x 1 Gbps connectivity between the Access Switch (standalone or stack) and the Core Switch | 9.1 Network Design | Cisco
KDD114. | There will be 2 x 1 Gbps connectivity between the Access Switch (Stack origin) and Access Switch (Stack Extension) Switch in case of having more than 4 StackWise switch stack. | 9.1 Network Design | Cisco


KDD115. | There will be 1 x 1 Gbps connectivity between each Wireless Access Point and an Access Switch | 9.1 Network Design | Cisco
KDD116. | All links between the Access Switch and Core Switch will be configured as trunks | 9.1 Network Design | Cisco
KDD117. | All links between the WLC and the Core Switch will be configured as trunks | 9.1 Network Design | Cisco
KDD118. | All trunks will be Layer 2 trunks | 9.1 Network Design | Cisco
KDD119. | All trunks will be configured as Etherchannels | 9.1 Network Design | Cisco
KDD120. | The link between the Core Switch and the WAN Router is a Layer 3 link | 9.1 Network Design | Cisco
KDD121. | Storm Control will be configured on the Access Switches only | 9.6.2 Storm Control | Cisco
KDD122. | Storm Control configuration will only be used on the Access Ports of the Access Switch which connect to the physical ports assigned to data VLANs | 9.6.2 Storm Control | ADEC
KDD123. | DHCP Snooping will be used to protect against rogue server attacks | 9.6.3 DHCP Snooping | ADEC
KDD124. | DHCP Snooping will be used to protect against DHCP scope exhaustion attacks | 9.6.3 DHCP Snooping | ADEC
KDD125. | DHCP Snooping will be configured on the Access Switches | 9.6.3 DHCP Snooping | ADEC


KDD126. | DHCP Snooping will be enabled globally on the Access Switch | 9.6.3 DHCP Snooping | ADEC
KDD127. | DHCP Snooping will be configured on the client VLANs | 9.6.3 DHCP Snooping | ADEC
KDD128. | DHCP Snooping will not be configured on the Access Point VLAN | 9.6.3 DHCP Snooping | ADEC
KDD129. | The Access Switch uplinks to the Core Switch will be configured as trusted interfaces | 9.6.3 DHCP Snooping | Cisco
KDD130. | All Access Switch Access Ports connecting to clients will be configured as untrusted ports | 9.6.3 DHCP Snooping | Cisco
KDD131. | IP Source Guard feature will be applied on the Access Switches | 9.6.4 IP Source Guard | ADEC
KDD132. | Dynamic ARP inspection will be deployed in the Access Layer only | 9.6.5 Dynamic ARP inspection | ADEC
KDD133. | Port security will be deployed on Access Ports as well as ports with an auxiliary (Voice) VLAN | 9.6.6 Port security | ADEC
KDD134. | Three MAC addresses per Access Port will be allowed to enable an IP phone to be connected to the secure port | 9.6.6 Port security | ADEC
KDD135. | A single MAC address will be allowed per Access Point port. | 9.6.6 Port security | ADEC
KDD136. | Automatic error disable recovery mechanisms will not be enabled | 9.6.6 Port security | ADEC


KDD137. | The native VLAN will not be cleared from the list of VLANs allowed across the trunk | 9.6.7.3 Double Encapsulated 802.1Q Nested Attack | Cisco
KDD138. | The native VLAN will not be used on Access Ports | 9.6.7.3 Double Encapsulated 802.1Q Nested Attack | Cisco
KDD139. | The native VLAN traffic will be tagged as it crosses the trunks between the switches | 9.6.7.3 Double Encapsulated 802.1Q Nested Attack | Cisco
KDD140. | VLAN tagging will be configured on the Core Switch and Access Switches globally | 9.6.7.3 Double Encapsulated 802.1Q Nested Attack | Cisco
KDD141. | Native VLAN tagging on the trunk port between the Core Switch and the WLC will be disabled | 9.6.7.3 Double Encapsulated 802.1Q Nested Attack | Cisco
KDD142. | End user devices will receive IP addresses via a DHCP running on the Core Switch in the school site | 9.7.1 DHCP | ADEC
KDD143. | The DHCP relay agent will not be enabled on the Core Switch, switch virtual interfaces | 9.7.2 DHCP Relay | Cisco
KDD144. | The Core Switch will provide DHCP services for the wireless Access Points | 9.7.3 DHCP for the APs | ADEC
KDD145. | The Data Centre will synchronize itself with a reliable time source from an externally hosted (non-ADEC) NTP server | 9.7.5 NTP | ADEC
KDD146. | The NTP time source in the ADEC HQ Data Centre will have a stratum level of 3 | 9.7.5 NTP | ADEC

KDD147. | The Core Switches in the school sites will peer with ADEC HQ Data Centre NTP server | 9.7.5 NTP | ADEC
KDD148. | The Core Switch will have a stratum level of 4 | 9.7.5 NTP | ADEC
KDD149. | The school site Access Switches will peer with the school site Core Switch | 9.7.5 NTP | ADEC
KDD150. | The Access Switches will have a stratum level of 5 | 9.7.5 NTP | ADEC
KDD151. | All trunks will be configured as 802.1Q trunks | 9.8.1 Trunking | Cisco
KDD152. | Only required VLANs will be allowed onto the trunks, all other VLANs will be removed | 9.8.1.2 Allowed VLANs on a trunk | Cisco
KDD153. | Etherchannel number 10 will be reserved for the Etherchannel between the 4507R-E and WLC | 9.8.2.1 Etherchannel Numbering | Cisco
KDD154. | Etherchannel number 11-20 reserved for the Etherchannel between the 4507R-E and C3850-F-S | 9.8.2.1 Etherchannel Numbering | Cisco
KDD155. | Etherchannel number 10 reserved for the Etherchannel between the C3850-F-S and C3850-F-S in case of having more than 4 Stack Wise switch stack. | 9.8.2.1 Etherchannel Numbering | Cisco


KDD156. | LACP will be used in the Etherchannels between the 4507R-E and the C3850-F-S and between C3850-F-S and the C3850-F-S stack Extension in case of having more than 4 StackWise switch stack. | 9.8.2.2 Etherchannel between Core Switch and | Cisco
KDD157. | The Etherchannel between the Core Switch and the WLC will be configured in the “on” mode | 9.8.2.3 Etherchannel between Access Switch (stack origin) and Access Switch (Stack Extension) | Cisco

An Etherchannel will be provisioned between the Access Switch (Stack Origin) and Access Switch (Stack Extension).

The etherchannel will consist of two x 1 Gbps links.

LACP will be used in the Etherchannels as PAgP does not support cross-stack EtherChannels. This is a limitation with the PAgP implementation in IOS.

Note Cisco IOS software creates port-channel interfaces for Layer 2 E
configure Layer 2 Ethernet interfaces with the channel-group comm

Etherchannel between Core Switch and WLC

KDD158. | Etherchannel Guard will be enabled. | 9.8.2.5 Etherchannel Guard | Cisco
KDD159. | All Access Ports will be configured with static mode access | 9.8.3 Access Port | Cisco
KDD160. | All Access Ports will be configured with spanning tree port fast | 9.8.3 Access Port | Cisco
KDD161. | The Data/Voice ports will be configured with a Data VLAN and Voice VLAN | 9.8.3 Access Port | Cisco
KDD162. | All CCTV Access Ports will be configured with a single VLAN per school site | 9.8.3 Access Port | Cisco


KDD163. | The Wireless Access Point ports will be configured with a single VLAN per school site | 9.8.3 Access Port | Cisco
KDD164. | The network devices will be configured with VTP mode transparent | 9.8.4 VTP | ADEC
KDD165. | Rapid PVST+ will be used | 9.8.5 Spanning Tree | Cisco
KDD166. | The Core Switch will act as the root for all the VLANs | 9.8.5.1 VLAN Stability | Cisco
KDD167. | All Access Ports will be configured with spanning-tree portfast | 9.8.5.2 PortFast | Cisco
KDD168. | BPDU Guard will be used only on access-switches | 9.8.5.3 Bridge Protocol Data Unit (BPDU) Guard | Cisco
KDD169. | The LoopGuard feature will be enabled on the root ports | 9.8.5.4 LoopGuard | Cisco
KDD170. | UDLD will be enabled in aggressive mode | 9.8.5.5 UniDirectional Link Detection (UDLD) | Cisco
KDD171. | Services not required will be disabled | 9.9.5 Disable Unneeded Services | Cisco
KDD172. | TCP keepalives will be enabled | 9.9.6.1 Enable TCP Keepalive Feature | Cisco
KDD173. | The TCP synwait time will be set to 10 seconds | 9.9.6.2 TCP Synwait | Cisco
KDD174. | The Nagle service will be enabled | 9.9.10 Service Nagle | Cisco
KDD175. | The latest software release 6.0.199.0 will be configured on the WLC. | 10.2 Wireless Software | Cisco
KDD176. | The 802.11a radio is disabled in the WLC | 10.3.2.1 IEEE 802.11a | ADEC
KDD177. | Channel bindings will not be provisioned for 802.11g/n mode | 10.3.2.2 IEEE 802.11g | Cisco


KDD178. | The physical locations for Wireless Access Points will be determined by a verified Site Survey | 10.4.2 Access Point Location and Installation | Cisco
KDD179. | The Supervisor Engine will be placed in slot 3 of the Core Switch | 8.2.2.1 Cisco Catalyst 4507R-E Slot Allocation | Cisco
KDD180. | The line cards will be installed into slots 1 and 2 of the Core Switch | 8.2.2.1 Cisco Catalyst 4507R-E Slot Allocation | Cisco
KDD181. | Access Points will be connected only to untagged (i.e., non-trunk) ports on the Access Switch | 10.5.1 Access Layer Switch Port Requirements | Cisco
KDD182. | The DHCP Server will be configured to return WLAN Controller Management Interface IP addresses based on the AP’s Vendor Class Identifier (VCI) | 10.5.2 DHCP Server Requirements | ADEC
KDD183. | The DHCP Lease Time will be configured as 7 days on the Core Switch (Primary DHCP Server) for wired and wireless clients | 10.5.2 DHCP Server Requirements | ADEC
KDD184. | The DHCP Lease Time will be configured as 8 hours on the WLC (Secondary DHCP Server) for wireless clients | 10.5.2 DHCP Server Requirements | ADEC
KDD185. | Access Switches supporting PoE+ will be used to provide inline power to the Access Points | 10.5.3 Electrical Power | ADEC


KDD186. | In the ADEC school site deployment, the Wireless APs and Wireless LAN Controller will be connected using different IP subnets | 10.6.2 CAPWAP Transport Mode | Cisco
KDD187. | Dynamic power and channel will be used during the AP deployment. | 10.6.4.1 Radio Transmit Power and Channel Assignment | Cisco
KDD188. | Critical areas in school sites have been defined by ADEC, where sufficient AP overlap will be provisioned to provide RF coverage in case of an AP failure | 10.6.5.2 Access Point Redundancy | ADEC
KDD189. | In the ADEC school site implementation, Staff and Student users will be using username/password credentials in the Captive Portal along with WPA/WPA2 encryption to connect to the wireless infrastructure | 10.6.6.1 Data Clients | ADEC
KDD190. | Guest users will only have internet connectivity via Captive Portal | 10.6.6.1 Data Clients | ADEC
KDD191. | The WLC will be configured to block communication between clients on the same WLAN | 10.7.1 Peer-to-peer blocking | ADEC
KDD192. | The WLC performs wireless LAN IDS analysis using all the connected APs, and reports detected attacks on to WLC | 10.7.2 Wireless Intrusion Detection System (IDS) | ADEC

KDD193. | Client Exclusion will be enabled in the WLC for all the SSIDs | 10.7.3 Client exclusion | ADEC
KDD194. | ADEC will manually contain the APs classified as Rogue using the WLC | 10.7.4 Rogue AP detection | ADEC
KDD195. | All clients will get their IP addresses from either the Primary or Secondary DHCP server | 10.9.3 Client IP Addresses | ADEC
KDD196. | The wireless LAN controller will be used as a secondary DHCP server for wireless clients only | 10.9.3 Client IP Addresses | ADEC
KDD197. | The lease time in the WLC will be configured for 8 hours | 10.9.3 Client IP Addresses | ADEC
KDD198. | Over the Air Provisioning will be disabled | 10.9.4 WLC General Parameters | ADEC
KDD199. | Aggressive Load Balancing will be disabled | 10.9.4 WLC General Parameters | Cisco
KDD200. | LAG Mode will be enabled to form an Etherchannel with the Core Switch | 10.9.4 WLC General Parameters | Cisco
KDD201. | LWAPP mode will be configured for L3 | 10.9.4 WLC General Parameters | Cisco
KDD202. | Multicast will be disabled on the wireless network | 10.9.4 WLC General Parameters | ADEC
KDD203. | ADEC will be used as the RF Network Name across all the schools | 10.9.4 WLC General Parameters | ADEC
KDD204. | Network access for third-party suppliers will be provided via the “Guest” WLAN only. | 9.2 VLAN | ADEC


KDD205. | All physical network points in the administration block/building will be assigned to the “Admin” VLAN. All other school site locations (classrooms, Music rooms, laboratory etc) with the exception of ICT Labs (ICT Labs VLAN) and Library (Library VLAN), will be assigned to the “Teachers” VLAN. | 9.2 VLAN | ADEC
KDD206. | The link addressing between the Core Switch and the WAN Router will be allocated from the /18 IP address range allocated to each school | 9.4.3 IP Scheme | ADEC
KDD207. | The link between the Core Switch and the WAN Router will be addressed with a /30 subnet | 9.4.3 IP Scheme | Cisco
KDD208. | The link addressing /30 will be the last /30 available in the /18 address space allocated to each school | 9.4.3 IP Scheme | Cisco
KDD209. | The Core Switch at each school has 2 SFP line cards | 8.3.1.1 Core Switch to WLC | ADEC
KDD210. | The Core Switch and the WLC will be connected using 4 x 1 Gbps Ethernet ports | 8.3.1.1 Core Switch to WLC | Cisco


KDD211. | The 4 x 1 Gbps ports connecting the Core Switch to the WLC will be spread across two line cards to avoid a single point of failure | 8.3.1.1 Core Switch to WLC | Cisco
KDD212. | The first available IP in the /30 will be assigned to the WAN Router and the second available IP address will be allocated to the Core Switch | 9.4.3 IP Scheme | Cisco
KDD213. | A policing action will be used in the system predefined and user defined traffic classes to protect the CPU | 9.6.1.4 Catalyst 4507R-E Control Plane Policing | Cisco
KDD214. | Additional class maps will be configured which are specific to the ADEC network to protect against any malicious users attempting to overload the CPU | 9.6.1.4 Catalyst 4507R-E Control Plane Policing | Cisco
KDD215. | The additional Class Maps will classify and police the following traffic. SSH, SNMP, ICMP, IP Fragments and TFTP | 9.6.1.4 Catalyst 4507R-E Control Plane Policing | Cisco
KDD216. | The switch port speed and duplex will be left to the default values of auto negotiate | 9.8.6 Speed and Duplex Setting | Cisco
KDD217. | Portfast will be enabled on the Access Switch ports | 10.5.1 Access Layer Switch Port Requirements | Cisco
KDD218. | Layer 3 CAPWAP transport mode will be deployed | 10.6.2 CAPWAP Transport Mode | Cisco


KDD219. | The WLC will be configured with IP address on each VLANs subnet. | 10.9.2 WLC IP Addresses on the Dynamic VLANs | Cisco
KDD220. | “AP-manager” is the first IP address used for interfacing to the AP | 10.9.5 WLC Interfaces | Cisco
KDD221. | “management” is the in-band management interface | 10.9.5 WLC Interfaces | Cisco
KDD222. | “Service-port” The Service-port interface is reserved for out-of-band management of the Wireless LAN Controller and system recovery and maintenance in the event of a network failure. | 10.9.5 WLC Interfaces | Cisco
KDD223. | Virtual interface is configured identically on all WLAN controllers which are part of the same mobility group. The virtual interface is used for DHCP relay, Mobility management and Layer 3 security (WEB authentication) features | 10.9.5 WLC Interfaces | Cisco
KDD224. | Access Point switch ports shall be allocated across switches within an Access Switch Stack | 8.3.1.7 Access Switch to Host Connectivity | ADEC
KDD225. | In the ADEC deployment, CAPWAP will be used for the communication between the Wireless LAN Controller and the access points. | 10.1 Wireless Network Design Overview | Cisco

KDD226. 802.11g radio will be used in ADEC deployment. | 10.3.2.2 IEEE 802.11g | Cisco
KDD227. 802.11n radio will be used in ADEC deployment. | 10.3.2.3 IEEE 802.11n | Cisco
KDD228. The Cisco Aironet 1260 a/g/n Access Point will be used in partially open areas | 10.4.1 Access Points and Antennas | Cisco
KDD229. External a/g/n antennas will be installed on the 1260 Access Points | 10.4.1 Access Points and Antennas | Cisco
KDD230. The Access Points will be mounted below the suspended ceiling. | 10.4.2 Access Point Location and Installation | Cisco
KDD231. Critical Admin areas within each school site have been defined by ADEC where sufficient AP overlap will be provisioned to provide RF coverage in case of an AP failure. | 10.6.5.2 Access Point Redundancy | Cisco
KDD232. The ADEC data security policy requires that wireless network access has Open authentication and strong levels of standards-based encryption. ADEC will have WPA and WPA2 compliant Staff and Student users on their wireless network. Guest users will use Captive Portal to connect to the Intranet. | 10.6.6 Wireless Client Security | Cisco
KDD233. Users with full privileged access to the WLC will use the “Loginwlc” username, whereas Lobby Ambassadors, users that have limited privileges and are only able to create usernames and passwords will use the “Operator” username. | 10.8 Network Management | Cisco

6.5 Design Exceptions and Known Gaps


Table 4 Design Exceptions and Known Gaps

DEG Description | Reference
KEG01. There is no AAA configured on any of the solution components | 9.9.7.3 Local Authentication
KEG02. There is no central AAA server | 9.9.7.3 Local Authentication
KEG03. There is no central management server (Wireless Control System) for the Wireless LAN Controllers | 10.8 Network Management
KEG04. There is a single Supervisor Engine in the Core Switch. | BoD V1.92
KEG05. There is a single Wireless LAN Controller per school | 10.6.5 Redundancy and AP Load Balancing
KEG06. 802.1x Authentication excluded due to unavailability of local LDAP server. | BoD V1.92
KEG07. 802.11a will be disabled | 10.3.2.1 IEEE 802.11a
KEG08. SSH timeout for infrastructure will be set to the maximum 120 seconds as 5 minutes is not supported. | 9.9.7.6 Configuring SSH
KEG09. No RF coverage will be provisioned in the washroom and playground. | BoD V1.92
KEG10. There is no Syslog server | 9.9.3.2 Buffered Logging
KEG11. Cisco Catalyst 3850-F-S Power Stacks are limited to no more than 4 Cisco switches | 8.2.3.4 Power Stack
KEG12. The solution shall not log information to a centralised Syslog for Release 1. | 9.9.3.2 Buffered Logging
KEG13. Logging of login attempts will be done locally | 9.9.3.4 Logging Login Success and Failure Attempts
KEG14. Cisco recommends ADEC to use industry standard PEAP MSCHAPv2 authentication for Staff and Student users | 10.6.6 Wireless Client Security
KEG15. The Cisco Catalyst 3850-F-S C3KX-PWR-1100WAC power supply is capable of providing no more than 800W of POE. | 8.2.3.1 Cisco Catalyst 3850-F-S Power Supply and PoE
KEG16. The DHCP service for the school site is hosted on the school site Core Switch. Currently no centralised DHCP solution is available in the ADEC HQ Data Centre. | 10.9.3 Client IP Addresses
KEG17. No TFTP server will be used to store the DHCP bindings | 9.6.3.3 DHCP Snooping Configuration guidelines
KEG18. No QoS will be configured for the Voice VLAN as it is currently out of scope | 9.3 Voice VLAN
KEG19. No Voice (IPT) testing will be carried out as part of the implementation | 9.3 Voice VLAN
KEG20. Due to the number of IP addresses excluded from allocation the 10/8 address range will cover approx 740 schools. | 9.4.2 IP Address Exclusions
KEG21. Cisco Catalyst Switches are not susceptible to Random Frame or Multicast Brute Force Attacks | 6.3.2 Out of scope
KEG22. The network devices will not be configured to send SNMP traps | 9.9.2 Simple Network Management Protocol
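
The design decisions and known gaps listed above can be checked against a device's running configuration. The following Python audit is an added example, not part of the LLD or of any Cisco tooling: the mapping of KDD/KEG items to standard Cisco IOS commands (`ip ssh time-out`, `login on-failure log`, `aaa new-model`, `logging host`, `snmp-server`, `spanning-tree portfast`) is an assumption, and the sample configuration is constructed.

```python
import re

# Constructed sample running-config for an access switch (not from the LLD).
SAMPLE_CONFIG = """\
hostname sample-access-switch
ip ssh time-out 60
login on-failure log
login on-success log
logging buffered 16384
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 speed 100
 duplex full
!
interface GigabitEthernet1/1/1
 switchport mode trunk
!
"""


def split_config(config):
    """Split IOS-style text into global lines and {interface: [sub-commands]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(config):
    """Return {item id: (status, detail)} with status 'ok', 'gap' or 'drift'.

    gap   = a known gap from Table 4 is still open, as the LLD documents it
    drift = the configuration differs from what the LLD states
    """
    glob, ifaces = split_config(config)
    result = {}

    def known_gap(item, pattern, what):
        hits = [line for line in glob if re.match(pattern, line)]
        if hits:
            result[item] = ("drift", f"{what} configured: {hits[0]}")
        else:
            result[item] = ("gap", f"no {what} (documented gap, still open)")

    known_gap("KEG01", r"aaa new-model\b", "AAA")
    known_gap("KEG10", r"logging (host )?\d+\.\d+\.\d+\.\d+", "remote syslog server")
    known_gap("KEG22", r"snmp-server (enable traps|host)\b", "SNMP trap sending")

    # KEG08: SSH timeout fixed at the 120-second maximum.
    timeouts = [int(m.group(1)) for line in glob
                if (m := re.fullmatch(r"ip ssh time-out (\d+)", line))]
    if timeouts == [120]:
        result["KEG08"] = ("ok", "ip ssh time-out 120")
    else:
        result["KEG08"] = ("drift", f"ip ssh time-out: {timeouts or 'not set explicitly'}")

    # KEG13: login success and failure are logged locally.
    wanted = ("login on-failure log", "login on-success log")
    missing = [c for c in wanted if not any(l.startswith(c) for l in glob)]
    result["KEG13"] = ("drift", "missing: " + ", ".join(missing)) if missing \
        else ("ok", "login attempts logged")

    # KDD217: Portfast on every access port.
    bare = [name for name, cmds in ifaces.items()
            if "switchport mode access" in cmds
            and not any(c.startswith("spanning-tree portfast") for c in cmds)]
    result["KDD217"] = ("drift", "access ports without portfast: " + ", ".join(bare)) \
        if bare else ("ok", "portfast on all access ports")

    # KDD216: speed and duplex stay at auto-negotiate (no forced values).
    forced = [name for name, cmds in ifaces.items()
              if any(re.fullmatch(r"(speed|duplex) (?!auto)\S+", c) for c in cmds)]
    result["KDD216"] = ("drift", "forced speed/duplex on: " + ", ".join(forced)) \
        if forced else ("ok", "speed and duplex left at auto")
    return result


if __name__ == "__main__":
    for item, (status, detail) in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{item:7} {status:6} {detail}")
```

Items reported as "gap" are the places where local-only logging and authentication leave no central record, so they are the ones to revisit when a AAA or Syslog server becomes available.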

6.6 Assumptions & Caveats


There are several assumptions and caveats associated with any network deployment. The major
concerns for this deployment are summarized below:

• The reader is reasonably technically competent in a basic IP networking environment. The
  reader should also have some basic understanding of Cisco products, both hardware and
  software.
• The reader of this document is assumed to have a basic understanding of standard Cisco
  Unified Wireless Network solution design and implementation concepts. This basic
  familiarity can be attained through product training and review of product documentation.
• This deployment utilizes IEEE 802.11 g/n technology, which operates in the unlicensed band.
  The unlicensed spectrum is very attractive in that there are no required licensing fees; this
  leads to simplified, low-cost deployment. However, there are no restrictions on the types
  of devices that operate in these bands. When using this technology, you should be aware of
  the potential performance degradation associated with ambient interference. The use of
  unlicensed radio frequency spectrum does not guarantee protection from interference, which
  may degrade performance of the wireless network. This risk will be somewhat mitigated
  through the use of dynamic RF management features of the Cisco Unified Wireless Network
  solution.
• Technologies and approaches to installation of the wireless network for ADEC, as described
  in this document, are approved and will be implemented in the ADEC network.

6.7 Related Documents


[1] BOD-ADEC-V1-92.pdf
[2] ADEC Documentation Standards

6.8 References
[REF-1] Cisco Product Documentation
http://www.cisco.com/univercd/cc/td/doc/product/index.htm

[REF-2] Campus Network for High Availability Design Guide
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns431/c649/ccmigration_09186a008093b876.pdf

[REF-3] Cisco Wireless LAN Controller 5508:
http://www.cisco.com/en/US/products/ps10315/index.html

[REF-4] Cisco Aironet 1140 a/g/n Series Access Point:
http://www.cisco.com/en/US/products/ps10092/index.html

[REF-5] Cisco Aironet 1260 a/g/n Series Access Point:
http://www.cisco.com/en/US/products/ps10980/index.html

[REF-6] Cisco Catalyst Cabling Considerations
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/hardware/installation/guide/HIGINSTL.html

[REF-7] Cisco StackWise Technology White Paper
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/deployment_guide_c07-727067.html#wp9000342

[REF-8] Configuring SNMP Notifications 3850
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/network_management/configuration_guide/b_nm_32se_3850_cg_chapter_0100.html

[REF-9] Configuring SNMP Notifications 4507R-E
http://www.cisco.com/en/US/docs/switches/lan/catalyst4507R-E/12.2/53SG/configuration/snmp.html#wp1043530

[REF-10] Release notes for the 4507R-E
http://www.cisco.com/en/US/docs/switches/lan/catalyst4507R-E/release/note/OL_5184.html

[REF-11] Release notes for the 3850
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/release_notes/OL28114.html

[REF-12] Release Notes for Cisco IOS Release 15.0M
http://www.cisco.com/en/US/docs/ios/15_0/release/notes/150MREQS.html

[REF-13] Cisco Service Ready Architecture
http://www.cisco.com/en/US/docs/solutions/Enterprise/Education/SchoolsSRA_DG/SchoolsSRA_DG.pdf

6.9 Project Contact List


Listed in this section are the primary contacts involved in or contacted during the creation of this
document.

6.9.1 ADEC
Table 5 ADEC Contacts

Name | Title | Telephone | Email
Mohammad Younes | Information Technology | +971 2 6150000 | myounes@adec.ac.ae
Yousef Alreyami | PMO Section Manager | +971 2 6150 848 | yousef.alreyami@adec.ac.ae
Lamis Ali Al Shamisi | Project Manager | +971 2 6150 882 | Lamis.alshamisi@adec.ac.ae
Shueib Eltigani Medani | Project Manager | +971 2 6150 417 | Shueib.medani@adec.ac.ae

6.9.2 Cisco Systems Advanced Services


Table 6 Cisco Contacts

Name | Title | Telephone | Email
Khaled Esseibi | UAE Delivery Manager | +971 4 360 4345 | kesseibi@cisco.com
Gaby El Amil | PM COE Team Lead | +971 4 427 5273 | gelamil@cisco.com
Ranya Elfil | AS Project Manager | +971 4 427 5270 | relfil@cisco.com
Zarar Ismail | Solutions Architect | +971 4 390 7940 | zismail@cisco.com
Chady Saad | Network Consulting Engineer | +971 4 448 5556 | csaad@cisco.com
Abdulfattah Abdulateef | Network Consulting Engineer | +962 79 9000652 | abdeabdu@cisco.com

7. Network Overview

Abu Dhabi Education Council (ADEC) seeks to develop educational institutions in the Emirate of
Abu Dhabi by implementing innovative educational policies, plans and programs that aim to
improve education, and support educational institutions and staff to achieve the objectives of
national development in accordance with the highest international standards.

ADEC is in the process of implementing a network infrastructure for all the schools in the
emirate of Abu Dhabi to make them capable of accommodating the tools and applications that
will allow for more interactive and productive learning in line with ADEC’s strategic plans.

The ADEC wired and wireless network infrastructure will allow users to communicate and will
provide ADEC the platform to deliver rich services to all schools seamlessly. ADEC will use the
network to share applications such as:
• ERP
• ESIS
• GIS
• Library
• SharePoint
This document covers only IP network and wireless infrastructure design.

7.1 Network Layout


The ADEC network design follows a standard two-tier model using the tiers below:

• Core-Distribution (collapsed core)
• Access Layers

There are approximately 300 schools for which ADEC are responsible that are to be
interconnected with the ADEC Head Quarters Data Centre. All schools will be implemented
following a single network infrastructure model. The network infrastructure in each school will
consist of:
• Cisco Integrated Service Router (ISR) 2911 WAN Router
• Cisco Catalyst 4507R-E as Core-Distribution Switch
• Cisco Catalyst C3850-F-S Switches as Access switches

The Cisco Catalyst C3850-F-S switches can be implemented as standalone, stacked, or daisy chain
stacked (where one IDF has more than 4 switches), depending on the port requirement of the school
site.

Access Switch connectivity to the Core Switch, whether the switch is standalone or a member of a
StackWise stack, will use dual 1 Gbps uplinks to the Core-Distribution joined in an
Etherchannel.

In a daisy chain setup, when more than 4 switches exist in one IDF, the additional switches will
connect to the first StackWise stack with dual 1 Gbps uplinks joined in an
Etherchannel.

All the schools will be interconnected via an IPCONNECT Etisalat service, which is a Virtual
Private Network (VPN) interconnection over the Etisalat Multiprotocol Label Switching (MPLS)
backbone.
The Cisco ISR 2911 WAN Router will be installed and configured to provide WAN connectivity
as part of the Etisalat Managed Router WAN (MRWAN) service.

In addition to network infrastructure detailed above, there will be Wireless Access Points and a
Wireless LAN Controller in each school to provide wireless network coverage. The Wireless
Access Points will be connected to the Access Switches and the Wireless LAN Controller will be
connected to the Core Switch.

The hardware selected for the ADEC School Site implementation is aligned with the Cisco
Service Ready Architecture (SRA) for Schools framework [REF-13].

Figure 1 Sample School network

Figure 2 Sample Topology Diagram of the overall network

[Figure 2 diagram labels: School services, C3850-F-S, WLC5508, MS Virtual server, APs, WAE 694, 4507R-E, Etisalat router, Etisalat IPCONNECT service, LAB School]

7.2 Design Considerations


The following design principles have been considered in the preparation of this design of ADEC
schools.

1. Scalability
2. Reliability
3. Availability
4. Manageability
5. Security
6. Performance
7. Network Stability


Note: When the design principles above are not optimal, specific notes are highlighted.

8. Physical Network Design

8.1 Physical Location of Equipment


The ADEC Data Centre is located at the ADEC Head Quarters in Abu Dhabi. The schools are
located at various locations across the emirate of Abu Dhabi.

The network and wireless infrastructure for all the school site implementations will follow the
same basic physical network design. However, the number of Access Switches will vary based on
the school size. Where data port requirements for a specific school site exceed one Access
Switch for the same Virtual Local Area Network (VLAN), additional Access Switches will be
installed and configured in a StackWise stack.

Some of the benefits of having the same physical architecture at each school include:

• Operational Simplicity
• Ease of Provisioning
• Reduced Complexity

Figure 3 Physical Diagram of a typical school

8.2 Network Hardware Components


From an infrastructure perspective, the network consists of a Data Centre and the individual
school network. All the school networks connect to the Data Centre located in the ADEC Head
Quarters in Abu Dhabi.

Every school will have the following equipment:

• Cisco Integrated Services Router (ISR) 2911
• Cisco Catalyst 4507R-E
• Cisco Catalyst C3850-F-S (Standalone or Switch Stacks)

The Cisco ISR 2911 is installed to provide network routing to the Wide Area Network (WAN).
The Cisco ISR 2911 WAN Router will connect to the ADEC Data Centre through the Etisalat
MPLS network on one side and will connect to the Core Switch in the school site network on the
other side.

The Cisco Catalyst 4507R-E will be installed as a Core-Distribution switch in the school site
network.

The Cisco Catalyst C3850-F-S will act as the Access Layer switch.

8.2.1 Cisco ISR 2911


The Cisco ISR 2911 WAN Router will be installed in every school by Etisalat as part of the
Managed Router WAN services.

The WAN Router will connect the Core Switch to the Etisalat IP Connect Service. The WAN
Router will be part of the Etisalat network and will be designed, configured, installed and
managed by Etisalat.

The link addressing between the Core Switch and the WAN Router will be allocated from the /18
IP address range allocated to each school.

The link between the Core Switch and the WAN Router will be addressed with a /30 subnet.

The link addressing /30 will be the last /30 available in the /18 address space allocated to each
school.

The Cisco ISR 2911 WAN Router will connect to the Core Switch with a 1 Gbps connection.

8.2.2 Cisco Catalyst 4507R-E


The Cisco Catalyst 4507R-E is the platform selected to act as the Core Switch in each school site.

The Cisco Catalyst 4507R-E was selected to meet the ADEC requirements, including those listed
below:

• High speed Core Switching backbone that is capable of supporting both 1 Gigabit per
  Second (Gbps) Unshielded Twisted Pair (UTP) and Fiber as well as 10 Gbps with
  redundant power supply and supported by the latest technologies.
• The Core Switch shall support dual processing engines in the same hardware chassis for
  redundancy
• The Core Switch shall be modular for capability to add Local Area Network (LAN)
  modules in the future
• The Core Switch shall be scalable to accommodate additional Access Layer switches in
  the future, without the need for hardware upgrade to the Core Switch.
• The Core Switch shall be capable of supporting full redundancy by adding an additional
  redundant Core Switch.
• The Core Switch must be capable of supporting different kinds of LAN interfaces,
  including but not limited to UTP and Multi-Mode Fiber.

8.2.2.1 Cisco Catalyst 4507R-E Slot Allocation

The Cisco Catalyst 4507R-E line cards and Supervisor Engine will be installed into the Core Switch
as per the table below.

Slots 3 and 4 on the Cisco Catalyst 4507R-E switch are reserved for use by the Supervisor Engines.
Even if no Supervisor Engine is placed in these slots they cannot be used by line cards.

The remaining line cards can be placed in any of the remaining slots. The two WS-X4624-SFP-E
line cards will be placed in slots 1 and 2. This will provide ease of cable management and will
make it easier to add more line cards when required.

Table 7 Slot Allocation 4507R-E

Slot | Module
1 | WS-X4624-SFP-E
2 | WS-X4624-SFP-E
3 | WS-X45-SUP6L-E
4 | Not Used
5 | Not Used
6 | Not Used
7 | Not Used

8.2.3 Cisco Catalyst C3850-F-S (Standalone or Switch Stack)


The Cisco Catalyst C3850-F-S switch is the platform selected for the Access Switch in the school
sites.

The Cisco Catalyst C3850-F-S was chosen over other variants of the C3850 family such as the
C3850-F-L and C3850-F-E for the reasons outlined below:

• Power over Ethernet Plus (PoE+) support
• Gbps upgrade Path Support
• Field Replaceable Hot Swappable Uplink Modules
• StackPower capabilities
• IP Base software model

8.2.3.1 Cisco Catalyst C3850-F-S Power Supply and Power over Ethernet+

The Cisco Catalyst C3850-F-S will be using PWR-C1-1100WAC as its power supply. This power
supply is capable of providing 800W of PoE power to the Access Switch.
ADEC will use two different types of Access Points (APs) in their wireless network. They are the
Cisco Aironet Lightweight AP2602E (outdoor AP) and the Cisco Aironet Lightweight AP2602I
(indoor AP). Both of these APs draw 15.4W of power.
With one PWR-C1-1100WAC power supply in each switch, 15.4W of power can be delivered to
all 48 ports if required.

8.2.3.2 Stacking of Catalyst C3850-F-S

In large schools where the physical port density within a single IDF exceeds the 48 ports
provided by a single switch, Access Switches in the ADEC network will be “stacked”.

The Cisco Catalyst C3850 switch uses the new StackWise-480 architecture, which allows you to build
a high-speed stack ring with superior feature and service scalability compared with StackWise Plus.
Cisco StackWise-480 technology provides scalability and resiliency with 480 Gbps of stack throughput.

The switches are physically connected sequentially. A break in any one of the cables between the
switches within a stack will result in the stack bandwidth being reduced to half of its full
capacity. Sub second timing mechanisms detect traffic problems and immediately initiate
failover. This mechanism restores dual path flow when the timing mechanisms detect renewed
activity on the cable.

Stacking provides multiple benefits, some of which are listed below:

• Providing simplified management using a single IP address
• Single SSH session
• Single command-line interface (CLI)
• Local switching
• The SSO capability, which is enabled by default when Cisco Catalyst 3850 Switches are deployed
  in Cisco StackWise-480 mode

For further information regarding the Catalyst stack please see section 6.8.

8.2.3.3 StackWise
Cisco Catalyst C3850-F-S can support up to 4 switches in a Switch Stack; no more than 4 switches
will be configured in a single stack.

This is due to hardware limitations and the sharing of hardware resources such as MAC address
table size and stack bandwidth.
In the ADEC school implementation, some schools have 5 or 6 switches in one IDF. In
this case the switches will be split into two stacks, one with 4 switches and the other with 1 or 2,
for 5 or 6 switches respectively. In such a scenario ADEC will follow the daisy
chain setup, connecting the additional switches (the second stack) to the first stack via the
uplink module.

8.2.3.4 Power Stack


Currently, the power stack for a Switch Stack is limited to 4 Cisco switches.

This will mean each switch has the benefit of being able to fall back to using the power in another
switch should its own power supply fail.

8.3 Network Topology

Figure 4 Typical School infrastructure layout

The above topology indicates the components which will be contained within each school. Each
school will have the following components:

• Intermediate Distribution Frame (IDF)
• Main Distribution Frame (MDF)
• Cisco Catalyst C3850-F-S Access Switches
• Cisco Catalyst 4507R-E with 1 x Sup6 as the Core Switch
• Cisco ISR 2911 WAN Router
• Access Points located throughout the school site
• Access Points will be connected to Access Switches in the IDF
• MDF and IDF are connected via fiber connectivity
• Where an IDF has more than 4 switches, the first switch stack is connected to the second
  switch stack via fiber connectivity
• User Access Ports and Access Point connectivity is provided by UTP cables
• Access Switches will be stacked in the different IDFs or MDF
• The WLC will be located in the MDF
• The Access Points will be connected via 1 x 1 Gbps UTP links to the Access Switches

8.3.1 Network Connectivity


The following section explains how the equipment will be connected together. Where possible,
uplinks have been spread across multiple modules to remove a Single Point of Failure (SPoF).

8.3.1.1 Core Switch to WLC


The Core Switch at each school has 2 Small Form-factor Pluggable (SFP) line cards. The Core
Switch and the WLC will be connected using 4 x 1 Gbps Ethernet ports. The 4 x 1 Gbps ports will
be distributed across both line cards to avoid a single point of failure. The following ports will be
reserved at each site on the Core Switch for connectivity to the WLC.

Table 8 4507R-E to WLC Port Reservation

Slot Number | 4507R-E Port | WLC Port
1 | 1/7 | Gig1
1 | 1/8 | Gig2
2 | 2/7 | Gig3
2 | 2/8 | Gig4

8.3.1.2 Access Switch to Core Switch


The Access Switches will be deployed in three modes:

• Stacked
• Stand alone
• Stacked with Daisy chain

Stacked Switches

Each Access Switch stack with 4 stacked switches will be implemented with 2 uplink modules.
Each module has 4 ports. The modules will be installed into the switches at opposite ends of the
stack. For example, if there are three switches in the stack, the uplink modules will be installed
in the first and third switch.

The benefit of this approach is that a switch is always either directly connected to the Core Switch
or is at most two hops away, as in the case of a middle switch in a 5 switch stack.

The first port of each uplink module will be used to connect to the Core Switch. The tables below
give some examples of how the uplink modules will be connected.

Table 9 3 Switch Stack Uplink Scheme

Switch Number | Contains Uplink Module | Port
1 | Yes | G1 (1/1/1)
2 | No | Not Used
3 | Yes | G1 (3/1/1)

Table 10 4 Switch Stack Uplink Scheme

Switch Number | Contains Uplink Module | Port
1 | Yes | G1 (1/1/1)
2 | No | Not Used
3 | No | Not Used
4 | Yes | G1 (4/1/1)

Stacked Switches with Daisy Chain stacked Switches

Each IDF with 5 or 6 switches will be split into 2 stacks: the first with 4 switches
and the second with one or two switches. Each stack will be implemented with 2
uplink modules. Each module has 4 ports. The modules will be installed into the switches at
opposite ends of the stack. For example, if there are five switches in the IDF, the first stack will
contain 4 switches and the second will contain one switch. The uplink modules will be
installed in the first and fourth switch of the 4-switch stack, and one module will be added to the
standalone switch in the second stack.

The benefit of this approach is that a switch is always either directly connected to the Core Switch
or is at most two hops away, as in the case of having more than 4 switches in an IDF.

The first port of each uplink module on the first stack will be used to connect to the Core Switch.
The last port of each uplink module on the first stack will be used to connect to the first port of
each uplink module on the second stack.
The tables below give some examples of how the uplink modules will be connected.

Table 11 5 Switch Stack Uplink Scheme

Stack Number | Switch Number | Contains Uplink Module | Port Towards Core switch | Port Towards Second Stack
1 | 1 | Yes | G1 (1/1/1) | G1 (1/1/4)
1 | 2 | No | Not Used | Not Used
1 | 3 | No | Not Used | Not Used
1 | 4 | Yes | G1 (4/1/1) | G1 (4/1/4)

Stack Number | Switch Number | Contains Uplink Module | Port Towards First Stack | Port Towards First Stack
2 | 1 | Yes | G1 (1/1/1) | G1 (1/1/4)

Table 12 6 Switch Stack Uplink Scheme

Stack Number | Switch Number | Contains Uplink Module | Port Towards Core switch | Port Towards Second Stack
1 | 1 | Yes | G1 (1/1/1) | G1 (1/1/4)
1 | 2 | No | Not Used | Not Used
1 | 3 | No | Not Used | Not Used
1 | 4 | Yes | G1 (4/1/1) | G1 (4/1/4)

Stack Number | Switch Number | Contains Uplink Module | Port Towards First Stack | Port Towards First Stack
2 | 1 | Yes | G1 (1/1/1) | N/A
2 | 2 | Yes | G1 (2/1/1) | N/A

Stand Alone Switches

Stand alone switches come with a single uplink module. The first two ports of the module will
be used as the uplink ports.

The table below shows how the ports are reserved.

Table 13 Standalone Uplink Scheme

Switch Number | Contains Uplink Module | Port
1 | Yes | G1 (1/1/1)
1 | | G2 (1/1/2)

8.3.1.3 Access Switch Uplink Redundancy


Each stack or standalone Access Switch will have two uplinks configured as an Etherchannel.
On the Core Switch side of the Etherchannel the Etherchannel member ports will be distributed
over the two line cards for redundancy purposes.

The tables below depict how the Access Switch uplinks will be distributed on the Core Switch.

Table 14 Core Switch - Access Switch Etherchannel uplink scheme Switch 1

Standalone Access Switch 1 | Core Switch Ports Site 1
1/1/1 | 1/11
1/1/2 | 2/11

Table 15 Core Switch - Access Switch Etherchannel uplink scheme Switch 2

Standalone Access Switch 2 | Core Switch Ports Site 1
1/1/1 | 1/12
1/1/2 | 2/12

Table 16 Core Switch - Access Switch Etherchannel uplink scheme Switch 3

Standalone Access Switch 3 | Core Switch Ports Site 1
1/1/1 | 1/13
1/1/2 | 2/13

In the daisy chain setup, the second switch stack will have two uplinks configured as an Etherchannel.
On both sides, the first and the second switch stack, the Etherchannel member ports will be
distributed over the two uplink modules for redundancy purposes.

The tables below depict how the second switch stack uplinks will be distributed on the first
switch stack uplinks.

Table 17 second switch stack uplink - first stack switch Etherchannel uplink scheme Switch 5

Second stack switch Access Switch 1 | First Stack switch Access switch 4
1/1/1 | 1/1/4
1/1/4 | 4/1/4

Table 18 second switch stack uplink - first stack switch Etherchannel uplink scheme Switch 6

Second stack switch Access Switch 2 | First Stack switch Access switch 4
1/1/1 | 1/1/4
2/1/1 | 4/1/4
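
The uplink rules in sections 8.3.1.2 and 8.3.1.3 can be expressed as a cabling plan and used to check an as-built record. The following Python sketch is an added example, not part of the LLD: the function names, the "stack1"/"stack2"/"core" labels, the mapping of uplink numbers beyond 3 to core ports 14-20, the 2-switch stack case and the sample as-built record are assumptions, generalized from Tables 9-18 and Table 20.

```python
MAX_STACK = 4                      # LLD: no more than 4 switches in a single stack
CORE_STACK_PORTS = range(11, 21)   # Table 20: ports 11-20 on core slots 1 and 2


def split_idf(switches):
    """Stack sizes for one IDF, e.g. 3 -> [3], 6 -> [4, 2] (daisy chain)."""
    if not 1 <= switches <= 6:
        raise ValueError("the LLD covers IDFs with 1 to 6 access switches")
    if switches <= MAX_STACK:
        return [switches]
    return [MAX_STACK, switches - MAX_STACK]


def plan_idf(switches, uplink_number):
    """Return the planned links of one IDF as (near end, far end) pairs.

    uplink_number (1-10) selects the reserved core port pair, following
    Tables 14-16 (1 -> 1/11 and 2/11, 2 -> 1/12 and 2/12, ...).
    """
    if uplink_number not in range(1, len(CORE_STACK_PORTS) + 1):
        raise ValueError("only core ports 11-20 are reserved for stacks")
    sizes = split_idf(switches)
    core_port = CORE_STACK_PORTS[uplink_number - 1]
    first = sizes[0]
    # Standalone: first two module ports. Stack: port 1 of the modules in the
    # first and last switch (Tables 9, 10, 13; the 2-switch case is extrapolated).
    to_core = ["1/1/1", "1/1/2"] if first == 1 else ["1/1/1", f"{first}/1/1"]
    links = [(f"stack1 {port}", f"core {slot}/{core_port}")
             for slot, port in enumerate(to_core, start=1)]
    if len(sizes) == 2:
        # Tables 17 and 18: last module ports of stack 1 feed the second stack.
        second = ["1/1/1", "1/1/4"] if sizes[1] == 1 else ["1/1/1", "2/1/1"]
        links += [(f"stack2 {near}", f"stack1 {far}")
                  for near, far in zip(second, ["1/1/4", "4/1/4"])]
    return links


def check_cabling(as_built, switches, uplink_number):
    """Compare recorded links with the plan and return a list of problems."""
    plan, built = set(plan_idf(switches, uplink_number)), set(as_built)
    problems = [f"missing link {a} -> {b}" for a, b in sorted(plan - built)]
    problems += [f"unexpected link {a} -> {b}" for a, b in sorted(built - plan)]
    core_slots = {far.split()[1].split("/")[0]
                  for _, far in built if far.startswith("core ")}
    if len(core_slots) < 2:
        problems.append("both core uplinks share one line card (single point of failure)")
    return problems


# Constructed as-built record for a 3-switch stack with one uplink mis-patched.
AS_BUILT = [("stack1 1/1/1", "core 1/11"), ("stack1 3/1/1", "core 1/12")]

if __name__ == "__main__":
    for near, far in plan_idf(6, 1):
        print(f"{near:14} -> {far}")
    for problem in check_cabling(AS_BUILT, 3, 1):
        print("PROBLEM:", problem)
```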

8.3.1.4 Core Switch to WAN Router


Each Core Switch will connect to the WAN Router using a single Gbps port.
Table 19 Core Switch - WAN Router Port Reservation

Slot Number | Core Switch Ports
1 | 1/1

8.3.1.5 Core Switch Port Reservations


Port reservations on the Core Switch line cards will be allocated to support current and
anticipated future connectivity requirements within the school site.

The table below depicts the Core Switch port reservations for the line cards in slot 1 and 2.

Table 20 Core Switch – Slot 1 & 2 Port Reservations

Port | Reservation Reason
1 | WAN Router
2 | IPT Router
3 | Core Infrastructure
4 | Core Infrastructure
5 | Core Infrastructure
6 | Core Infrastructure
7 | Wireless LAN Controller
8 | Wireless LAN Controller
9 | Wireless LAN Controller
10 | Wireless LAN Controller
11 | Switch Stack Connectivity
12 | Switch Stack Connectivity
13 | Switch Stack Connectivity
14 | Switch Stack Connectivity
15 | Switch Stack Connectivity
16 | Switch Stack Connectivity
17 | Switch Stack Connectivity
18 | Switch Stack Connectivity
19 | Switch Stack Connectivity
20 | Switch Stack Connectivity
21 | Server Connectivity
22 | Server Connectivity
23 | Server Connectivity
24 | Server Connectivity

8.3.1.6 Core Switch Port Oversubscription


The WS-X4624-SFP-E line card has 24 Gbps of bandwidth to the packet processor engine on the
Supervisor Engine. The WS-X4624-SFP-E line card has 24 x 1 Gbps ports. There is no
oversubscription for any of the 1 Gbps ports on the WS-X4624-SFP-E line card.

8.3.1.7 Access Switch to Host Connectivity


All Access Ports on Access Switch Stacks shall be allocated sequentially to hosts. For example all
physical port connections to the “Teachers” VLAN will be connected sequentially. This is done
for operational benefits and ease of cable management.

No spare ports will be left between the different user types. Any spare ports on an Access Switch
Stack shall be allocated at the end of the last switch in the stack.

Access Point switch ports shall be allocated across switches within an Access Switch Stack.

8.4 Naming Convention


The ADEC defined naming convention will be adhered to, and will be used to define and
configure hostnames for all devices in the ADEC network.

Using the naming convention, device administrators can identify whether the site is a school, the
site id, the distribution frame type, the distribution number, the device role and the device
iteration. Being able to determine this information by reading the hostname provides operational
benefits such as troubleshooting, device location and user provisioning.

The guideline for naming the devices is:

<Site Type><SiteID><-><DF Type><DF No.><-><Device Role><Device Iteration>

Further details regarding the naming convention fields are detailed in the following sections.

8.4.1 Site Type


The Site Type designator indicates the type of site. The table below depicts the types of sites
which exist in the ADEC network.

Table 21 Site Type Abbreviations

Site Type | Abbreviation
School | s

8.4.2 SiteID
The SiteID corresponds to the ADEC ERP SiteID. The following naming convention rules apply
to the SiteID field in the naming convention.

• The SiteID will consist of three digits.
• If the ERP Site ID is less than three digits then leading zeros will be added to the ERP
  SiteID to remain consistent with the three digit SiteID rule.

The table below depicts how the ERP SiteID will be encoded as a SiteID in the naming
convention.
Table 22 ERP SiteID Encoding

ERP SiteID    SiteID
1             001
12            012
150           150

8.4.3 Distribution Frame Type


The DF Type field in the naming convention represents the type of Distribution Frame.

The DF type will be represented in the naming convention using a single character.

The table below depicts the different types of distribution frame and how they are encoded in the
naming convention.

Table 23 DF Abbreviations

Distribution Frame Type    Abbreviation
Intermediate               i
Main                       m

8.4.4 Distribution Frame Number


The DF number represents the number of the Distribution Frame in the school site.

The following naming convention rules apply to the DF No. field in the naming convention.

• The DF No. will consist of two digits.
• If the actual DF No is less than two digits then a leading zero will be added to the DF No.
  to remain consistent with the two digits DF No. rule.

The table below depicts how the actual Distribution Frame number will be encoded as a DF No.
in the naming convention.

Table 24 Distribution Frame Number Encoding

Distribution Frame Number    DF No.
1                            01
2                            02
15                           15

8.4.5 Device Role


The Device Role field in the naming convention will indicate the role of the device in the
overall architecture. The table below depicts the abbreviations for the components of the ADEC
network infrastructure.

Table 25 Device Role Abbreviation

Device Role                Abbreviation
Core Switch                csw
Access Switch              asw
Wireless LAN Controller    wlc
Wireless Access Point      wap

All device abbreviations will be set to three letters.

8.4.6 Device Iteration


The following points further explain the iteration numbering:

• The iteration will consist of three digits.
• The first unique device in each Distribution Frame occupies the number 001.
• The first unique device in each Distribution Frame extension occupies the number 002.

8.4.7 Naming Convention Examples


The table below depicts some examples of how the naming convention will be used.

Table 26 Naming Convention Examples

Example           Site Type   ERP SiteID   DF Type                    DF No   Device Role                       Iteration
s001-m01-csw001   school      1            Main                       1       Core Switch                       1
s999-i02-asw001   school      999          Intermediate               2       Access Switch                     1
s999-i02-asw002   school      999          Intermediate - Extension   2       Access Switch – Stack Extension   1
s255-m01-wlc001   school      255          Main                       1       Wireless LAN Controller           1
s255-i01-wap110   school      255          Intermediate               1       Wireless Access Point             110

8.5 Labelling Convention


The labelling convention will follow the host naming convention, with the addition of the stack
member number for devices in a Stack. It is important to be able to refer to a switch in the stack
as an individual entity. Standalone switches will also follow this labelling convention for future
purposes. For example if another switch is stacked with it, then the first switch will not need to
be relabelled.

The switches in a stack will be labelled as follows:

Figure 5 Stack Switch Label Convention

<Switch-Hostname>-<Stack-Member-Number>

If a switch is standalone then it will be labelled with its hostname and stack member number 1.
An example of the above stack switch label convention can be found below.

Figure 6 Stack Switch Label Example

s999-i02-asw001-2

The above example depicts that this switch is switch 2 in the s999-i02-asw001 stack.
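
The hostname format in 8.4 and the stack label format in 8.5 can be checked mechanically, for instance when auditing a device inventory. The following Python parser is an added example, not part of the original document; the function names are hypothetical, and it assumes lower-case names (as in Table 26) and a stack member number that is any positive integer.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Abbreviations copied from Tables 21, 23 and 25.
SITE_TYPES = {"s": "School"}
DF_TYPES = {"i": "Intermediate", "m": "Main"}
DEVICE_ROLES = {
    "csw": "Core Switch",
    "asw": "Access Switch",
    "wlc": "Wireless LAN Controller",
    "wap": "Wireless Access Point",
}

# <Site Type><SiteID>-<DF Type><DF No.>-<Device Role><Device Iteration>,
# optionally followed by -<Stack-Member-Number> on a physical switch label.
# Assumption: names are lower case, as in every example in Table 26.
NAME_RE = re.compile(
    r"(?P<site_type>[a-z])(?P<site_id>\d{3})"
    r"-(?P<df_type>[a-z])(?P<df_no>\d{2})"
    r"-(?P<role>[a-z]{3})(?P<iteration>\d{3})"
    r"(?:-(?P<member>[1-9]\d*))?"
)


@dataclass(frozen=True)
class DeviceName:
    site_type: str
    site_id: int
    df_type: str
    df_no: int
    role: str
    iteration: int
    stack_member: Optional[int] = None   # set only when a label was parsed

    @property
    def hostname(self) -> str:
        # Zero padding follows Tables 22 and 24 and section 8.4.6.
        return (f"{self.site_type}{self.site_id:03d}-{self.df_type}"
                f"{self.df_no:02d}-{self.role}{self.iteration:03d}")


def parse_name(text: str) -> DeviceName:
    """Parse a hostname or stack label; raise ValueError naming the fault."""
    m = NAME_RE.fullmatch(text)
    if m is None:
        raise ValueError("does not match the field layout")
    if m["site_type"] not in SITE_TYPES:
        raise ValueError(f"unknown site type {m['site_type']!r}")
    if m["df_type"] not in DF_TYPES:
        raise ValueError(f"unknown DF type {m['df_type']!r}")
    if m["role"] not in DEVICE_ROLES:
        raise ValueError(f"unknown device role {m['role']!r}")
    if int(m["iteration"]) == 0:
        raise ValueError("device iteration starts at 001")
    member = int(m["member"]) if m["member"] else None
    return DeviceName(m["site_type"], int(m["site_id"]), m["df_type"],
                      int(m["df_no"]), m["role"], int(m["iteration"]), member)


def stack_label(hostname: str, member: int = 1) -> str:
    """<Switch-Hostname>-<Stack-Member-Number>; a standalone switch is member 1."""
    name = parse_name(hostname)
    if name.stack_member is not None:
        raise ValueError("expected a hostname, got a stack label")
    if member < 1:
        raise ValueError("stack member numbers start at 1")
    return f"{name.hostname}-{member}"


def audit(names):
    """Return {name: reason} for every name that breaks the convention."""
    problems = {}
    for name in names:
        try:
            parse_name(name)
        except ValueError as exc:
            problems[name] = str(exc)
    return problems


# Constructed sample inventory: two valid names followed by four faulty ones.
SAMPLE_NAMES = [
    "s255-i01-wap110",
    "s999-i02-asw001-2",
    "s12-m01-csw001",     # SiteID not padded to three digits
    "s001-x01-asw001",    # DF type not in Table 23
    "s001-m01-rtr001",    # device role not in Table 25
    "S001-M01-CSW001",    # upper case
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_NAMES).items():
        print(f"{name}: {reason}")
```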

8.6 Interface Description


Configuring a description on an interface has operational benefits, some of which are listed
below:

• Ease of troubleshooting
• Ease of provisioning
• Ease of changes

There are three types of interfaces which will contain an interface description. They are:

• Physical ports connecting to infrastructure equipment such as:
    o Core Switch to Access switch
    o Core Switch to WAN Router
    o Core Switch to WLC
    o Access Switch to Core Switch
    o Access Switch to Access Switch – in the case of daisy chain setup.
    o Access Switch to Access Point
• Switch Virtual Interfaces
• PortChannel Interfaces

8.6.1 Physical Port Descriptions


All network infrastructure ports will be configured with a description. The description will
incorporate the name of the remote device which is connected to the other side of the Access Port.
The description will also incorporate the remote port of the connected device. The following
ports will be configured with a Port Description:

• Port connecting Core Switch to WLC
• Port connecting Core Switch to Access Switch
• Port connecting Core Switch to WAN Router
• Port connecting Access Switch to Core Switch
• Port connecting Access Switch/stack2 to Access switch/stack1
• Port connecting Access Switch to Access Point

Port Descriptions will be configured to provide operational benefits such as simplified
provisioning and troubleshooting.

8.6.2 Switch Virtual Interface (SVI) Descriptions


All Switch Virtual Interfaces will be configured with a description. The description will
incorporate the VLAN name.

Switch Virtual Interface Descriptions will be configured to provide operational benefits such as
simplified provisioning and troubleshooting.

8.6.3 PortChannel Interface Descriptions


All PortChannels will be configured with a description. The description will incorporate the
name of the remote device which is connected to the other side of the PortChannels.

PortChannel Interface Descriptions will be configured to provide operational benefits such as
simplified provisioning and troubleshooting.

8.7 Software Requirements


The software named in the table below will be used on the network devices within the ADEC
network.

The selected IOS software versions are the most stable respective releases which meet all of the
ADEC feature requirements.

Table 27 IOS Software Image Listing

Role            Chassis          Version       File                                                    Comment
Core Switch     WS-C4507R-E      12.2.53-SG8   cat4500e-ipbasek9-mz.122-53.SG8.bin                     IP BASE SSH
Access Switch   WS-C3850-48F-S   3.2.2SE       cat3k_caa-universalk9.SPA.03.02.02.SE.150-1.EX2.bin     IP BASE IMAGE

8.7.1 Software Justifications


8.7.1.1 Core switch
A new Cisco IOS Software package for Cisco Catalyst 4500 Series Switches was introduced in
Cisco IOS Software Release 12.2(25)SG. The new Cisco IOS Software release train is designated as
12.2SG.

There are three types of images available for the 4507R-E.

• LAN Base
• IP Base
• Enterprise Services

The LAN base image is primarily focused on the Access Layer and Layer 2 requirements.

The IP Base Image contains all the features found in the LAN base image as well as basic Layer 3
features such as static routing.

The Enterprise Services image supports all Cisco Catalyst 4500 Series software features based on
Cisco IOS Software such as NSF/SSO, BGP, EIGRP, EIGRPv6, OSPF, OSPFv3, IS-IS, Internetwork
Packet Exchange (IPX), AppleTalk, VRF-lite, and Policy-Based Routing (PBR).

The IP Base image will be used in the ADEC environment as the 4507R-E will be used as a Core
Switch. The LAN Base image is not appropriate as the 4507R-E will not be used as an access
layer switch. The Enterprise Services image will not be used as it contains many additional
features which are not required within the ADEC network implementation.

8.7.1.2 Access Switch


The Cisco Catalyst C3850-F-S Series with StackWise-480 supports the LAN BASE software feature.

The IP Base image contains all the features found in the LAN base image as well as basic Layer 3
features such as static routing.

The IP Base image contains all the features required by ADEC, including SSH, and will be used as
the IOS software for the Access Switches.


Note The selection of the specific IOS XE version is based on Cisco deployment
recommendation, stability and field exposure.

9. Logical Network Design

9.1 Network Design


Figure 7 Logical Network Design

The network connectivity in the ADEC school site Network Infrastructure design is as follows:

• 1 x 1 Gbps connectivity between the Core Switch and the WAN Router
• 4 x 1 Gbps connectivity between Core Switch and Wireless LAN Controller
• 2 x 1 Gbps connectivity between the Access Switch (standalone or stack) and the Core
  Switch
• 2 x 1 Gbps connectivity between the Access Switch (stack extension) and the Access
  Switch (stack origin).
• 1 x 1 Gbps connectivity between each Access Point and an Access Switch
• All links between the Access Switch and Core Switch will be configured as trunks for the
  following reasons:
    o Trunk links are required to carry multiple VLANs between the Access Switch
      and the Core Switch
• All links between the Access Switch (stack extension) and the Access Switch (stack origin)
  will be configured as trunks for the following reasons:
    o Trunk links are required to carry multiple VLANs between the Access Switch
      (stack extension) and Access Switch (stack origin)
• All links between the WLC and the Core Switch will be configured as trunks for the
  following reasons:
    o Trunk links are required to carry multiple VLANs between the Access Switch
      and the Core Switch
• All trunks will be configured as Layer 2 trunks for the following reasons:
    o Layer 2 trunks will extend the broadcast domain from the Access Switch to the
      Core Switch
• All trunks will be configured as Etherchannels for the following reasons:
    o Using Etherchannels between the Access Switch and Core Switch removes the
      Layer 2 loop which would exist when using multiple trunks between the Access
      Switch and Core Switch
    o Using Etherchannels between the Access Switch (stack extension) and Access
      Switch (stack origin) removes the Layer 2 loop which would exist when using
      multiple trunks between the Access Switch (stack extension) and Access Switch
      (stack origin)
• The link between the Core Switch and the WAN Router is a Layer 3 link for the following
  reasons:
    o There is no requirement for creating a layer 2 port facing the WAN Router
    o The IP addressing for the link between the WAN Router and the Core Switch is a
      /30 so there is no possibility of addressing another node other than the WAN
      Router and the Core Switch.

It is important to note that all schools will follow the same logical network design. However, in
the large schools some of the C3850-F-S switches will be stacked; the number of switches in the
stack and the number of stacks in a school will depend on the specific port requirement in each
IDF.

Please refer to the network topology in Figure 7 for further details.

9.2 VLAN
The table below shows the VLAN scheme provided by ADEC.

Table 28 VLAN Table

VLAN ID   VLAN Name                                      Patch Cord Colour
100       Management VLAN                                Red
10-15     Servers – (VLAN 11 – 15 for Virtualization)    Red
20        Admin                                          Blue
21-25     Teachers                                       Yellow
30-35     IT Labs                                        Green
40        Security VLAN: CCTV, access control            Orange
50        Voice IT Labs
51        Voice Admin
52        Voice Teachers
53        Voice Library
60        School name-Staff (wireless)
70        School name-Student (wireless)
80        School name-Guest (wireless)
90        Library                                        Green
110       Access Point                                   Red
999       Native

All VLANs will be configured and named in the configuration. These VLANs will be created on
both the Core Switch as well as the relevant Access Switches.


Note The colour of the patch cord for the Voice VLANs will be determined by the user type i.e.
Admin, Teachers, and IT Labs.

9.3 Voice VLAN


The auxiliary VLAN (Voice VLAN) will be configured on each data port. The Voice VLAN will
be configured on Access Ports in the following VLANs:

• IT Labs
• Admin
• Teachers
• Library


Note The ADEC requirement to have multiple Voice VLANs will significantly increase
management and operational complexity, especially on small sites, without providing a
security improvement.
Cisco does not recommend deploying Voice VLAN and IP telephony without a proper
Quality of Service design.

9.4 IP Addressing
9.4.1 ADEC Address Allocation
The IP address space below will be implemented in the school sites.

Figure 8 ADEC IP Address Allocation

10.0.0.0/8

ADEC have the following IP Address allocation requirements:

• The IP address scheme will cover 1000 school sites
• Each school will be allocated a /18 address space
• Each school allocation will contain 64 x /24 address spaces
• Variable Length Subnet Masks (VLSM) will be used

The IP scheme for the allocation of /18 addresses to schools will be as follows:

• The first eight most significant bits (first octet) in the IP scheme will always be 00001010
• The next ten bits are used for assigning /18 addresses to each school. With ten bits a
  maximum of 1024 x /18 address spaces can be allocated to schools.
• The next six bits are used to allocate IP Addressing to each VLAN. With six bits a total of
  64 x /24 address spaces can be allocated to VLANs within a school (see note regarding
  WLAN subnet).
• The last 8 bits (last octet) in the scheme are reserved for host use.

The figure below depicts the binary breakdown of each octet.

Figure 9 ADEC School IP Address Allocation Scheme

<00001010>.<xxxxxxxx.xx><xxxxxx>.<xxxxxxxx>
<---8 bits--->.<----10 bits----><-6 bits->.<---8 bits--->
<----------------------------32 bits---------------------------->

9.4.2 IP Address Exclusions


The following IP addresses will be excluded.

• ADEC HQ address space 10.212.y.z
• ADEC HQ address space 10.251.y.z to 10.255.y.z
• Summary Addresses in which either the 2nd or 3rd octet is zero (e.g. 10.0.y.z or 10.y.0.z)


Note The above IP address exclusions will reduce the total number of /18 address spaces
available to schools from 1024 to 740.

9.4.3 IP Scheme
In every /24 the address will be allocated as follows:

Table 29 IP Scheme for all IP Subnets

IP Address   Description
.1           Reserved for SVI on Core Switch
             SVI acts as the default gateway for the subnet

In addition to the above reservation, the VLANs in the table below have additional addresses
reserved as per the table.

Table 30 Additional IP Scheme for Specific VLANs

VLANs                      IP Addresses   Description
20, 21-25, 30-35, 60, 90   .2 - .20       Reserved for Network Peripherals
                           .21 - .250     Reserved for Hosts

In addition to the reservation in Table 29, the Management VLAN will have the following
reservations.

Table 31 Additional IP Scheme for Management VLAN

VLAN   IP Addresses   Description
100    .2             Wireless LAN Controller
       .3 - .250      Reserved for Network Devices

A /30 address allocation will be reserved from each /18 address space. This /30 address will be
used for the link addressing between the Core Switch and the WAN Router. The /30 address
will be the last /30 address space available in the /18. The first available IP in the /30 will be
assigned to the WAN Router and the second available IP address will be allocated to the Core
Switch.

Table 32 IP Scheme for Core Switch to WAN Router Link

IP Allocation   IP Addresses   Description
10.x.x.252/30   .253           WAN Router LAN Interface
                .254           Core Switch uplink Interface


Note ADEC requires a /22 subnet size to be allocated for the Wireless LAN ‘Student’ which
consumes 4 of the 64 VLANs available in the school site.
Having a large IP subnet could increase broadcast traffic on this WLAN, which is not
controlled by the Access Port Storm Control feature.
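
The bit layout in Figure 9 and the reservations in Tables 29 to 32, worked through with Python's ipaddress module. This is an added example, not part of the original document; the function names and the block index (the ten bits after the first octet, numbered 0 to 1023) are assumptions, and the exclusions in 9.4.2 are not applied.

```python
import ipaddress

BASE = int(ipaddress.IPv4Address("10.0.0.0"))        # Figure 8: 10.0.0.0/8
# VLANs listed in Table 30 (peripheral and host ranges).
USER_VLANS = {20, *range(21, 26), *range(30, 36), 60, 90}


def decode(address: str):
    """Split an address into (block index, /24 index, host octet) per Figure 9."""
    ip = int(ipaddress.IPv4Address(address))
    if ip >> 24 != 10:
        raise ValueError(f"{address} is outside 10.0.0.0/8")
    return (ip >> 14) & 0x3FF, (ip >> 8) & 0x3F, ip & 0xFF


def school_block(index: int) -> ipaddress.IPv4Network:
    """The /18 selected by the ten 'school' bits. 'index' is an assumed name."""
    if not 0 <= index <= 1023:
        raise ValueError("block index must fit in ten bits")
    return ipaddress.ip_network((BASE + (index << 14), 18))


def subnet24(block: ipaddress.IPv4Network, n: int) -> ipaddress.IPv4Network:
    """The n-th /24 (0..63) of a school block, selected by the six VLAN bits."""
    if not 0 <= n <= 63:
        raise ValueError("/24 index must fit in six bits")
    return ipaddress.ip_network((int(block.network_address) + (n << 8), 24))


def gateway(subnet: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Table 29: .1 is the Core Switch SVI, the default gateway of the subnet."""
    return subnet.network_address + 1


def wan_link(block: ipaddress.IPv4Network):
    """Last /30 of the /18 as (subnet, WAN Router address, Core Switch address)."""
    link = ipaddress.ip_network((int(block.broadcast_address) - 3, 30))
    return link, link.network_address + 1, link.network_address + 2


def student_wlan(block: ipaddress.IPv4Network, first24: int) -> ipaddress.IPv4Network:
    """The /22 for the 'Student' WLAN. Its position (first24) is not given in
    the document and is supplied by the caller."""
    if first24 % 4:
        raise ValueError("a /22 must start on a /24 index divisible by 4")
    net = ipaddress.ip_network((int(subnet24(block, first24).network_address), 22))
    if net.overlaps(wan_link(block)[0]):
        raise ValueError("this /22 would contain the Core Switch to WAN Router /30")
    return net


def host_role(vlan: int, host: int) -> str:
    """Reservation that a host octet falls into (Tables 29 to 31)."""
    if host == 1:
        return "Core Switch SVI (default gateway)"
    if vlan == 100:
        if host == 2:
            return "Wireless LAN Controller"
        if 3 <= host <= 250:
            return "Network Devices"
    elif vlan in USER_VLANS:
        if 2 <= host <= 20:
            return "Network Peripherals"
        if 21 <= host <= 250:
            return "Hosts"
    return "not reserved by Tables 29 to 31"


if __name__ == "__main__":
    block = school_block(5)                  # constructed sample index
    link, router, core = wan_link(block)
    print(block, subnet24(block, 6), gateway(subnet24(block, 6)))
    print(link, router, core, student_wlan(block, 8))
    print(decode("10.1.70.25"), host_role(21, 25))
```

For block index 5 this gives 10.1.64.0/18 with the WAN link on 10.1.127.252/30, which shows that the last /30 sits inside the 64th /24 of the block, so that /24 cannot be handed to a VLAN in full.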

9.5 Infrastructure Routing


Access Switches can be configured as either a Layer 3 Access or a Layer 2 Access. If a Layer 3
Access is deployed it adds more complexity due to the use of an IGP and additional IP address
allocation for the links between the Access Switch and the Core Switch. If Layer 3 Access is
configured, clients have visibility of the Access Switch and it is therefore more vulnerable to
attacks from malicious users. Therefore, to reduce the complexity and increase the security of the
Access Switch, all Access Switches will be configured as Layer 2 only. The Core Switch will act as
a default gateway for each VLAN, as well as provide and control routing between VLANs, and
routing to the Data Centre.

Each VLAN will have a Layer 3 VLAN interface configured on the Core Switch. The Layer 3
VLAN will act as the default gateway for all clients within the VLAN.

The Core Switch and Access Switch will both use a static default route for routing traffic. An IGP
could have been used but it would increase the complexity of the network design. The default
route on the Core Switch will point towards the WAN Router. The default route on the Access
Switches will point to the management SVI IP address configured on the Core Switch.

IP routing will be enabled on both the Core Switch and the Access Switch.

9.6 Infrastructure Security


Access Control Lists (ACLs) will be deployed to control access to some specific VLANs and
network infrastructure services (SSH, SNMP, NTP).

Access Ports will be protected by Port Security, ARP inspection, Storm Control and DHCP
Snooping. The following section describes the infrastructure security features that will be
implemented in the ADEC school site network infrastructure.

9.6.1 Control Plane Policing


One important step in securing a network is to limit the ability of non-authorized sources to
send traffic towards the router itself, since traffic to the router will normally be sent to the CPU.
This can result in services on the router being affected if the control plane is shared with the
data plane. The Cisco Catalyst 4507R-E architecture includes complete separation between
control plane and data plane. This separation is used by a feature called CoPP (Control
Plane Policing). This feature gives the ability to apply a policy-map on the control plane. This
policy-map looks like a normal QoS policy. When a policy-map is applied to the control plane, it
will be applied to all traffic that is destined to any of the IP addresses of the router.

9.6.1.1 CoPP Configuration Strategies


Useful traffic will be policed with limits which will permit the functioning of that feature. Any
traffic not deemed to be useful will be captured by the class-default and will be subject to harsh
policing.

9.6.1.2 Identifying Undesirable Traffic


If BAD traffic cannot be identified initially, the Match-all class at the end of the policy-map will
catch all non-explicitly identified traffic and apply the policy that will allow a small rate of traffic.

As soon as BAD traffic is identified, it should be added to the “BAD TRAFFIC ACL” so the BAD
policy of “drop everything” can be applied.
9.6.1.3 Rate
All punted traffic will be rate limited to protect against any Denial of Service (DoS) attacks. The
features in use in the ADEC network use hardware based forwarding. If any transit traffic is
punted to the CPU for processing this will be rate limited. Transit traffic is only punted to the
CPU when the features are not supported in hardware. The CoPP rate for punted traffic has been
set with the premise that very little transit traffic, if any, will be punted to the CPU for
forwarding or processing.
9.6.1.4 Catalyst 4507R-E Control Plane Policing
Control plane policing will be used in the Core Switch.

Figure 10 Catalyst 4507R-E CoPP Mode

CoPP on the Core Switch will be enabled using the global macro function (called system-cpp).
The system-cpp macro automatically generates and applies CoPP policies to the control-plane.
The resulting configuration uses a collection of system defined class-maps for common Layer 3
and Layer 2 control-plane traffic. The names of all system defined CoPP class maps and their
matching ACLs contain the prefix "system-cpp-". By default, no action is specified on any of the
system predefined traffic classes.

A policing action will be used in the system predefined and user defined traffic classes to protect
the CPU from being overloaded.

Additional class maps will be configured which are specific to the ADEC network to protect
against any malicious users attempting to overload the CPU.

The additional Class Maps will classify and police the following traffic: SSH, SNMP, ICMP, IP
and Fragments.

In order to take effect, these user-defined class maps need to be added to the system-cpp-policy
policy-map.

The system predefined ACLs are shown in the table below.

Pre-defined Named ACL               Description
system-cpp-dot1x                    MacDA = 0180.C200.0003
system-cpp-bpdu-range               MacDA = 0180.C200.0000 - 0180.C200.000F
system-cpp-cdp                      MacDA = 0100.0CCC.CCCC (UDLD/DTP/VTP/Pagp)
system-cpp-garp-range               MacDA = 0180.C200.0020 - 0180.C200.002F
system-cpp-sstp                     MacDA = 0100.0CCC.CCCD
system-cpp-cgmp                     Mac DA = 01-00-0C-DD-DD-DD
system-cpp-ospf                     IP Protocol = OSPF, IPDA matches 224.0.0.0/24
system-cpp-igmp                     IP Protocol = IGMP, IPDA matches 224.0.0.0/3
system-cpp-pim                      IP Protocol = PIM, IPDA matches 224.0.0.0/24
system-cpp-all-systems-on-subnet    IPDA = 224.0.0.1
system-cpp-all-routers-on-subnet    IPDA = 224.0.0.2
system-cpp-ripv2                    IPDA = 224.0.0.9
system-cpp-ip-multicast-linklocal   IP DA = 224.0.0.0/24
system-cpp-dhcp-cs                  IP Protocol = UDP, L4SrcPort = 68, L4DstPort = 67
system-cpp-dhcp-sc                  IP Protocol = UDP, L4SrcPort = 67, L4DstPort = 68
system-cpp-dhcp-ss                  IP Protocol = UDP, L4SrcPort = 67, L4DstPort = 67


Note The class class-default is special in Modular QoS CLI (MQC) because it is always
automatically placed at the end of every policy map. Match criteria cannot be configured
for class-default because it automatically includes an implied match for all packets.
Due to the nature of CoPP matching mechanisms, certain traffic types will always end up
falling into the default class. This includes traffic such as Layer 2 keepalives and some
non-IP traffic. Because these traffic types are required to maintain the network control
plane, class-default must never be policed with both conform and exceed being set with an
action of “drop”. It is generally considered best practice never to rate-limit the class
class-default.

9.6.2 Storm Control


Storm Control will be configured on the Access Switches only as this is the location where hosts
can potentially send broadcast storms and saturate the uplinks.

It is important to note that Storm Control configuration will be used only on the Access Ports of
the Access Switches which connect to the physical ports assigned to data VLANs.

Storm Control will be enabled to protect against broadcast or multicast storms.

9.6.3 DHCP Snooping


The main attacks against DHCP are:

• DHCP scope exhaustion (client spoofs other clients)
• Installation of a rogue DHCP server

9.6.3.1 DHCP Scope Exhaustion
A malicious client may attempt to seize the entire range of available IP addresses.

The DHCP protocol itself does not contain any mechanism to prevent this from happening.

The malicious client simply needs to generate uniquely identifiable packets, which can be achieved
by using random source MAC addresses and then sending a DHCPDISCOVER per forged MAC
address.

When the DHCP server receives the DHCPDISCOVER messages it allocates an IP per message.
If enough DHCPDISCOVER messages are generated the DHCP IP address pool may be
exhausted.
Once the address pool has been exhausted, any incoming DHCPDISCOVER messages from
legitimate clients will not be serviced.

DHCP Scope Exhaustion can be prevented through the use of the Port Security feature. With the
port security feature it is possible to limit the number of MAC addresses sourced from a
particular port. If there are any additional MAC addresses learnt on that port the port is shut
down and the attack is prevented.

However, there are tools readily available which can send multiple DHCPDISCOVER messages
using a single source MAC, thus avoiding the Port Security protection mechanism.

This is done by randomizing a field in the DHCP packet called the Client Hardware Address
field while using a single unique Ethernet source MAC address.

From the DHCP perspective each DHCPDISCOVER message which contains a unique MAC
address constitutes a single valid request.

From the switch perspective a single MAC address is learned on the user’s port.

To thwart this type of attack Cisco has developed a mechanism called DHCP Snooping. With
DHCP Snooping the switch can inspect the contents of the DHCP packet and identify normal
behaviour.

DHCP Snooping will drop any packets where the packet is received on an untrusted interface,
and the source MAC address and the DHCP client hardware address do not match.

9.6.3.2 Rogue DHCP Server


A malicious DHCP user may try to exploit the DHCP mechanism by installing a rogue DHCP
server on a LAN segment.

Once the rogue DHCP server is on the LAN segment it receives, by default, all the
DHCPDISCOVER messages from clients seeking to acquire an IP address.

Both the legitimate and rogue servers will receive the DHCPDISCOVER message. At this point
we have what is known as a race condition between the rogue DHCP server and the legitimate
server.

As the rogue server is usually closer in proximity to the clients it will be the one which assigns
the IP address to the client.

When a client receives multiple DHCPOFFER messages it will use the first one it receives.

DHCP Snooping will be used to prevent these types of attacks. When DHCP Snooping is
configured, hosts are configured as untrusted. From the DHCP perspective hosts have no reason
to generate DHCPOFFER or DHCPACK messages; they are only supposed to issue
DHCPDISCOVER and DHCPREQUEST messages.

If a rogue DHCP host does generate a DHCPOFFER and DHCPACK message, the Access Switch
blocks the DHCPOFFER (and DHCPACK and DHCPNAK) messages from the attacker’s port
because the DHCPOFFER originates from an untrusted port on the Access Switch.

To protect from Wireless Rogue DHCP attacks, the WLC manages all DHCP requests from clients
and acts as a DHCP relay agent. DHCP requests from WLAN clients are not broadcast back
out to the WLAN; they are unicast from the WLC to a configured DHCP server. This
protects other WLAN clients connected to the WLC from rogue DHCP server attacks.

9.6.3.3 DHCP Snooping Configuration guidelines

The following are the configuration guidelines for DHCP snooping.

• DHCP Snooping will be configured on the Access Switch alone
    o DHCP Snooping will not be enabled on the Core Switch as Rogue Servers
      will not receive DHCP requests from other clients. The Wireless LAN
      Controller internal mechanism does not permit broadcasts from one
      wireless user to reach another
• DHCP Snooping will be enabled globally on the Access Switch
    o Enabling DHCP Snooping globally is part of the configuration procedure.
• DHCP Snooping will be configured on all data VLANs
    o Any DHCP attacks will originate from the data VLANs as this is where the
      users are connected
• DHCP Snooping will not be configured on the Access Point VLAN
    o If a wireless user was to attempt a DHCP attack it would not be prevented if
      DHCP Snooping was configured on the Access Point VLAN. The Access
      Point encapsulates all data from the Access Point into a CAPWAP tunnel
      and forwards as a Layer 2 Ethernet frame to the WLC. DHCP Snooping
      does not have the ability to look inside the CAPWAP frame and identify the
      attack.
• The Access Switch uplinks to the Core Switch will be configured as Trusted
  Interfaces
    o Trusted Interfaces are the only interfaces from which DHCP server
      messages are permitted. As the Core Switch will be acting as the DHCP
      server the Access Switch uplink ports will be configured to trust incoming
      DHCP server messages from the Core Switch.
• All Access Switch Access Ports connecting to clients will be untrusted ports.
    o Untrusted ports are not permitted to send DHCP server messages and as
      such this will protect the network from rogue DHCP servers.

DHCP Snooping will be configured only on the Access Layer as this is where all wired users will
connect.

9.6.4 IP Source Guard


IP Source Guard is a security feature that restricts IP traffic on non-routed, Layer 2 interfaces by
filtering traffic based on the DHCP Snooping binding database and on manually configured IP
source bindings. IP Source Guard will prevent traffic attacks caused when a host tries to use the
IP address of its neighbour.

IP Source Guard is enabled when DHCP Snooping is enabled on an untrusted interface. After IP
Source Guard is enabled on an interface, the switch blocks all IP traffic received on the interface,
except for DHCP packets allowed by DHCP Snooping. A port Access Control List (ACL) is
applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP
source binding table and denies all other traffic.

The IP source binding table has bindings that are learned by DHCP Snooping or are manually
configured (static IP source bindings). An entry in this table has an IP address, its associated
MAC address, and its associated VLAN number. The switch uses the IP source binding table
only when IP Source Guard is enabled.

IP Source Guard is supported only on Layer 2 ports, including Access and Trunk ports. IP Source
Guard is configured with either source IP address filtering or with source IP and MAC address
filtering.

When IP Source Guard is configured to look at both the source MAC and IP address, IP traffic is
filtered based on the source IP and MAC addresses. The switch only forwards traffic when the
source IP and MAC addresses match an entry in the IP source binding table.

When IP Source Guard with source IP and MAC address filtering is enabled, the switch filters
IP and non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP
source binding, the switch forwards the packet. The switch drops all other types of packets
except DHCP packets.

The switch uses Port Security to filter source MAC addresses. The interface can shut down when
a Port Security violation occurs.

• When IP Source Guard with source IP and MAC address filtering is required, DHCP
Snooping and Port Security must be enabled on the interface.

Note: When IP Source Guard is enabled in IP and MAC filtering mode (port security option
displayed above), DHCP Snooping option 82 must be enabled on access and supported
by the DHCP server to ensure that the DHCP protocol works properly. Without option 82
data, the switch cannot locate the client host port to forward the DHCP server reply.
Instead, the DHCP server reply is dropped and the client cannot obtain an IP address.

IP Source Guard will be configured on the Access Switches with source IP filtering. MAC address
filtering is not used, because the Port Security feature, which is also enabled on the
Access Ports, will protect against any MAC spoofing attacks.

9.6.5 Dynamic ARP inspection


Dynamic ARP inspection will be deployed in the Access Layer only. The Access Layer is where
all the wired users will connect. This will prevent wired users from poisoning other users' ARP
caches.

The Wireless LAN Controller prevents users from broadcasting gratuitous ARP messages to each
other and therefore users cannot poison each other’s ARP caches.
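
The forwarding decisions described in 9.6.4 and 9.6.5, as an added example that is not part of the LLD or of Cisco's implementation: a small Python model of the IP source binding table, IP Source Guard in both filtering modes, and the Dynamic ARP Inspection check against the same table. The addresses, port names and the per-port field on each binding are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str  # assumption: the access port the binding was learned on


@dataclass(frozen=True)
class Frame:
    port: str
    vlan: int
    src_mac: str
    src_ip: Optional[str] = None  # None models a non-IP frame
    is_dhcp: bool = False


# Constructed binding table: two hosts in one data VLAN.
BINDINGS = (
    Binding("10.1.128.10", "0000.5e00.5310", 10, "Gi1/0/1"),
    Binding("10.1.128.11", "0000.5e00.5311", 10, "Gi1/0/2"),
)


def port_bindings(port, vlan, bindings):
    """Bindings that apply to one port and VLAN (the port ACL is per interface)."""
    return [b for b in bindings if b.port == port and b.vlan == vlan]


def ipsg_permits(frame, bindings, mode="ip"):
    """Return True if IP Source Guard would forward the frame.

    mode "ip"     : source IP filtering (the mode chosen for the Access Switches)
    mode "ip-mac" : source IP and MAC filtering
    """
    if frame.is_dhcp:
        return True  # DHCP is allowed through by DHCP Snooping
    candidates = port_bindings(frame.port, frame.vlan, bindings)
    if mode == "ip":
        if frame.src_ip is None:
            return True  # IP-only mode does not filter non-IP traffic
        return any(b.ip == frame.src_ip for b in candidates)
    if mode == "ip-mac":
        if frame.src_ip is None:
            return any(b.mac == frame.src_mac for b in candidates)
        return any(b.ip == frame.src_ip and b.mac == frame.src_mac
                   for b in candidates)
    raise ValueError("mode must be 'ip' or 'ip-mac'")


def dai_permits(port, vlan, sender_ip, sender_mac, bindings):
    """Return True if an ARP packet's sender IP/MAC pair matches a binding."""
    return any(b.ip == sender_ip and b.mac == sender_mac
               for b in port_bindings(port, vlan, bindings))


def demo():
    legit = Frame("Gi1/0/1", 10, "0000.5e00.5310", "10.1.128.10")
    neighbour_ip = Frame("Gi1/0/2", 10, "0000.5e00.5311", "10.1.128.10")
    other_mac = Frame("Gi1/0/1", 10, "0000.5e00.53ff", "10.1.128.10")
    return {
        "legit, ip mode": ipsg_permits(legit, BINDINGS, "ip"),
        "neighbour's IP, ip mode": ipsg_permits(neighbour_ip, BINDINGS, "ip"),
        "valid IP, unknown MAC, ip mode": ipsg_permits(other_mac, BINDINGS, "ip"),
        "valid IP, unknown MAC, ip-mac mode": ipsg_permits(other_mac, BINDINGS, "ip-mac"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'forward' if verdict else 'drop'}")
```

The third case shows why the design pairs source IP filtering with Port Security: in IP-only mode a frame with a bound IP but an unknown MAC passes IP Source Guard, so the MAC limit has to come from Port Security.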

9.6.6 Port security


Port security will be deployed on Access Ports as well as ports with an auxiliary (Voice) VLAN.
This will limit the number of MAC addresses which can be used on an Access Port.


Note: Three MAC addresses should be allowed when an IP phone is connected to the secure port.
The IP phone contains a processor connected to an internal switch. That processor uses a
MAC address when it sends traffic. When the phone boots, the IP phone attempts to
discover (using CDP) the voice and data VLAN mappings. To do so, the phone generates
frames by using its MAC in the data VLAN, which is, at this point, the only VLAN of
which the phone is aware. Therefore, the switch temporarily sees three MAC addresses on
the port.

Automatic error disable recovery mechanisms will not be enabled. Therefore, if a port goes into
shutdown/err-disable mode due to a violation, it has to be re-enabled manually after correcting
the cause of the violation.

This will bring the violation to the attention of the network administrator.

9.6.7 Additional Security Features


The following sections will provide further details and solutions regarding the attacks mentioned
below:

• 802.1Q and ISL Tagging attack
• Double Encapsulated 802.1Q Nested Attack
• ARP Attack

9.6.7.1 MAC Flooding Attacks


MAC flooding will be prevented using the port security feature. Port security limits the number
of MAC addresses that can be used by a single port. Therefore no user can send a MAC flooding
attack into the network to consume the hardware resources.

9.6.7.2 802.1Q and ISL Tagging attack


The behaviour of DTP can be exploited by a malicious user to create a trunk port and thus gain
access to other VLANs.

All user-facing ports will be hard-coded as Access Ports and placed in a static VLAN. This
silently drops DTP frames at the port level with no performance impact. With DTP frames
dropped, attempts to force the port into becoming a trunk fail.

9.6.7.3 Double Encapsulated 802.1Q Nested Attack


802.1Q trunk ports carry both tagged and untagged frames. Frames transmitted on the trunk
without any 802.1Q tags are sent via the native VLAN. A protocol that uses the native VLAN is
802.1D. This ensures compatibility with switches that do not run a per-VLAN spanning tree
(PVST). Bridge Protocol Data Units (BPDU) exchanged over the native VLAN serve as the basis
for a lowest common denominator loop-free topology. Another typical application includes Cisco
IP phones where the data originating from a device attached to the phone is untagged in a given
data VLAN while voice traffic arrives tagged on the switch port.

Malicious users may attempt to move from one VLAN to another (VLAN hopping) using the
concept behind the native VLAN.

The following protection mechanisms will be enabled in the ADEC network to protect against
double encapsulated 802.1Q nested attacks.

• The native VLAN will not be cleared from the list of VLANs allowed across the trunk.

• There are several “system” protocols (CDP, STP, etc.) which rely on the presence of the
native VLAN to function properly, and protocol-level compatibility between switches
might no longer be guaranteed without the native VLAN.

• The native VLAN will not be used on Access Ports.

• The native VLAN traffic will be tagged as it crosses the trunks between the switches.

• VLAN tagging will be configured on the Core Switch and Access Switches globally.

• Native VLAN tagging on the trunk port between the Core Switch and the WLC will be
disabled, as the WLC does not support native VLAN tagging. If Native VLAN tagging
were to be configured on the Core Switch and not on the WLC, native VLAN mismatches
would be detected on the Core Switch. The native VLAN tagging will be disabled on the
port-channel and the configuration will be replicated to the member ports.

Additional information regarding tagging the native VLAN can be found in the section
“Enhanced VLAN Security”.

9.6.7.4 ARP Attack


ARP attacks, known as ARP poisoning and ARP spoofing, exploit the fact that ARP messages
are not authenticated. The aim of these types of attacks is to sniff packets
sent to a particular host.

ARP attacks will be mitigated using Dynamic ARP Inspection which makes use of the DHCP
Snooping binding database. Please see the Dynamic ARP inspection and DHCP snooping
sections for further information.

9.7 Network Services


The Network Services in the ADEC school site network infrastructure include DHCP, DNS and NTP.

DHCP services will be provided by a local “server”. The local “server” will be the local Core
Switch which will be used to provide IP addresses to WLAN Access Points as well as wired and
wireless clients.

9.7.1 DHCP

End user devices, such as the PCs in the IT Lab and staff laptops, will receive IP addresses from
the DHCP service running on the Core Switch.

The school site Core Switch DHCP solution will provide client devices with the IP address of the
existing DNS servers hosted in the ADEC HQ Data Centre.

The following rules will be followed in allocating DNS server addresses to clients via DHCP:

• Clients on a subnet which is an even number (e.g. 10.1.128.x) will be configured with
Primary DNS 10.254.100.22, Secondary 10.212.100.22
• Clients on a subnet which is an odd number (e.g. 10.1.129.x) will be configured with
Primary DNS 10.254.100.21, Secondary 10.212.100.21
• Clients on a WLAN subnet which is an even number (e.g. 10.2.192.x) will be configured
with Primary DNS 10.254.100.22, Secondary 10.212.100.22
• Clients on a WLAN subnet which is an odd number (e.g. 10.2.193.x) will be configured with
Primary DNS 10.254.100.21, Secondary 10.212.100.21

Note: Cisco recommends using a centralized DHCP server. As ADEC currently do not have a
centralized DHCP server, the Core Switch will function as the DHCP Server as an interim
solution.

9.7.2 DHCP Relay


As the Core Switch is providing the DHCP service, a DHCP relay agent is not required.

The DHCP relay agent will be configured on the Core Switch when a centralized DHCP server is
procured. The DHCP relay agent will be enabled on the Core Switch's Switch Virtual Interfaces.
The Switch Virtual Interface is the first Layer 3 hop and its role is to take the broadcast DHCP
request and forward it as a unicast IP packet to the DHCP server.

9.7.3 DHCP for the APs


The Core Switch will provide DHCP services for the Wireless Access Points in the ADEC school
sites.

Therefore, the school site Core Switch will be used to provide IP addresses to WLAN Access
Points.

Cisco Aironet Access Points use the Type-Length-Value (TLV) format for DHCP option 43.
DHCP servers must be programmed to return the option based on the access point’s DHCP
Vendor Class Identifier (VCI) string (DHCP Option 60).

The HEX string provides the WLC IP address to the AP in HEX format. As this is different in
each school the HEX string must be tuned per school.

The calculation for defining the Hex string values is detailed below:

Figure 11 Option 43 Hex String

option 43 hex <hex string>

The hex string is assembled by concatenating the TLV values shown below:

Figure 12 Hex String Components

Type + Length + Value

The table below provides further information regarding each of the Hex string components.

Table 33 Hex String Components

Hex String Component    Description
Type                    Always f1 (Hex)
Length                  The number of controller management IP addresses times 4, in hex
Field                   The IP address of the controller listed (Hex)

For example, suppose that there are two controllers with the management interface IP addresses
listed below.

 10.126.126.2
 10.127.127.2.

The table below depicts the component values for the above IP addresses.

Table 34 Hex String Example

Hex String Component    Value (Hex)
Type                    f1
Length                  08
Field                   0a7e7e02
                        0a7f7f02
Hex String              f1080a7e7e020a7f7f02
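
Because the hex string has to be recalculated for every school, the calculation in Tables 33 and 34 can be scripted and checked in both directions. The following is an added example, not part of the LLD: the function names are hypothetical, and the parser rejects strings whose type, length or value do not agree, which is the usual result of a typing error in a hand-built string.

```python
import ipaddress

OPTION43_TYPE = 0xF1  # Table 33: the Type is always f1


def build_option43(wlc_ips):
    """Return the option 43 hex string for a list of WLC management IPv4 addresses."""
    if not wlc_ips:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    # Type + Length + Value, where Length = number of controllers * 4
    return (bytes([OPTION43_TYPE, len(value)]) + value).hex()


def parse_option43(hex_string):
    """Decode a hex string back into controller addresses, rejecting malformed TLVs."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 2 or raw[0] != OPTION43_TYPE:
        raise ValueError("type byte is not f1")
    length, value = raw[1], raw[2:]
    if length != len(value):
        raise ValueError(f"length byte says {length}, value has {len(value)} bytes")
    if length == 0 or length % 4:
        raise ValueError("value is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, length, 4)]


def option43_line(wlc_ips):
    """Render the line in the form shown in Figure 11."""
    return f"option 43 hex {build_option43(wlc_ips)}"


if __name__ == "__main__":
    # The two controllers used in the example above Table 34.
    print(option43_line(["10.126.126.2", "10.127.127.2"]))
    print(parse_option43("f1080a7e7e020a7f7f02"))
```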

9.7.4 DNS
The domain name lookup feature available in Cisco IOS will not be enabled.

‘ip domain lookup’ is enabled by default in Cisco IOS devices. The domain lookup
feature in every IOS device will be disabled.

The ‘ip domain lookup’ feature will attempt to execute a domain lookup for CLI commands
which are not Cisco IOS commands. Entering non-IOS commands into the CLI can happen in
two cases.

1. User is attempting a genuine DNS lookup
2. User has mistyped a Cisco IOS command

ADEC will not use the IOS devices to perform DNS resolution and as such the ‘ip domain
lookup’ feature will be disabled.

The Infrastructure devices will be configured with the ADEC internal network domain name.
The ADEC domain name is:

Figure 13 ADEC Domain name

adec.ae

9.7.5 NTP
Network Time Protocol (NTP) is used to synchronize the clocks of all network infrastructure and
wireless infrastructure devices across a network. The local NTP client, which runs on the device,
accepts time information from other remote time servers and adjusts its clock accordingly.
Synchronization of the clocks within a network is critical for the correct interpretation of events.
The following considerations have been made for the deployment of NTP in ADEC school sites:

• Define a trusted time source and configure all devices as part of an NTP hierarchy.
• ACLs will be used on the Core Switch to specify which network devices are allowed to
synchronize with which other network devices.

Note: The NTP server in the Core and Access switches should be used for network infrastructure
components only. For stability reasons, it is not recommended to use the Core Switch as the NTP
server for all user clients (NTP polling requires CPU cycles).

9.7.5.1 NTP Hierarchy


The Data Centre will synchronize itself with an NTP source on the Internet. The Data Centre will
have a stratum level of 3.

The Core Switches in the school sites will peer with the Data Centre NTP server. The Core Switch
will have a stratum level of 4.

The Access Switches will peer with the school site Core Switch and will have a stratum level of 5.

Table 35 NTP Table with NTP Source and Stratum Levels

Node                         Stratum Level    NTP Source
Data Centre                  3                ADNET
school site Core Switch      4                Data Centre
school site Access Switch    5                Core-Distribution Switch

9.8 Access Network Design


The Access Network Design of ADEC consists of Layer 2 Trunking, Etherchannel, VTP and STP
configurations.

9.8.1 Trunking

In the ADEC network, trunk configuration exists between:

• Catalyst 4507R-E Core Switch and the Catalyst C3850-F-S Access Switches.
• Catalyst C3850-F-S Access Switch (Stack Origin) and C3850-F-S Access Switch (Stack
Extension).
• Catalyst 4507R-E Core Switch and the Wireless LAN controller.

All trunks will be configured as 802.1Q trunks.

9.8.1.1 802.1Q Trunk Configuration


802.1Q has been selected for trunks in the ADEC network based upon the following rationales:

• Standards-based
• Less overhead

The Core Switch with the SUP6L-E supervisor does not support ISL trunking and hence it is not
required to specify dot1q trunking. This is different to the Access Switch where dot1q must be
specified.

9.8.1.2 Allowed VLANs on a trunk


When configuring a switch port as an 802.1Q trunk, by default all VLANs will be allowed. From
both a security and a scalability point of view, it is very important to clear out VLANs
that are not needed on a specific interface.

Only required VLANs will be allowed onto the trunks. All other VLANs will be removed.

The allowed VLAN list will be enabled directly on the Etherchannel. This will ensure consistency
of VLANs allowed across the Etherchannel links.


Note: The native VLAN will be allowed over the trunk. In the ADEC network VLAN 999 will be
the native VLAN.

9.8.1.3 Enhance VLAN Security


The native VLAN will be changed to an unused VLAN to enhance VLAN security.

By enabling Native VLAN tagging on the switch, egress Native VLAN traffic will be tagged and
the switch will drop untagged Native VLAN traffic on ingress.

If this option is enabled on one switch and disabled on another switch, all traffic is dropped;
the option must be configured the same on all switches.

9.8.2 Etherchannel
Etherchannels will be configured between the following devices:

• Core Switch and WLC
• Core Switch and Access Switch

Bundling the physical links into a single Etherchannel maximises the bandwidth available in the
network.

9.8.2.1 Etherchannel Numbering


The following numbers will be reserved for use by Etherchannels.

• 10 for the Etherchannel between the Core Switch and WLC
• 10 for the Etherchannel between the Access Switch (Stack Origin) and Access Switch
(Stack Extension).
• 11-20 reserved for the Etherchannel between the Core Switch and Access Switch

9.8.2.2 Etherchannel between Core Switch and Access Switch


An Etherchannel will be provisioned between the Core Switch and every Access Switch or switch
stack.

The Etherchannel will consist of two x 1 Gbps links.

LACP will be used in the Etherchannels as PAgP does not support cross-stack EtherChannels.
This is a limitation with the PAgP implementation in IOS.

Note: Cisco IOS software creates port-channel interfaces for Layer 2 Etherchannels when you
configure Layer 2 Ethernet interfaces with the channel-group command.

9.8.2.3 Etherchannel between Access Switch (Stack Origin) and Access Switch (Stack Extension)

An Etherchannel will be provisioned between the Access Switch (Stack Origin) and Access
Switch (Stack Extension).

The Etherchannel will consist of two x 1 Gbps links.

LACP will be used in the Etherchannels as PAgP does not support cross-stack EtherChannels.
This is a limitation with the PAgP implementation in IOS.

Note: Cisco IOS software creates port-channel interfaces for Layer 2 Etherchannels when you
configure Layer 2 Ethernet interfaces with the channel-group command.

9.8.2.4 Etherchannel between Core Switch and WLC


The Wireless LAN Controller will be located at the Distribution Layer and connected to the Core
Switch. In the ADEC school site implementation, the 4 x 1 Gbps connections from the Wireless
LAN Controller will be connected to the SFP line cards on the Core Switch using the GLC-T
(RJ-45) connectors.

This Etherchannel will be configured in the “on” mode as neither PAgP nor LACP is supported on
the Wireless LAN Controller.

The Etherchannel member ports will be spread over two line cards for redundancy purposes.

The Core Switch ports will be configured as 802.1Q trunk ports. When configuring trunking on
the Core Switch, only the required VLANs will be allowed on the trunk. The required VLANs
will consist of those supporting the Wireless LAN Controllers’ AP-Manager interface,
Management interface, Native VLAN and all client Wireless LANs (WLANs).

All unneeded VLANs will be pruned from the trunks. Pruning unneeded VLANs allows the
WLC to process only relevant frames, resulting in improved performance.

9.8.2.5 Etherchannel Guard


Misconfiguration of an Etherchannel may create a spanning-tree loop. This misconfiguration
can overwhelm the switch processor. Cisco IOS system software includes the spanning-tree
etherchannel guard misconfig feature in order to prevent this issue.

The etherchannel guard misconfig feature will be enabled in order to detect any
misconfigurations.

9.8.3 Access Port


There are three types of Access Ports.

• Data/Voice Port
• CCTV Port
• Access Point Port

All Access Ports will be configured with static mode access as well as being configured with
spanning tree portfast. If ports were not configured as static mode access and were left to negotiate
their mode, it would be possible for a user to connect to a port and negotiate a trunk mode with the
switch. This user would then have full access to the VLANs configured on that switch.

The list below provides further detail for each type of port.

• The Data/Voice ports will be configured with a data VLAN and Voice VLAN.
• The CCTV Access ports will be configured with a single VLAN.
• The Access Point ports will be configured with a single VLAN.
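
A way to check that an Access Switch configuration follows the access port rules above together with the Port Security and IP Source Guard decisions in 9.6.4 and 9.6.6, given as an added example that is not part of the LLD. The configuration text is constructed, and the command spellings are common Cisco IOS forms that can differ between platforms and releases, so both are assumptions.

```python
import re

# Accepted spellings of the PortFast command (assumption: varies by release).
PORTFAST_FORMS = {"spanning-tree portfast", "spanning-tree portfast edge"}

# Constructed sample, not taken from any ADEC device.
SAMPLE = """\
errdisable recovery cause psecure-violation
!
interface GigabitEthernet1/0/1
 description data/voice port
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security maximum 3
 switchport port-security
 ip verify source
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description data/voice port
 switchport access vlan 10
 switchport mode dynamic desirable
 switchport voice vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description CCTV port
 switchport access vlan 30
 switchport mode access
 switchport port-security
 ip verify source
 spanning-tree portfast
!
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 channel-group 11 mode active
!
"""


def parse_interfaces(config):
    """Split IOS-style text into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        match = re.match(r"interface\s+(\S+)", raw)
        if match:
            current = blocks.setdefault(match.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command closes the block
    return blocks


def is_user_facing(name, cmds):
    """Trunks, bundle members and logical interfaces are out of scope."""
    if name.lower().startswith(("port-channel", "vlan")):
        return False
    return not any(c == "switchport mode trunk" or c.startswith("channel-group")
                   for c in cmds)


def audit_port(cmds):
    """Return the findings for one user-facing port."""
    findings = []
    if "switchport mode access" not in cmds:
        findings.append("not static access: the port could negotiate a trunk")
    if not PORTFAST_FORMS & set(cmds):
        findings.append("PortFast not configured")
    if "switchport port-security" not in cmds:
        findings.append("port security not enabled")
    if not any(c.startswith("ip verify source") for c in cmds):
        findings.append("IP Source Guard not enabled")
    if any(c.startswith("switchport voice vlan") for c in cmds):
        maximum = 1  # IOS default when no maximum is configured
        for c in cmds:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", c)
            if m:
                maximum = int(m.group(1))
        if maximum != 3:
            findings.append(f"voice port allows {maximum} MAC address(es), expected 3")
    return findings


def audit(config):
    """Audit every user-facing port plus the err-disable recovery setting."""
    report = {name: audit_port(cmds)
              for name, cmds in parse_interfaces(config).items()
              if is_user_facing(name, cmds)}
    if re.search(r"^errdisable recovery cause", config, re.M):
        report["global"] = ["automatic err-disable recovery is enabled"]
    return report


if __name__ == "__main__":
    for target, findings in audit(SAMPLE).items():
        print(target, "->", findings or "OK")
```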

9.8.4 VTP

The network devices will be configured with VTP mode transparent for definitive configuration.
Configuring VTP mode as transparent will remove the possibility of a user accidentally deleting
VLANs via a misconfiguration or when provisioning new switches.

9.8.5 Spanning Tree Protocol (STP)


Rapid Per-VLAN Spanning Tree (Rapid PVST+) will be used in the ADEC environment. This will be
implemented to provide faster convergence.

ADEC has a loop-free topology; however, STP will be configured to protect against accidental
loops being created, for instance if a loop is created at the port.

9.8.5.1 VLAN Stability


The Core Switch will act as the root for all the VLANs for a school. In the current network
architecture this does not provide significant benefits as the network topology is loop free.
However if, in the future, additional switches are added and the topology moves to a looped
design, then having the root for all VLANs on the Core Switch will ensure optimal traffic flow.

9.8.5.2 PortFast

All Access Ports will be configured with STP PortFast. This will allow the end devices to
immediately connect to the network, rather than waiting for spanning tree to converge.

9.8.5.3 Bridge Protocol Data Unit (BPDU) Guard


BPDU guard will be used only on Access Switches and never on Core Switches. BPDU guard
will be configured globally and will only be effective on ports in the operational PortFast state.

In a valid configuration, PortFast Layer 2 LAN interfaces do not receive BPDUs. Reception of a
BPDU by a PortFast Layer 2 LAN interface signals an invalid configuration, such as connection of
an unauthorized device.
BPDU Guard provides a secure response to invalid configurations because the administrator
must manually put the Layer 2 LAN interface back in service.

9.8.5.4 LoopGuard
The LoopGuard feature provides additional protection against Layer 2 forwarding loops (STP
loops). An STP loop is created when an STP blocking port in a redundant topology erroneously
transitions to forwarding state. This usually happens because one of the ports of a physically
redundant topology (not necessarily the STP blocking port) stopped receiving STP BPDUs. In its
operation, STP relies on continuous reception or transmission of BPDUs, depending on the port
role (designated port transmits, root port receives BPDUs).

When one of the root ports in a physically redundant topology stops receiving BPDUs, STP
perceives the topology as loop free. Eventually, the blocking port (the alternate or backup
port) becomes designated and moves to the forwarding state, thus creating a loop.

With LoopGuard enabled, an additional check is made. If BPDUs are no longer received on a root
port and LoopGuard is enabled, that port will be moved into the STP loop-inconsistent blocking
state instead of moving to the listening / learning / forwarding state. Without LoopGuard, the
port would assume the designated port role. The port would move to STP forwarding state, and
thus create a loop.

The LoopGuard feature will be enabled on root and alternate ports for all possible combinations
of active topologies. Activating LoopGuard on root and alternate ports will be “automated” by
configuring the feature globally in which case we apply it automatically to all VLANs and all
non-designated ports.

9.8.5.5 UniDirectional Link Detection (UDLD)


By default UDLD is disabled on both the Cisco Catalyst C3850-F-S and the Cisco Catalyst
4507R-E. UDLD will be enabled globally on both the Access Switches and the Core Switch. When
UDLD is enabled globally on the Core Switch, by default it is enabled on all fiber ports. However,
when UDLD is enabled globally on the Access Switch it is not by default enabled on fiber ports
and will hence have to be enabled manually.

UDLD will be enabled in Aggressive mode. Aggressive mode UDLD detects more types of
unidirectional failures than Normal mode UDLD.

Note: UDLD needs to be enabled on both Core and Access switches.
If UDLD detects an inconsistency, the port is transitioned to ‘err-disable’ state, and manual
action is needed to re-activate the port.

9.8.5.6 Extended System-id


For switches configured with extended system-id running Rapid PVST+, the VLAN IDs are
carried inside the BPDU. To support this, the 16 bits that previously provided the bridge
priority value are split: 4 bits remain for the bridge priority, and the other 12 bits are
released to carry the VLAN ID.

Note: Extended system-id is enabled by default on Catalyst C3850-F-S
switches. As the extended system-id is enabled by default, no further action is required.

9.8.6 Speed and Duplex Setting


The Core Switch and Access Switch port speed and duplex settings will be left to the default
values of auto negotiate. This will prevent any duplex mismatches occurring. The port speed
and duplex are configured at the interface level.

9.9 Infrastructure Management


The schools' network infrastructure will be managed via the Management VLAN by a remote
Network Management System (NMS) located in the Data Centre.

SNMPv3 and SSH will be used to manage the devices; access to the management VLAN will be
protected by an ACL.

9.9.1 MGMT VLAN


All infrastructure devices, i.e. Access Switches and the Core Switch, will be managed via a
Management VLAN. VLAN 100 has been designated as the Management VLAN. Having a single
VLAN for management simplifies the security configuration of the infrastructure devices. A
single ACL will be used to secure the network infrastructure devices from being accessed from
anywhere other than the network administrators' LAN.

A management Switch Virtual Interface (SVI) will be configured on each Access Switch.

The WLC and the Access Switches will contain a default gateway which will point towards the IP
address configured on the Core Switch management SVI.

9.9.2 Simple Network Management Protocol


SNMPv3 will be configured in the ADEC network. The network devices will not be configured
to send SNMP traps as per the ADEC requirement.

9.9.3 Logging
Log Severity Levels - When logging, it is important to capture the necessary amount of
information. The granularity of detail in logging information can also be configured to one of
eight levels, as shown below:

Table 36 Logging Levels

Level    Name             Description
0        Emergencies      Router unusable
1        Alerts           Immediate action required
2        Critical         Condition is critical
3        Errors           Error condition
4        Warnings         Warning condition
5        Notifications    Normal, but important event
6        Informational    Informational message
7        Debugging        Debug message

The lower the level number, the higher the severity level. A good level of general logging for
everyday information capture is “informational”. Additional detail can be captured with the
“debug” level, but should only be used temporarily for specific situations. Debug logging levels
can become extremely processor intensive thereby impacting system performance.

The logging level will be set to capture warning and critical events. These events can be captured
by using IOS logging level 4.

9.9.3.1 Timestamp Service


Timestamps will be enabled for log messages, which will facilitate interpretation of the messages
for troubleshooting and investigating network attacks.

With the date/time correctly set on the router, the timestamps provide the proper day/time of
the log messages. The date and time will be synchronised from the NTP server.

Sequence numbers will be enabled which indicate the sequence in which messages that have
identical time stamps were generated. Knowing the timing and sequence in which messages are
generated is an important tool in diagnosing potential attacks.
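
What logging level 4 retains, and how sequence numbers order messages that share a timestamp, can be checked against sample buffer output. This is an added example, not part of the LLD: the log lines are constructed in the usual IOS `%FACILITY-SEVERITY-MNEMONIC` layout, and the line format, the mnemonics and the year (which the lines do not carry) are assumptions.

```python
import re
from datetime import datetime

LINE = re.compile(
    r"(?P<seq>\d+): (?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")

# Constructed sample; two lines share a timestamp and are out of order.
SAMPLE_LOG = [
    "000101: Feb 12 09:14:03.120: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin]",
    "000102: Feb 12 09:15:40.500: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up",
    "000104: Feb 12 09:16:02.010: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state",
    "000103: Feb 12 09:16:02.010: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.53aa on port GigabitEthernet1/0/7.",
    "000105: Feb 12 09:20:11.000: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0",
    "000106: Feb 12 09:21:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netadmin]",
]


def parse(line, year=2018):
    """Parse one log line; returns None if it does not match the assumed layout."""
    m = LINE.fullmatch(line.strip())
    if m is None:
        return None
    return {
        "seq": int(m["seq"]),
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f"),
        "severity": int(m["sev"]),
        "tag": f"{m['facility']}-{m['sev']}-{m['mnemonic']}",
        "text": m["text"],
    }


def retained(lines, level=4):
    """Events at or above the severity of `level` (lower number = more severe),
    ordered by timestamp with the sequence number breaking ties."""
    events = [e for e in map(parse, lines) if e and e["severity"] <= level]
    return sorted(events, key=lambda e: (e["time"], e["seq"]))


def dropped_tags(lines, level=4):
    """Tags of the messages that the chosen level would not keep."""
    return [e["tag"] for e in map(parse, lines) if e and e["severity"] > level]


def err_disabled_ports(events):
    """(cause, port) pairs that need a manual re-enable."""
    found = []
    for e in events:
        m = re.match(r"(\S+) error detected on (\S+?),", e["text"])
        if e["tag"].endswith("ERR_DISABLE") and m:
            found.append((m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    kept = retained(SAMPLE_LOG, level=4)
    for e in kept:
        print(e["seq"], e["time"].time(), e["tag"])
    print("not retained:", dropped_tags(SAMPLE_LOG, level=4))
    print("manual re-enable needed:", err_disabled_ports(kept))
```

In this constructed sample the severity 5 login-success line is not retained at level 4, so the requirement to log successful logins is worth verifying against the level actually applied to the buffer.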

9.9.3.2 Buffered Logging


Cisco devices can store log messages in memory. The buffered data is available only from an
exec or enabled exec session, and it is cleared when the device reboots. This form of logging is
useful, even though it does not offer enough long-term protection for the logs.

A buffered value of 65536 will be used. It is possible to use a larger buffer size, however it is not
recommended as the buffer allocation comes from the system DRAM which is required for other
important functions.

9.9.3.3 Console Logging


This form of logging is not persistent; the device does not store messages printed to the console.
Although useful for troubleshooting from the console port, it is possible that excessive log
messages on the console could make it impossible to manage the device, even from the console.

Console logging will be disabled.

Console logging may later be enabled when required, such as during a debugging or
troubleshooting session.

9.9.3.4 Logging Login Success and Failure Attempts


All successful or failed login attempts will be logged locally on the device itself. Failed login
attempts to the Access Switch will be logged in the Access Switch buffer log. Failed login
attempts to the Core Switch will be logged in the Core Switch buffer log.

9.9.3.5 Logging Source

The Management VLAN IP address will be configured as the source of logging messages. This
will ensure that all logs are sourced from an IP in the same VLAN. In the future, if ADEC were
to procure a centralised Syslog, security policies could be applied to traffic based upon the
source VLAN.

9.9.4 Cisco Discovery Protocol (CDP)


CDP will be disabled on a per-interface basis for the following ports. This will prevent devices not
managed by ADEC from gleaning information about the network via CDP.

• Ports facing the service provider WAN Router.

CDP will be configured between devices which are managed by ADEC. CDP can simplify the
troubleshooting process and can also be used by NMS devices when discovering the network.
CDP will be permitted between the following devices only:

• Core Switch and Wireless LAN Controller
• Core Switch and Access Switch
• Access Switch and Wireless Access Point
• Access Switch and the Data/Voice ports

9.9.5 Disable Unneeded Services


The network devices will be configured to provide only those services that the network requires
and no more. Leaving unused network services enabled increases the possibility of those services
being used maliciously.

By default, Cisco routers support multiple TCP and UDP services to facilitate management and
integration into existing environments. For the ADEC school site implementation, services that are
not required will be disabled or access to them restricted to reduce overall security exposure.

9.9.5.1 Small Servers


TCP and UDP small servers will be disabled. This is done to reduce the exposure to any attacks
and known bugs.

9.9.5.2 Finger Service


Cisco routers provide an implementation of the “finger” service, which is used to discover the
users that are logged into a device. The information it provides could be useful to an attacker.
The service is enabled by default. The finger service will be disabled.

9.9.5.3 IP Source Routing


IP Source Routing enables the sender of a datagram to specify the route the datagram will take en
route to its destination, and generally the route that any reply will take when returning to the
originator. Although enabled by default, source routing is rarely used and could be used by an
attacker.

IP source routing will be disabled on the WAN router. This will cause the router to drop any IP
packet that carries a source route option.

9.9.5.4 IP Directed Broadcasts

An IP Directed Broadcast is a datagram sent to the broadcast address of a subnet to which the
sending device is not directly attached. The directed broadcast is routed through the network as a
unicast packet until it arrives at the target subnet, where it is converted into a data-link-layer
broadcast.

IP Directed Broadcasts are rarely used for legitimate purposes, and are utilised in the “SMURF”
and other related attacks. The service is enabled in IOS versions prior to version 12.0 and
disabled in IOS versions greater than 12.0.

Directed broadcasts will be disabled on all interfaces.

9.9.5.5 IP Redirects

IP Redirect messages are enabled by default, and instruct an end device to use a specific router in
its path to a destination. By design, a router will send redirects only to hosts on its local subnet,
no end device will ever send a redirect, and no redirect will be sent more than one network hop
away. However, an attacker may violate these rules to launch an attack on a network. ADEC do
not require IP Redirects and as such they will be disabled on all network infrastructure devices.

9.9.5.6 PAD Service


Security Audit disables all Packet Assembler/Disassembler (PAD) commands and connections
between PAD devices and access servers whenever possible.

The PAD Service will be disabled on all network infrastructure devices.

9.9.5.7 HTTP Server

Cisco IOS has an inbuilt HTTP server to allow management from a Graphical User Interface
(GUI) front-end.

Although the IOS inbuilt HTTP server has its uses, this service will be disabled on all network
infrastructure devices.

9.9.5.8 DHCP Server


The DHCP server will be disabled on all of the ADEC Access Switches as it is not required.

Disabling the DHCP server or relay agent on devices will mitigate the potential for Denial of
Service (DoS) attacks.
The DHCP service on the Core Switch will be left enabled, as the Core Switch will act as a DHCP
server.

9.9.6 Enable Protection Services


Cisco routers and switches support a number of services that can be enabled on a device to
improve the overall security of a network. The services below have been reviewed in the context
of the ADEC network to ensure they will not adversely affect the operation of the network.

9.9.6.1 Enable TCP Keepalive Feature


Idle logged-in user sessions can be susceptible to unauthorized access and hijacking attacks. By
default, Cisco routers do not continually test whether a previously connected TCP endpoint is
still reachable. If one end of a TCP connection idles out or terminates abnormally (for example,
crashes or reloads), the opposite end of the connection may still believe the session is available.
These “orphaned” sessions use up valuable router resources. Attackers can take advantage of this
weakness to attack devices.
To mitigate this problem, the Cisco routers will be configured to send periodic keepalive
messages to ensure that the remote end of a session is still available. If the remote device fails to
respond to the keepalive message, the sending router will clear the connection. This immediately
frees router resources for other more important tasks.

TCP keepalives will be enabled on the WAN router.

9.9.6.2 TCP Synwait


Setting the TCP synwait time to 10 seconds causes the router to shut down an incomplete TCP
connection after 10 seconds, preventing the build up of incomplete connections to the host.

The TCP synwait time will be set to 10 seconds on the WAN router.

9.9.7 Preventing Unauthorized Access


9.9.7.1 Enable Secret
The enable secret command is used to set the password that grants enable access to the IOS
system.
All ADEC devices will be configured with an enable secret password. Additionally, since the
enable secret command simply implements an MD5 hash on the configured password, strong
passwords will be chosen to prevent dictionary attacks.

9.9.7.2 Service password-encryption


With the exception of the enable secret password, all IOS device passwords are by default stored
in clear text form within the device configuration.
Password encryption will be enabled on all network infrastructure devices.

9.9.7.3 Local Authentication


Local authentication will be configured on both the VTY lines as well as the device console.

Local usernames and passwords will be configured on the Access Switches and Core Switch for
authenticating users.

9.9.7.4 Restricting VTY access to NMS Subnet


As well as authenticating users accessing the network devices using local username and
passwords, access to the Virtual Terminal (VTY) will also be locked down to certain addresses
only.

Access via the VTY lines will be locked down to access from specific source addresses on the
NMS subnet in the ADEC Head Quarters.
9.9.7.5 Limiting Remote access to SSH
SSH will be permitted to manage the infrastructure devices.

9.9.7.6 Configuring SSH


The following SSH parameters will be configured:
1. SSHv2 will be used
2. SSH timeouts will be 5 minutes
3. All SSH access should be logged locally


Note: When prompted for the size of the RSA key modulus, specify a value greater than 768 bits as
this is a requirement to use SSHv2.


Note: The ADEC requirement for specifying a 5 minute timeout cannot be met as the maximum
SSH timeout value which can be specified is 120 seconds which is 2 minutes. It has
therefore been set to 120 to be as close to the requirement as possible.

9.9.7.7 Tiered Access Privileges


Tiered access privileges will be enabled using local configuration.

With tiered access privileges the network administrators can assign a username and password
with different privileges to network support staff. User accounts with the following privileges
will be configured.

• Privilege level 15
• Privilege level 0

Privilege level 15 will allow the user full unrestricted access to the device. This level of access is
given to senior network administrators only.

Privilege level 0 will allow the user full exec level access. No configuration changes are
permitted at exec level. At this level the user can issue show commands. This level of access is
given to network support staff.

9.9.8 Restricting Access using Access Control Lists (ACLs)


9.9.8.1 Management Subnet ACLs
The following security matrix will be implemented. The policy below will allow only the NMS
subnet and the Access Points to access the Management VLAN.

Table 37 Restricting Access to Management Subnet

VLAN    Subnet Permitted
100     NMS
100     AP

To enforce the above policy an ACL will be configured on the Management SVI on the Core
Switch.

9.9.8.2 Guest Access ACLs


The following security matrix will be implemented. The policy below allows guests access to
DNS and the Internet (via proxy) only.

Table 38 Restricting Guest Access

VLAN     Destination Permitted
Guest    Internet (via Proxy)
Guest    DNS

To enforce the above policy an ACL will be configured on the Guest SVI on the Core Switch.

9.9.9 Login Banners


For both legal and administrative purposes, configuring a system-warning banner to display
prior to login is a convenient and effective way of reinforcing security and general usage policies.
By clearly stating the ownership, usage, access, and protection policies prior to a login, future
potential prosecution becomes a more solidly backed case.

A login banner will be configured on every device stating that access is restricted.

9.9.10 Service Nagle

When using TCP to send keystrokes between machines, TCP tends to send one packet for each
keystroke typed, which can use up bandwidth and contribute to congestion on larger networks.

John Nagle's algorithm (RFC 896) helps alleviate the small-packet problem in TCP. The first
character typed after connection establishment is sent in a single packet, but TCP holds any
additional characters typed until the receiver acknowledges the previous packet. Then the
second, larger packet is sent, and additional typed characters are saved until the
acknowledgment comes back. The effect is to accumulate characters into larger chunks, and pace
them out to the network at a rate matching the round-trip time of the given connection.

The Nagle service will be enabled as a network optimization technique.
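
One way to check a WAN router's running-config against the hardening decisions in sections 9.9.5 to 9.9.10, as an added example (not code from this LLD or from Cisco). The sample config, its addresses, ACL number and interface name are constructed, and the IOS command forms it looks for are assumptions about how each decision appears in the config.

```python
import re

# Global commands this added WAN-router baseline expects, mapped to a finding.
REQUIRED_GLOBAL = {
    "no ip source-route": "IP source routing not disabled",
    "no service pad": "PAD service not disabled",
    "no ip http server": "HTTP server not disabled",
    "service tcp-keepalives-in": "TCP keepalives not enabled",
    "ip tcp synwait-time 10": "TCP synwait time is not 10 seconds",
    "service password-encryption": "password encryption not enabled",
    "ip ssh version 2": "SSHv2 not enforced",
    "ip ssh time-out 120": "SSH timeout is not 120 seconds",
    "service nagle": "Nagle service not enabled",
}

def parse_sections(config):
    """Split a running-config into global lines and {header: [sub-commands]}."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())  # indented: belongs to current block
        else:
            global_lines.append(line)
            current = line
            sections[current] = []
    return global_lines, sections

def audit(config):
    """Return findings in config order; an empty list means the baseline is met."""
    global_lines, sections = parse_sections(config)
    findings = [msg for cmd, msg in REQUIRED_GLOBAL.items() if cmd not in global_lines]
    if not any(g.startswith("enable secret ") for g in global_lines):
        findings.append("enable secret not configured")
    if not any(g.startswith("banner login") for g in global_lines):
        findings.append("login banner not configured")
    for header, body in sections.items():
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            # Disabled by default on current IOS, so any positive form is a deviation.
            if any(c.startswith("ip directed-broadcast") for c in body):
                findings.append(f"{name}: directed broadcasts enabled")
            # Redirects are on by default, so a routed interface needs the explicit 'no'.
            routed = any(c.startswith("ip address ") for c in body)
            if routed and "no ip redirects" not in body:
                findings.append(f"{name}: IP redirects not disabled")
        elif header.startswith(("line con", "line vty")):
            if "login local" not in body:
                findings.append(f"{header}: local authentication not configured")
            if header.startswith("line vty"):
                if "transport input ssh" not in body:
                    findings.append(f"{header}: remote access not limited to SSH")
                if not any(re.match(r"access-class \S+ in\b", c) for c in body):
                    findings.append(f"{header}: no inbound access-class")
    return findings

# Constructed sample config (documentation addresses, placeholder hash).
COMPLIANT = """\
service tcp-keepalives-in
service password-encryption
service nagle
no service pad
enable secret 5 CONSTRUCTED-HASH-PLACEHOLDER
no ip source-route
ip tcp synwait-time 10
no ip http server
ip ssh version 2
ip ssh time-out 120
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 no ip redirects
!
access-list 10 permit 198.51.100.0 0.0.0.255
banner login ^CAccess is restricted to authorised users.^C
!
line con 0
 login local
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

# Constructed drifted copy: four deviations from the baseline above.
WEAK = (COMPLIANT
        .replace("no ip source-route\n", "")
        .replace(" no ip redirects\n", " ip directed-broadcast\n")
        .replace("transport input ssh", "transport input telnet ssh")
        .replace("time-out 120", "time-out 60"))

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```

The same check can be pointed at a saved `show running-config` capture; the access switch and core switch profiles would need their own required-command sets, since the LLD applies some settings to the WAN router only.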

10. Wireless Infrastructure

10.1 Wireless Network Design Overview


The wireless LAN design is based on the Cisco Unified Wireless Network architecture. The Cisco
Unified Wireless Network is composed of two infrastructure elements that work together to
deliver a unified “enterprise class” wireless solution. The two infrastructure elements are
Mobility Platform and Network Unification.

Mobility Platform: Access Points dynamically configured and managed through Control And
Provisioning of Wireless Access Points (CAPWAP).

Network Unification: Wireless LAN Controller provides integration of the wired and wireless
network for unified network control, scalability, security and reliability.

The Access Points will utilize the Access Layer network to connect wireless clients to the ADEC
network infrastructure. The solution utilizes a centralized architecture, where the processing of
802.11 data and management protocols and Access Point capabilities is distributed between a
lightweight Access Point and a centralized Wireless LAN Controller as shown in the figure
below.

Figure 14 Split MAC Architecture

Time-sensitive activities, such as beacon handling, handshakes with clients, Media Access
Control (MAC) layer encryption, and Radio Frequency (RF) monitoring, are handled in the
Access Point. All other functions are handled in the Wireless LAN Controller, where system-
wide visibility is required. This includes 802.11 management protocol, frame translation, and
bridging functions, as well as system-wide policies for user mobility, security, QoS, and real-time
Radio Frequency (RF) management.

Communication between the Wireless LAN Controller and the lightweight Access Points is
enabled using the Control and Provisioning of Wireless Access Points protocol (CAPWAP).
CAPWAP also defines the tunneling mechanism for data traffic.

In the ADEC deployment, CAPWAP will be used for the communication between the Wireless
LAN Controller and the access points.

In a CAPWAP environment, a lightweight Access Point discovers a Wireless LAN Controller by
using CAPWAP discovery mechanisms and then sends it a CAPWAP join request. The controller
sends the access point a CAPWAP join response allowing the access point to join the controller.
When the Access Point is joined, it attempts to download new operating system software if the
versions on the Access Point and controller do not match. CAPWAP secures the control
communication between the Access Point and controller by means of a secure key distribution,
utilizing X.509 certificates on both the Access Point and controller.

10.2 Wireless Software


The software release for the Cisco Wireless LAN solution is depicted in the following table. This
stable code has been tested and widely deployed in the field.

Table 39 WLC Software Releases

Component                             Release      Notes
Cisco 5508 Wireless LAN Controller    7.3.112.0    Stable code widely deployed in the field.

Cisco 5508 Wireless LAN Controller is selected because it is software license based. In the ADEC
deployment, 50 and/or 25 licenses will be deployed. The integrated WLC and Wireless LAN
Module, installed in the WAN router, both come with fixed licenses, hence are not recommended
for the ADEC school site implementation.

The latest software release 6.0.199.0 is selected, as it has been deployed in many enterprise
customers. Although previous software versions support the same features as the latest release,
there are bugs in the previous versions that have been rectified in the latest release.

10.3 RF Design Requirements


A fundamental goal of this Wireless LAN deployment is to provide sufficient “coverage” and
“capacity” required to support the specified end-user applications. Cisco will conduct a site survey
for all schools to ensure required coverage is provisioned in the schools in line with the ADEC
coverage requirements.

10.3.1 Coverage
Coverage defines the ability of wireless clients to connect to a wireless Access Point with a signal
strength and quality high enough to overcome the effects of RF interference. The edge of the
coverage area for an Access Point data network is based on the signal strength and Signal-to-
Noise Ratio (SNR) measured as the client device moves away from the AP. The signal strength
required for good coverage will vary depending on the specific type of client devices and
applications on the network. To determine the edge of the coverage for a data network, refer to
the values listed in the table below.

A site survey will be conducted to maintain the required signal strength in the critical, normal
and lite areas; however location and installation of Access Points in the school sites will meet the
ADEC requirements for coverage and signal strength as depicted in the table below.

Table 40 ADEC Signal Strength Req.

Area Signal Strength


Critical Areas -70 dBm
Normal Areas -72 dBm
Lite Areas -75 dBm

Coverage not required: No coverage is planned for Mosque, outdoor/playground and washroom.

Table 41 Coverage Areas

Critical Areas Normal Areas Lite Areas Coverage Not Reqd


Admin (5 ~10 users) Corridor Stairs Washroom
ICT (30 users per Lab) Classrooms (5 ~ 10 users) Kitchen Outdoor / Playground
Teacher/Principal Cafeteria Mosque

Library Theatre
Conference Room Science Lab
Art /Music Room
Sports Room

10.3.2 Capacity
An individual wireless Access Point has the capacity to handle 20 to 25 concurrent data client
associations. However, because a wireless LAN is a shared medium and acts as a wireless hub,
the performance of each user decreases as the number of users on an individual Access Point
increases. The user count will be taken into account during the site survey process, and an
appropriate number of APs will be deployed.

Additional bandwidth in the selected areas will be provided in the future by adding APs as
required.

10.3.2.1 IEEE 802.11a


IEEE 802.11a operates in the less cluttered 5 GHz radio frequency spectrum. With a maximum
data rate of 54 Mbps, this standard offers a fivefold performance increase over the 802.11b
standard. Therefore, it provides greater bandwidth for particularly demanding applications.
802.11a operating on 5 GHz provides for as many as 12 non-overlapping channels compared to
the three channels available in 2.4 GHz. Using channel binding on dual channels, 802.11n users
can attain bandwidth up to 300 Mbps.

802.11a radio is disabled in the WLC. It is reserved for future applications.


10.3.2.2 IEEE 802.11g
802.11g delivers the same 54 Mbps maximum data rate as 802.11a, yet it provides backward
compatibility with 802.11b equipment. This means that 802.11b client cards will work with
802.11g APs, and 802.11g client cards will work with 802.11b APs.

802.11g radio will be used in ADEC deployment.

10.3.2.3 IEEE 802.11n


802.11n delivers higher data rates (108 Mbps) than 802.11g and 802.11a by using the Multiple
Input Multiple Output (MIMO) technology and wider channels (40 MHz). It is backward
compatible with 802.11g client cards.

802.11g/n radio will be used in ADEC deployment.

10.3.2.4 Channel Binding


Cisco allows channel binding by combining two 20 MHz channels together to enable a 40 MHz
wide channel.

Channel Binding should only be done in the 5GHz frequency range since there are up to 21
channels to use. In the 2.4GHz range there are only 3 channels (1, 6 and 11), therefore, channel
binding is not feasible.

In the ADEC deployment, channel bindings will not be provisioned for 802.11g/n mode due to
the limited number of channels.

10.4 Wireless Access Point Deployment


10.4.1 Access Points and Antennas
Cisco Aironet Series IEEE 802.11a/g/n Access Points provide client connectivity and other time-
sensitive activities, such as beacon handling, Media Access Control (MAC) layer encryption, and
RF monitoring as part of the Cisco Unified Wireless Network. ADEC has standardized on the
Cisco Aironet 1140 a/g/n for indoor and Cisco Aironet 1260 a/g/n lightweight Access Points for
partial open areas. The Cisco Aironet 1260 a/g/n Access Point is designed specifically for
challenging RF environments like partial open school hallways, and other areas that require
versatility associated with connectorized antennas, a rugged metal enclosure, and a broad
operating temperature range. The Cisco Aironet 1260 a/g/n requires external antennas. Built-in
antennas provide omni-directional coverage specifically designed for today's open workspaces.
In ADEC deployment, the Cisco Aironet 1260 a/g/n Access Point will be used in partially open
areas. External a/g/n antennas will be installed on the 1260 Access Points.

10.4.2 Access Point Location and Installation


The physical locations for wireless Access Points will be determined by a verified Site Survey as
part of the planning process for the ADEC school buildings.

The Cisco Aironet 1140 a/g/n and Cisco Aironet 1260 a/g/n Access Points will be mounted on
the smooth ceiling or below standard suspended ceiling. Side wall mounting will be used where
ceilings are high or running a conduit through the crown moulding is not feasible. Mounting the
Access Point above the ceiling may be preferred for aesthetics or security reasons, but can cause
issues with coverage and interference. Mounting the Access Point below the suspended ceiling
provides easier physical access and visibility of the status LEDs, making support easier.
The Access Points will be mounted below the suspended ceiling in the ADEC school site
implementation.

Because the Access Point is a radio device, it is susceptible to interference that can reduce
throughput and range. To ensure the best possible performance, the Access Points will be
installed in areas where metal structures such as shelving units, bookcases, filing cabinets, and
metal grid work do not block the radio signals to and from the Access Point.

The Access Point will be installed away from microwave ovens. Microwave ovens operate on the
same frequency as the Access Point and can cause signal interference.

The Access Point will be installed at least 6 to 8 feet away from any other radio antenna systems.
The energy from other radio transmitters can overpower the Access Point’s receiver and act like
noise, reducing the signal-to-noise ratio.

A single Category 6 (CAT6) data cable will be run from the nearest Intermediate Distribution
Frame (IDF) to each Access Point’s location. Note that the limitation of the cable run from the
IDF to the AP is 90 meters. Structured cabling in the school site will connect to the RJ-45 auto-
sensing 10/100/1000 Mbps Ethernet port on the Access Point. During the physical installation of
the Access Point it is important to document the MAC address and physical location of all Access
Points. This information will be required when naming the Access Points after connecting them
to the Wireless LAN Controller.

10.5 Connecting the Access Points to the Network


10.5.1 Access Layer Switch Port Requirements
The Access Point’s auto-sensing Ethernet port accepts an RJ-45 connector, connecting the Access
Point to the ADEC LAN. Cisco Aironet lightweight Access Points do not use VLAN tagging.
Access Points will be connected only to untagged (i.e., non-trunk) ports on the Access Switch.

Cisco lightweight APs by default obtain their IP address via DHCP. The Core Switch will service
DHCP requests and will provide the APs with an IP Address.

The WLC configuration guidelines indicate that enabling portfast mode on the Access Switch port
allows the Access Point to rejoin a Wireless LAN Controller approximately 30 seconds faster
after a reboot. Portfast will be enabled on the switch port.

10.5.2 DHCP Server Requirements


To facilitate AP discovery of Wireless LAN Controller using DHCP Option 43, the DHCP Server
will be configured to return Wireless LAN Controller Management Interface IP addresses based
on the AP’s Vendor Class Identifier (VCI). This involves configuring the DHCP Server to
recognize the VCI for each Access Point type and then defining the vendor specific information
that is returned in Option 43, on a per scope basis, for each VCI.

Cisco Aironet Access Points use the Type-Length-Value (TLV) format for DHCP Option 43.
DHCP servers must be programmed to return the option based on the access point's DHCP VCI
string (DHCP option 60).

When configuring DHCP servers to offer Wireless LAN Controller IP addresses as Option 43 for
Cisco Aironet lightweight Access Points, the format of the TLV block is:
Type: 0xf1 (decimal 241)
Length: Number of controller IP addresses * 4
Value: List of WLC management interfaces (typically translated to hexadecimal values)
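
The TLV layout above, as an added example that is not part of this LLD: it builds and validates the Option 43 payload and selects it by the AP's VCI. The controller addresses are constructed, and the two VCI strings are assumed values for the Aironet 1140 and 1260 that should be confirmed against the APs' own DHCP requests.

```python
import ipaddress

WLC_SUBOPTION_TYPE = 0xF1  # type byte the LLD gives for the controller list (decimal 241)


def encode_option43(controller_ips):
    """Build the TLV: type 0xf1, length = 4 * number of IPs, then the packed IPs."""
    if not controller_ips:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([WLC_SUBOPTION_TYPE, len(value)]) + value


def decode_option43(blob):
    """Parse and validate a TLV; return the controller addresses as strings."""
    if len(blob) < 2:
        raise ValueError("truncated TLV header")
    tlv_type, length = blob[0], blob[1]
    if tlv_type != WLC_SUBOPTION_TYPE:
        raise ValueError(f"unexpected type 0x{tlv_type:02x}")
    value = blob[2:]
    if length != len(value):
        raise ValueError("length field does not match value size")
    if length == 0 or length % 4:
        raise ValueError("length must be a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


# Constructed per-scope policy: Option 60 VCI -> WLC management interface addresses.
# The VCI strings are assumed values for the Aironet 1140 and 1260.
SCOPE_POLICY = {
    "Cisco AP c1140": ["192.0.2.10"],
    "Cisco AP c1260": ["192.0.2.10", "192.0.2.11"],
}


def option43_for(vci):
    """Return the hex Option 43 payload for a known AP VCI, or None for other clients."""
    ips = SCOPE_POLICY.get(vci)
    return encode_option43(ips).hex() if ips else None


if __name__ == "__main__":
    for vci in ("Cisco AP c1140", "Cisco AP c1260", "MSFT 5.0"):
        print(vci, "->", option43_for(vci))
```

Decoding a captured Option 43 value with `decode_option43` is a quick way to confirm that an AP is being pointed at the intended controller and not at an unexpected address.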

The Core Switch in each school site will be used as a DHCP server to provide the IP addresses to
the Access Points. The Wireless LAN Controller will be configured as a secondary DHCP server
to provide IP addresses, in the event of failure of the primary DHCP server, to wireless clients
only.

Lease Time will be configured in the DHCP server as follows:

Table 42 DHCP Lease Times

Device         Lease Time    Clients
Core Switch    7 Days        Wired and Wireless Clients
WLC            8 Hours       Wireless Clients

10.5.3 Electrical Power


Each Cisco Aironet dual-band Access Point requires a 57 VDC power source capable of providing
sufficient power to enable both radio modules as summarized in the following table.

Table 43 Cisco Aironet Access Point Power Draw

Cisco Aironet Access Point    Power Draw
Cisco Aironet 1260AG          12.95 Watts
Cisco Aironet 1140AG          12.95 Watts

The power draw listed does not include factors such as voltage and cable resistance. These
factors have been considered when selecting a power option.

For ADEC school implementation, Cisco PoE+ Access Switches will be used to provide inline
power to the access points.

10.6 Wireless LAN Controller Deployment


10.6.1 Wireless LAN Controller
The Cisco 5508 Wireless LAN Controller implements security policies, QoS policies, RF
management and mobility management as part of the Cisco Unified Wireless Network. Cisco
5508 will be deployed at each ADEC school site, which can support up to 500 Cisco lightweight
APs.

10.6.2 CAPWAP Transport Mode


Control and Provisioning of Wireless Access Points (CAPWAP) is a standard interoperable
protocol, which enables a Wireless LAN Controller to manage a collection of wireless Access
Points. Layer 3 CAPWAP transport mode will be deployed for communications between AP and
controller. In a Layer 3 CAPWAP deployment, AP and controller can be directly connected,
connected to the same IP subnet, or connected to a different IP subnet. In the ADEC school
implementation, the APs and Wireless LAN Controller will be connected on different IP subnets.
APs will obtain their IP address using DHCP from the Core Switch. When an AP is powered up,
it will make a DHCP request and attempt a Layer 3 association with the WLC.


Note: Once an AP obtains its IP address through DHCP, the AP will attempt to join a WLC using
pre-configured WLC information. The AP will try to communicate with the WLC and
download its configuration and firmware upgrades if available.

10.6.3 Wireless Client Mobility


Wireless client mobility (or “Roaming”) refers to movement of clients between wireless Access
Points. WLC supports client roaming across APs in the network. This roaming is transparent to
the client as the session is sustained and the client continues using the same IP address.

All the wireless users in the school will have seamless roaming except for areas where coverage is
excluded.

10.6.4 RF Planning
10.6.4.1 Radio Transmit Power and Channel Assignment
The AP radio’s Transmit Power setting significantly impacts the coverage of the AP (i.e., “cell
size”). Using higher power levels will increase the range in which clients can associate with the
Access Point. In contrast, using lower power levels will reduce both the AP cell size and
interference between cells and increase the capacity of the wireless LAN.

For 2.4 GHz networks, 3 non-overlapping channels are available. These channels represent
scarce resources that must be properly allocated and managed in order to minimize interference
and maximize performance in a multi-AP environment such as a school campus. Access Points
are usually deployed in cellular fashion within an enterprise where adjacent Access Points are
allocated non-overlapping channels.

The Wireless LAN Controller dynamically configures the radio transmit power and channel
assignments for Access Points. It will analyse the RF environment to optimize the Transmit
Power setting and minimize black hole effect based on radio resource monitoring information
reported by Access Points. Similarly, the Wireless LAN Controller’s dynamic channel
assignment capabilities are useful in minimizing co-channel interference between adjacent APs.

Because the RF environment may change over time, to maintain stability of AP RF settings,
dynamic power and channel assignment will update in 10 minute intervals. To provide
ease of administration and flexible configuration of the RF environment, dynamic power and
dynamic channel assignment will be used at the ADEC. Dynamic power and channel
assignments, however, behave differently in various environments and will need to be tested in
each school. In addition to testing, manual tuning of RF power and channel settings may need
to be validated and optimized during the optimization exercise to achieve optimal performance.

10.6.5 Redundancy and AP Load Balancing


10.6.5.1 Wireless LAN Controller
Access Points are assigned to their individual Wireless LAN Controller using a deterministic
model. In this deterministic model, APs are instructed to join a specific Wireless LAN
Controller during both normal operation, and in the event that their primary controller
becomes unavailable. Access Points are grouped together and assigned to individual Wireless
LAN Controllers based on the physical location of the Access Points. This grouping minimizes
inter-controller roaming events, resulting in optimal network performance. In addition,
deterministic AP assignment provides predictable failover behaviour, and failover times are
minimized because APs will not need to complete the entire WLC hunting and discovery
process.

10.6.5.2 Access Point Redundancy


AP redundancy is provided by Radio Self-Healing feature. With AP Self-Healing, the system
will raise the power levels and adjust channel selection of the neighboring APs to compensate
for the lost coverage in the event of an AP failure. The AP is determined to be lost when the
neighbor APs are no longer seeing RF neighbor messages from the failed AP. It is important to
note that the wireless coverage must be designed during the site survey to support Self-
Healing. Specifically, APs must be placed so that each has at least one power level available to
step up if RF Self-Healing is triggered.

Critical Admin areas within each school site have been defined by ADEC where sufficient AP
overlap will be provisioned to provide RF coverage in case of an AP failure.

10.6.6 Wireless Client Security


An effective wireless client security solution consists of two principal components:
Authentication and Confidentiality. “Authentication” serves the purpose of verifying that
Wireless LAN users are in fact valid users. If a user is not authenticated, they are denied access
to the wireless network. “Confidentiality” is enabled through encryption which protects data
traffic that travels over the wireless LAN infrastructure by changing the messages with a hashing
algorithm so that they cannot be intercepted and/or altered by unauthorized parties who may be
in the air space of the wireless communication.

The ADEC data security policy requires that wireless network access has Open authentication
and strong levels of standards-based encryption. ADEC will have WPA and WPA2 compliant
Staff and Student users on their wireless network. Guest users will use Captive Portal to connect
to the Intranet.

Authentication and data encryption are the key components of wireless LAN security to help
prevent unauthorized users from accessing the network and compromising confidential
information.
10.6.6.1 Data Clients
In the ADEC school site implementation, Staff and Student users will be using
username/password credentials in the Captive Portal, along with WPA/WPA2 encryption to
connect to the wireless infrastructure. Guest users will connect to the wireless infrastructure
using the Guest SSID and no encryption. Guest users will be provided with username/password
credentials via Captive Portal to access the Internet only.

Table 44 WLAN/SSID Roles and Security

SSID       Description      Authentication    L2 + L3 Encryption
Staff      Staff users      open              WPA / WPA2(AES) + Web-Auth (Captive Portal)
Student    Student users    open              WPA / WPA2(AES) + Web-Auth (Captive Portal)
Guest      Guest users      open              open (Captive Portal)

10.7 Cisco Unified Wireless Security Features


Cisco Unified Wireless solution includes the following security features:

10.7.1 Peer-to-peer blocking


The WLC will be configured to block communication between clients on the same WLAN. This
prevents potential attacks between clients on the same subnet by forcing communication through
the core switch.

10.7.2 Wireless Intrusion Detection System (IDS)


The WLC performs wireless LAN IDS analysis using all the connected APs, and reports detected
attacks to the WLC. The embedded wireless IDS capability of the WLC analyses 802.11 and WLC
specific information that a wired network IDS system cannot analyse.

10.7.3 Client exclusion


In addition to wireless IDS, the WLC is able to take additional steps to protect the WLAN
infrastructure and wireless LAN clients. The WLC will implement policies that exclude wireless
LAN clients whose behaviour is considered threatening or inappropriate.

The following client exclusion policies will be enabled in the ADEC implementation.

• Excessive 802.11 association failures—Possible faulty client or DoS attack
• Excessive 802.11 authentication failures—Possible faulty client or DoS attack
• Excessive 802.1X authentication failures—Possible faulty client or DoS attack
• IP theft or IP reuse—Possible faulty client or DoS attack
• Excessive web authentication failures—Possible DoS or password-cracking attack

Client Exclusion will be enabled in the WLC for all the SSIDs.

10.7.4 Rogue AP detection


The Cisco Unified Wireless Networking solution provides a complete rogue AP solution, which
provides the following:

• Air/RF detection—Detection of rogue devices by observing/sniffing beacons and 802.11
probe responses
• Rogue AP location—Use of the detected RF characteristics and known properties of the
managed RF network to locate the rogue device
• Wire detection—A mechanism for tracking/correlating the rogue device to the wired
network
• Rogue AP isolation—A mechanism to prevent client connection to a rogue AP

ADEC will manually contain the Access Points classified as “Rogue” using the Wireless LAN
Controller.

10.8 Network Management


Users with full privileged access to the WLC will use the “Loginwlc” username, whereas Lobby
Ambassadors, users that have limited privileges and are only able to create usernames and
passwords, will use the “Operator” username.

Access to WLC will be provided to the school Principal to create usernames and passwords for
all the wireless clients.

Access to WLC will be provided by using local username and password as per ADEC policy.

Both successful and failed user attempts will be logged by default on the WLC.

10.9 Cisco Wireless LAN Controller Configuration


10.9.1 WLC IP Addressing
10.9.1.1 Wireless LAN Controller AP-Manager and Management
The Wireless LAN Controller has an in-band management IP address named “management”,
which is used for control access via SNMP, HTTPS and SSH. Ethernet over IP (EoIP) tunnels
use this address to encapsulate traffic up to the tunnel termination point for L3
roaming. DHCP servers must return this address in option 43 to the AP. The Access Point will
then send a CAPWAP discovery request to this address. The CAPWAP discovery reply returned
by the WLC will provide the AP-manager IP address. After the discovery process, all CAPWAP
traffic between the AP and the WLC will use the “AP-manager” IP address.

The ADEC network is a Layer 3 infrastructure with a collapsed Core/Distribution and Access
Layers. The Layer 3 infrastructure separates the Wireless LAN Controllers from the APs
connected to the Access Switches. AP-manager interface(s) are configured in the same subnet as
the management interface; separate subnets are used for the APs.
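
Because the APs sit in different subnets from the WLC, the option 43 value in each AP DHCP scope decides which controller an AP tries to join, so it is worth checking. The following is an added example, not part of the original design document: it encodes and decodes the option 43 payload using the Cisco lightweight AP convention (sub-option type 0xf1, length, then the controller addresses), which the page itself does not spell out. The addresses are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress

# Sub-option type that carries controller addresses for Cisco lightweight APs.
# This value comes from Cisco's DHCP option 43 convention, not from the page.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(wlc_mgmt_ips):
    """Return the option 43 payload (hex string) for the given WLC addresses."""
    if not wlc_mgmt_ips:
        raise ValueError("at least one WLC management address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_mgmt_ips)
    if len(value) > 255:
        raise ValueError("too many addresses for a one-byte length field")
    return (bytes([CISCO_WLC_SUBOPTION, len(value)]) + value).hex()


def decode_option43(payload_hex):
    """Parse an option 43 payload and return the controller addresses in it.

    Accepts plain hex as well as dotted or colon-separated hex groups.
    Raises ValueError when the type, length or value is inconsistent.
    """
    cleaned = payload_hex.replace(".", "").replace(":", "").replace(" ", "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not valid hex: {payload_hex!r}") from exc
    if len(raw) < 2:
        raise ValueError("payload too short for type and length bytes")
    sub_type, length, value = raw[0], raw[1], raw[2:]
    if sub_type != CISCO_WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length != len(value):
        raise ValueError(f"length byte says {length}, payload has {len(value)}")
    if length == 0 or length % 4:
        raise ValueError("value is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, length, 4)]


def audit_scope(payload_hex, expected_mgmt_ip):
    """Check one AP DHCP scope; an empty list means it matches the design.

    The design has a single WLC per school site, so any address other than
    the expected management address is reported.
    """
    try:
        offered = decode_option43(payload_hex)
    except ValueError as exc:
        return [f"malformed option 43: {exc}"]
    findings = []
    if expected_mgmt_ip not in offered:
        findings.append(f"WLC management address {expected_mgmt_ip} is missing")
    for ip in offered:
        if ip != expected_mgmt_ip:
            findings.append(f"unexpected controller address {ip}")
    return findings


if __name__ == "__main__":
    wlc = "192.0.2.10"  # constructed management address
    print(encode_option43([wlc]))
    print(audit_scope("f104.c000.020a", wlc))
    print(audit_scope("f104c000020b", wlc))
```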

10.9.2 WLC IP Addresses on the Dynamic VLANs


VLANs associated with SSIDs are called dynamic VLANs. The WLC is a L2 device and does not
play any role on these VLANs (except forwarding the client frames it receives from the AP via
the CAPWAP tunnel); however, the WLC will be configured with an IP address on each VLAN’s
subnet for inter-VLAN connectivity.

Note: The WLAN controller acts as a switch where multiple VLANs can be configured, but
inter-VLAN connectivity is only possible via a L3 device. A Default Gateway will be configured
for each interface (except service-port).

10.9.3 Client IP Addresses


The clients will get their IP addresses from the Primary and Secondary DHCP server. The Core
Switch at each site will be used to provide DHCP services to clients.

In the event of a failure of the Primary DHCP server, the Wireless LAN Controller will be used as
a Secondary DHCP server for wireless clients only. Lease time in the WLC will be configured for
8 hours.

Note: There is no need for “ip helper-address” on the switch because the DHCP relay function of
the WLC will unicast the DHCP request to the DHCP server.

10.9.4 WLC General Parameters


The following parameters will be configured or checked on the Wireless LAN Controller:

Figure 15 Disable OTAP

Over the Air Provisioning – Disabled

It is possible for an AP to get WLC info from another AP using OTAP (Over The Air
Provisioning). This will be disabled for security reasons.

Figure 16 Disable Aggressive Load Balancing

Aggressive Load Balancing – Disabled

This parameter allows a controller managing multiple neighbouring APs to load balance users
among them. This function applies per controller and requires adjacent APs to be connected to
the same WLC. In order to be activated, the following conditions should be met:

• The user should receive a good signal from at least two APs
• The busiest AP should have at least “window” (pre-defined variable) users more than the
second, less busy, AP.

If these conditions are met, both APs are associated to the same controller and Aggressive Load
Balancing is enabled, a user will be pushed to associate to the less busy AP.

Aggressive Load Balancing will be disabled to achieve consistent user experience and avoid
unnecessary roaming from one Access Point to another.

Figure 17 Enable LAG Mode

LAG mode – Enabled

LAG Mode will be enabled to form an Etherchannel with the Core Switch. The Etherchannel will
provide higher bandwidth as well as redundancy between the Core Switch and the WLC.

Figure 18 Enable L3 LWAPP Mode

LWAPP mode – L3

LWAPP mode will be configured for L3. The LWAPP tunnel will be formed using the WLC AP-
manager IP address.

Figure 19 Disable Multicast Mode

Ethernet Multicast Mode – Disabled

Multicast will be “Disabled” (No multicast traffic). In ADEC school site implementation, there are
no multicast requirements on the wireless network.

Figure 20 Default Mobility Name

Default Mobility Domain Name – @DEC4580

The mobility group is used to define the roaming domain. “@DEC4580” will be used as Mobility
Domain Name across all ADEC school sites.

Figure 21 RF Network Name

RF-Network Name – @DEC4580

An RF network links all controllers among which roaming will be possible, using the RF
proximity coverage. If two locations are too far from each other, they could still be part of a single
mobility group; however, two RF networks will be required, as roaming between separate
buildings would not be possible.

“ADEC” will be used as the RF Network Name across all the schools.

10.9.5 WLC Interfaces


After the initial setup, four interfaces will be created:

• “AP-manager” is the first IP address used for interfacing to the AP
• “management” is the in-band management interface
• “Service-port” is reserved for out-of-band management of the
controller and system recovery and maintenance in the event of a network failure.
• The virtual interface is configured identically on all WLAN controllers that are part of the
same mobility group. The virtual interface is used for DHCP relay, Mobility
management and Layer 3 security (WEB authentication) features.

Dynamic Interfaces for the SSID will be added for the traffic leaving the controller. These
interface names will typically be referenced in the WLAN configuration when mapping the
SSID directly to a VLAN.

10.9.6 Mobility Group


A Wireless LAN Controller can be a member of a single mobility group, and up to 24 Wireless
LAN Controllers can be included within a single mobility group. The Wireless LAN Controller
members of this mobility group must be introduced manually. In the ADEC school site
implementation, additional controllers will not be required as there is a single WLC per school
site.

Table 45 Mobility Group

| Interface | MAC address | IP Addresses |
|---|---|---|
| WLC | <-Mac address-> | xx.xx.xx.xx |

10.9.7 Wireless LAN (WLAN) Configuration


There will be three SSIDs configured, one for each of the following categories:

1. Staff
2. Student
3. Guest

A WLAN will be configured for each SSID. A single WLAN is configured during the initial setup.
The other SSIDs will be configured after the initial configuration wizard process.

Table 46 WLAN / SSID

| Section | Parameters | SSID Staff | SSID Student | SSID Guest |
|---|---|---|---|---|
| During creation | Profile name | Staff | Student | Guest |
| During creation | SSID | Staff | Student | Guest |
| General | WLAN Status | Enabled | Enabled | Enabled |
| General | Radio Policy | g/n | g/n | g/n |
| General | Interface | Staff | Student | Guest |
| General | Broadcast SSID | Disabled | Enabled | Enabled |
| Security Layer 2 | Layer2 Security | WPA + WPA2 | WPA + WPA2 | none |
| Security Layer 2 | MAC Filtering | No | no | no |
| Security Layer 2 | WPA policy | Enabled | Enabled | n/a |
| Security Layer 2 | WPA Encryption | TKIP | TKIP | n/a |
| Security Layer 2 | WPA2 Policy | Enabled | Enabled | n/a |
| Security Layer 2 | WPA Encryption | AES | AES | n/a |
| Security Layer 2 | Auth Key Mgmt | n/a | n/a | n/a |
| Security Layer 3 | Layer3 Security | Enabled | Enabled | Enabled |
| Security Layer 3 | Web policy | Yes | Yes | Yes |
| Security AAA server | Authentication Server 1 | none | none | none |
| Security AAA server | Authentication Server 2 | none | none | none |
| Security AAA server | Accounting | none | none | none |
| Security AAA server | LDAP Servers | none | none | none |
| Security AAA server | Local EAP Authentication 2 | no | no | no |
| QoS | Quality of Services | Silver | Silver | Silver |
| QoS | WMM Policy | Allowed | Allowed | Allowed |
| QoS | 7920 AP CAC | No | no | no |
| QoS | 7920 Client CAC | No | no | no |
| Advanced | Allow AAA Override | No | no | no |
| Advanced | H-REAP Local Switching | No | no | no |
| Advanced | Enable Session Timeout | Disabled | Disabled | Disabled |
| Advanced | IE | Enabled | Enabled | Enabled |
| Advanced | Diagnostic Channel | No | no | no |
| Advanced | IPV6 Enable | none | none | none |
| Advanced | Override Interface ACL | No | no | no |
| Advanced | P2P Blocking action | Enabled | Enabled | Enabled |
| Advanced | Client Exclusion | Enabled/60 | Enabled/60 | Enabled/60 |
| Advanced | DHCP Server Override | No | no | no |
| Advanced | DHCP Addr Assig. Required | Enabled | Enabled | Enabled |
| Advanced | Infrastructure MFP protection | Enabled | Enabled | Enabled |
| Advanced | MFP client protection | Optional | Optional | Optional |

10.9.8 Management Features


10.9.8.1 SNMP
The WLC supports SNMP versions 1, 2 and 3. SNMP version 3 will be configured for ADEC. The
SNMPv3 username and password will be provided by ADEC.

10.9.8.2 HTTP / HTTPS


Access to WLC GUI will be provided using HTTPS. HTTP option will be disabled.

An HTTPS web session timeout value of 30 minutes will be used on the WLC. This value cannot
be set lower than 30 minutes as this is a limitation of the WLC 5508.

10.9.8.3 Telnet / SSH

Telnet will be disabled and SSH will be used for remote management.

ADEC has requested an SSH timeout of 5 minutes. The default timeout setting on the WLC
will be set to 5 minutes.

10.9.8.4 NTP
The configuration of correct time on the Wireless LAN Controller is critical for the correct
working of the wireless network.

NTP is required for the usage of X.509 certificate on the Access Point. The X.509 certificate is used
during the CAPWAP join process with the Wireless LAN Controller. The validity interval begins
at the time the X.509 certificate is provisioned on the Access Point at the factory, so it is extremely
important to keep the Wireless LAN Controller date and time accurate and current.

The timing on the Wireless LAN Controller will be set correctly via NTP servers (wireless
controller being an NTP client). The Wireless LAN Controller will use the school site Core Switch
as the NTP server.
10.9.8.5 WLC Login Banner
A login banner will be downloaded from a file using the GUI. The login banner is the text that
appears on the screen before user authentication when the Wireless LAN Controller is accessed
via the GUI or CLI using Telnet, SSH, or a console port connection.

The login banner information will be saved as a text (*.txt) file on the WLC, however the text file
cannot be larger than 1500 bytes and cannot have more than 18 lines of text.

WLC Login Banner will be used in the ADEC school site implementation.

11. Appendix A – School Dependencies

| ID | School Dependencies | Owner |
|---|---|---|
| TD001 | IPVPN (WAN) connectivity up to Data Centre to test remote services (i.e. internet access) | ADEC |
| TD002 | DHCP server availability, local or remote, to provide IP addresses for client PCs | ADEC |
| TD003 | SNMPv3, Syslog and SSHv2 services require NMS availability in the Data Centre with appropriate IP address, SNMP community etc. | ADEC |
| TD004 | IP scheme and VLAN mapping need to be completed for LAN switchport configuration | ADEC |
| TD005 | For time synchronization, a central NTP server is required in the Data Centre | ADEC |
| TD006 | If mandatory in Exit Strategy, Microsoft services must be available in the Data Centre to test other services (Print Server, Email etc.) in each school | ADEC |
| TD007 | Zones deployment requirements (Design/Voice) and dependencies | ADEC |

12. Appendix B – WLC Initialization
System Name [Cisco_43:da:03]: <-WLC-name->
Enter Administrative User Name (24 characters max):<-WLC login->
Enter Administrative Password (24 characters max): <-password->
Re-enter Administrative Password: <-password->

Service Interface IP Address Configuration [none][DHCP]: none


Service Interface IP Address: <-service port IP address- >
Service Interface Netmask: <-service port Netmask- >

Enable Link Aggregation (LAG) [yes][NO]: YES

Management Interface IP Address: <-Management IP address->


Management Interface Netmask: 255.255.255.0
Management Interface Default Router: <-Management SVI 4507R-E->
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface DHCP Server IP Address: <-Management SVI 4507R-E->
AP Transport Mode [layer2][LAYER3]: LAYER3
AP Manager Interface IP Address: <-AP Manager IP address->

AP-Manager is on Management subnet, using same values


AP Manager Interface DHCP Server (<-Management SVI 4507R-E->):

Virtual Gateway IP Address: 1.1.1.1

Mobility/RF Group Name: ADEC

Enable Symmetric Mobility Tunneling [yes][NO]: NO

Network Name (SSID): Staff


Allow Static IP Addresses [YES][no]: NO

Configure a RADIUS Server now? [YES][no]: NO


Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]: AE
Enable 802.11b Network [YES][no]: YES
Enable 802.11a Network [YES][no]: YES
Enable 802.11g Network [YES][no]: YES
Enable Auto-RF [YES][no]: YES
Configure a NTP server now? [YES][no]: <- NTP server IP address ->
Configure the system time now? [YES][no]: YES
Configuration correct? If yes, system will save it and reset. [yes][NO]: YES

13. Glossary
Please refer to the CCO Internetworking Terms and Acronyms Guide at
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.htm for additional terms.

IP Surveillance System - CCTV
Specifications for ADEC Schools

October 2013
Ver 1.0
IP Surveillance System (CCTV) - Specification for ADEC Schools

Revision History

| Revision Number | Revision Date | Summary of Changes | Author(s) |
|---|---|---|---|
| 1.0 | 01/10/2013 | Original draft | Hameed Jafar |
| 1.1 | 10/10/2013 | Update on the following sections: 2.2.2.2 Firewall/core switches “cancelled”; 2.1.6 Network availability; 2.1.9 Power; 2.1.10 Maintenance; 2.1.11 documentation; Training | Shueib Medani |

Reviewers

| Name | Role/Title | Date | Version |
|---|---|---|---|
| Shueib Medani | Senior IT projects manager | 10/10/2013 | 1.1 |
| Yousef Alreyami | PMO section manager | 10/10/2013 | 1.1 |

Approvals

| Name | Role/Title | Date | Signature |
|---|---|---|---|
| Khaled Hassan | ICT Operations Section Manager | | |
| Yousef Alreyami | ICT PMO Section Manager | | |
| Ali Awlaqi | ICT Support Section Manager | | |
| Mohammad Younes | ICT Division Manager | | |

Table of Contents

1 Introduction
1.1 About ADEC
1.2 CCTV Requirements / Specifications for ADEC Schools
1.3 Definitions and abbreviations
1.4 Codes & Standards
2 General Requirements
2.1 Security Requirements for ADEC Schools / Education Institution
2.1.1 Cameras:
2.1.2 Observation criteria:
2.1.3 Live monitoring and control room:
2.1.4 Recording requirements:
2.1.5 Lighting:
2.1.6 Transmission:
2.1.7 Intrusion Detection System:
2.1.8 CCTV Installation requirements:
2.1.9 Power:
2.1.10 Maintenance
2.1.11 Documentation:
2.1.12 Training:
2.1.13 Signage:
2.1.14 General CCTV Distribution locations:
2.2 Technical Requirements as per Abu Dhabi Monitoring & Control Center (MCC)
2.2.1 General
2.2.2 Technical Requirements
2.3 Specifications & Scope of Services
2.3.1 IP Surveillance camera – Indoor IP Camera
2.3.2 IP Surveillance camera – Indoor Speed Dome (If required)
2.3.3 IP Surveillance camera – [Outdoor Camera with Built-in IR]
2.3.4 IP Surveillance camera – Outdoor PTZ Camera (If required)
2.3.5 Video Surveillance Management System:
2.3.6 NVR and Storage Specifications:
2.3.7 Storage
2.3.8 Pre-approved Manufacturers List:

1 Introduction
1.1 About ADEC
The Abu Dhabi Education Council was set up in September 2005 by His Highness General Sheikh
Mohammed Bin Zayed Al Nahayan, Crown Prince of Abu Dhabi and Deputy Supreme Commander
of the UAE Armed Forces.

The Abu Dhabi Education Council is an independent corporate body and enjoys full legal status, as
well as financial and administrative independence in all its affairs. It has its headquarters in Abu
Dhabi and has the right to set up its branches and offices inside or outside the UAE.

ADEC seeks to develop and implement innovative educational policies, plans and programs that aim
to improve education in the Emirate of Abu Dhabi and support educational institutions and staff in a
manner that helps achieve the following objectives of national development:

• Participate in the Emirate’s educational planning process within the framework of the UAE
general education policy and in coordination with the Ministry of Education

• Prepare studies and proposals for the advancement of education and vocational training
and for the enhancement of all educational institutions and their staff to enable them to
remain in line with current development in all fields

• Provide technical and material assistance to educational institutions

• Support and enhance the relationship between educational institutions and the private
sector and improve the academic and professional level of graduates, training them, and
enhancing their employment opportunities

• Provide support and technical assistance to educational institutions and coordinate their
activities in a way that enables them to implement their individual educational plans

• Establish an educational database for the Emirate of Abu Dhabi

• Encourage private educational institutions to deliver first-class educational services.

1.2 CCTV Requirements / Specifications for ADEC Schools


The goal of this document is to provide specifications for ADEC schools to design and implement a
complete Digital Security Surveillance System based on the IP Technology.

The system shall be designed, engineered, furnished, delivered, installed and tested to ensure it is
fully operating and free of engineering, installation, system operation and Original Equipment
Manufacturer (OEM) defects, so as to provide a "turnkey" installation. The bidder must also be
certified in installing and supporting the system equipment by the parties that manufacture and
supply it. The system must have three types of recording: motion, continuous and video analytic
recording (record only when humans are present). The system design shall enable the end-user to
monitor the CCTV live footage anywhere in the school over the network.

All the CCTV Systems, Storage, Recorders, NVRs etc., should be kept in MDF / Cabinets on the
specified rack units.

1.3 Definitions and abbreviations


Where used in this document, the following terms shall have the meanings indicated below, unless
clearly indicated otherwise by the context of their use:

| Term | Meaning |
|---|---|
| COMPANY | ADEC Schools |
| PROJECT | IP Surveillance System for ADEC Schools |
| CONTRACTOR/VENDOR/BIDDER | The party(s) which manufactures and/or supplies equipment, technical documents/drawings and services to perform the duties specified |
| TPA | Third Party Inspection Agency |
| CCTV | Closed Circuit Television |
| LAN | Local Area Network |
| VMS | Video Management Software |
| NVR | Network Video Server |
| NAS | Network Attached Storage |
| UPS | Uninterrupted Power Supply |
| SAT | Site Acceptance Test |
| PoE | Power Over Ethernet |

1.4 Codes & Standards


The codes and standards listed below shall be used in conjunction with this specification, the data
sheet(s) and the referenced specifications.

| Code / Standard | Title |
|---|---|
| ANSI/TIA/EIA 568-B | Commercial Building Telecommunications Cabling Standard |
| ANSI/TIA/EIA 569-A,B | Commercial Building Standards for Telecommunications Pathways and Spaces |
| ANSI/TIA/EIA 598-B | Optical Fiber Cable Color Coding |
| ANSI/TIA/EIA 604.2 | FOCIS 2 – Fiber Optic Connector Intermateability Standard |
| ANSI J-STD-607-A | Commercial Building Grounding Requirements for Telecommunications |
| ANSI/TIA/EIA 758 | Customer-Owned Outside Plant Telecommunications Cabling Standard |
| BS EN 50132-4-1:2001 | Alarm System, CCTV Surveillance System for Use in Security Applications, Video Transmission |
| IEC 60529 | Degrees of Protection by Enclosures (IP Code) |
| ISO-9001 | Quality Management System-Requirements 2000 Edition |

2 General Requirements
2.1 Security Requirements for ADEC Schools / Education Institution

2.1.1 Cameras:

Color cameras shall be used for indoor location with guaranteed illumination of minimum 20 Lux. For
outdoor application and for indoor locations where lighting cannot be guaranteed, day/night cameras
with mechanical IR cut filter shall be used. The camera selection shall be primarily based on the
observation criteria and the lighting conditions. For Analog cameras the resolution shall be minimum
540TVL; and for digital cameras the resolution selection shall be based on the observation criteria.
WDR cameras shall be used for locations where light intensities vary greatly.

2.1.2 Observation criteria:

The selection of camera and lens for any location shall be based on certain observation criteria.
The observation criteria are classified into four general categories which are based on the relative
size of a 1.6 meter tall person appearing on a monitor screen.

• Monitor & Control
• Detect
• Recognize
• Identify

2.1.3 Live monitoring and control room:

Security Control room with dedicated personnel shall be used for live monitoring of cameras; the
operators will be trained for the daily operations and event response. Control room shall be
operational on a 24 hour basis, if required. The control room shall be ergonomically designed and
shall be located in a secure area. Live monitoring shall be real time and of high resolution. The
resolution of the monitors shall exceed the highest resolution camera used. The number of monitors
in the control room will depend on the number of cameras, and the alarm integration with other
security systems. Alarm integration shall present alarms both visually and audibly to the operators.

The recommended visual alarms shall include:

• Alarm messages queued in the order of their arrival and processed based on priority levels in
queue.

• Automatic / Manual pop up of video and alarm on site maps within the operator Graphic User
Interface (GUI).

• Automated presentation of alarm video on designated monitors

The latency from trigger of alarm to automated action and display shall not exceed 200ms. The
operator shall be able to manually control any alarm processing regardless of the level of
automation.

The following display pattern is recommended for the multiplexed view:

• Multiplexed view of max four cameras if 15" Monitors are used
• Multiplexed view of max nine cameras if 17" - 21" Monitors are used
• Multiplexed view of max sixteen cameras if 25" - 32" Monitors are used.
• Minimum one monitor is recommended for selective viewing of individual cameras.

For respective schools without alarm integration, minimum one CCTV monitor per 8 cameras is
recommended. For installations with more than 80 cameras, a comprehensive CCTV solution with
Graphic user interface with maps (Plans with camera Icons) and tools such as video analytics and
integration with other security system is recommended.

Only designated people will be able to view and control live and recorded video both locally within
the facility and remotely outside the facility.

2.1.4 Recording requirements:

Cameras shall be recorded locally within the facility at the camera's native resolution / 12 FPS for a
period of 90 days. The recording solution shall support any or all of the following compression
standards: MJPEG/MPEG4/H.264. The recording solution shall support continuous, motion and
alarm based recording. The recording solution shall have 25% expansion capability to accommodate
any future changes in recording quality or camera quantity.

The storage calculation for recorded video shall be certified by the manufacturer and shall be
available for verification. Redundancy shall be incorporated into the recording design (Not
Mandatory and only Optional). Redundancy shall be considered at storage (Min. RAID 5 with hot
standby HDs) and at recorder level. Recorder level redundancy shall be such that failure of a
recorder shall not affect the overall recording of cameras and options such as automatic
redistribution of cameras from the failed recorder to a standby recorder or to other active recorders
shall be considered.

A data authentication method (e.g. watermarking, checksums, fingerprinting) shall be applied to image
and metadata at the time of recording. Further, the CCTV system shall provide a method to verify
the authenticity of the copied and exported data.

Recorded video shall have camera number, date/time and location stamp on the video. The recorder
shall support recorded video search based on camera number, time/date, bookmarking and alarms.
The export of user selected video to external storage medium such as CD/DVD/USB, etc. shall be
supported. Export of video shall not alter the original recording. The exported video or a single
image shall be complete with video source identifiers and time and date stamp. The playback
software to manage and control the exported video on any standard computer shall be automatically
included with the exported video. Exported video shall be in its native format with watermarking.
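
The following is an added example, not part of the original specification or of any vendor's product. It shows one way a recorder could authenticate image data and metadata at recording time and let a reviewer verify an export afterwards. The specification names checksums and fingerprinting without mandating an algorithm, so the keyed HMAC-SHA256 with record chaining used here, the key, the field names and the sample data are all assumptions.

```python
import hashlib
import hmac
import json

RECORDER_KEY = b"constructed-demo-key"  # constructed; assumed per-recorder secret
GENESIS = "0" * 64                      # chain anchor for the first segment


def _canonical(obj):
    """Serialize deterministically so equal fields always produce equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_segment(video, meta, prev_tag=GENESIS, key=RECORDER_KEY):
    """At recording time: bind video bytes, metadata and the previous record."""
    body = {"meta": meta,
            "sha256": hashlib.sha256(video).hexdigest(),
            "prev": prev_tag}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return dict(body, hmac=tag)


def verify_segment(video, record, key=RECORDER_KEY):
    """Return 'ok', 'record-malformed', 'record-altered' or 'video-altered'."""
    try:
        body = {k: record[k] for k in ("meta", "sha256", "prev")}
        tag = str(record["hmac"]).encode("utf-8")
        expected = hmac.new(key, _canonical(body), hashlib.sha256)
        expected = expected.hexdigest().encode("ascii")
    except (KeyError, TypeError, ValueError):
        return "record-malformed"
    if not hmac.compare_digest(expected, tag):
        return "record-altered"   # metadata, digest or chain link was changed
    actual = hashlib.sha256(video).hexdigest().encode("ascii")
    if not hmac.compare_digest(actual, str(body["sha256"]).encode("utf-8")):
        return "video-altered"    # image data no longer matches the record
    return "ok"


def verify_export(videos, records, key=RECORDER_KEY):
    """Verify an exported run of segments; return a list of (index, problem).

    An export may start anywhere in a recording, so only the links between
    consecutive exported segments are checked, not the link to GENESIS.
    """
    problems = []
    prev_tag = None  # tag of the previous segment when that segment verified
    for index, (video, record) in enumerate(zip(videos, records)):
        status = verify_segment(video, record, key)
        if status != "ok":
            problems.append((index, status))
            prev_tag = None
            continue
        if prev_tag is not None and record["prev"] != prev_tag:
            problems.append((index, "gap-before"))  # a segment was removed
        prev_tag = record["hmac"]
    if len(videos) != len(records):
        problems.append((min(len(videos), len(records)), "count-mismatch"))
    return problems


def build_sample():
    """Constructed data: three one-minute segments from one camera."""
    videos = [b"frame-data-segment-%d" % i for i in range(3)]
    records, prev = [], GENESIS
    for i, video in enumerate(videos):
        meta = {"camera": 12, "location": "Main gate",
                "start": "2013-10-01T08:0%d:00" % i}
        record = seal_segment(video, meta, prev)
        records.append(record)
        prev = record["hmac"]
    return videos, records


if __name__ == "__main__":
    videos, records = build_sample()
    print("intact export:", verify_export(videos, records))
    print("middle segment removed:",
          verify_export([videos[0], videos[2]], [records[0], records[2]]))
```

Because the camera number, time and location sit inside the authenticated record, editing the stamp on an exported clip is detected in the same way as editing the image data.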

All security systems including CCTV, Intrusion Detection System, Access Control System, etc shall
be time synchronized. Time and Date information on the recorders shall be checked regularly for
accuracy and shall be synchronized automatically.

On request from Abu Dhabi Police / Abu Dhabi Education Council (ADEC), the contractor shall
provide video recording or still images of any camera view either as a soft or a hard copy in 6" x 4"
format.

2.1.5 Lighting:

Well maintained balanced lighting shall be available at areas within the camera's field of view.
The following site conditions shall be the key elements that drive the selection of camera, location
and type of additional illumination.

• Backlighting

• Glare caused by excessive bright light falling on camera lens

• Poor level of lighting or no lighting

The lighting in the camera's field of view shall enable the camera to give an acceptable picture under
all environmental and working conditions. The maximum to minimum illumination ratio available in the
camera's field of view shall be better than 4:1. The camera's sensitivity and spectral response shall
match the lighting source spectrum. Additional lighting shall be considered where camera picture
quality is impaired due to the existing lighting conditions. The selection and positioning of visible or
non-visible lighting shall meet the safety requirements that prevent eye damage. The light source shall
be away from the camera and near to the object or area that is monitored by the camera. IR
illuminators shall be provided for locations where lighting cannot be maintained.

2.1.6 Transmission:

The bidder shall implement video transmission system based on the CCTV system designed for the
facility. IP network shall be used for CCTV application.

The following shall be considered as a minimum for transmission design:

• Network specialist shall be consulted for IP video network design


• The transmission network design shall be able to deliver video with minimum delay, loss
and jitter
• Network redundancy shall include dual up links from edge switches routed through different
routes to dual redundant core switches. Core switches shall be located at different locations
and shall be linked, if required.
• All Switches shall have 1+1 redundant power supply and cooling fans.
• The design shall provide end to end security, limiting unauthorized access to the system
• Immune to interference from external sources
• Maintain source image quality
• Latency shall be minimal and in line with the manufacturer-recommended limits
• The bandwidth requirement as recommended by the manufacturer shall be available at all
times


• Shared transmission infrastructure is not recommended, unless the data security and
recommended performance of the CCTV system is guaranteed, irrespective of the performance
and load of other systems on the shared network.

2.1.7 Intrusion Detection System:

For Schools, the IDS may not be required since the assigned security personnel would be available to
attend the alerts from the CCTV Monitoring System. If it is required, they shall contact ADEC for
the necessary requirements, which are approved by Abu Dhabi Police.

2.1.8 CCTV Installation requirements:

Cameras shall be installed in protective enclosures at locations and heights not easily accessible.
Enclosures shall be rated to prevent ingress of dust, dirt, moisture and the like that could affect the
operation of the camera. Vandal proof housings shall be used for cameras installed at heights
accessible to people. Outdoor camera enclosures shall be minimum IP65 rated with sun shroud.
CCTV equipment shall be installed in lockable racks/cabinets in secure risers/rooms. Equipment
installed outdoors shall be rated for use in extreme UAE weather conditions. Properly rated outdoor
enclosures shall be provided to house field power and transmission equipment. Outdoor enclosures
shall be designed with sun shade and a suitable cooling mechanism. Camera locations shall satisfy
the recommended observation criteria defined for that camera. Selection of camera location shall
also consider factors such as lighting conditions, seasonal foliage obstructions, temporary or
permanent man made obstructions, etc. Permission from Abu Dhabi Police or other competent
authority is required for installation of covert/camouflaged cameras and outdoor cameras that may
potentially breach the privacy of the neighboring property.

2.1.9 Power:

CCTV equipment including cameras and servers shall be on essential supply with an additional
UPS backup of minimum 15 minutes. The 15 minutes backup is based on the condition that the
generator will start within 10 minutes of the mains failure.

For locations where the generator start up cannot be guaranteed or with no generator, a UPS with
minimum 2 hours backup shall be provided.

Security systems shall be designed for 24/7 operation. In case of power failure, security systems
shall restart automatically on restoration of power without human interaction.

If power outlets and power supplies are required near field devices, they shall be mounted in fully
enclosed enclosures at heights not accessible to the general public. External exposed wall mounted
power outlets and/or power supplies are not acceptable. Camera lighting shall be on
generator/essential power.

2.1.10 Maintenance

The respective security system supplier shall either have trained maintenance staff or have a formal
maintenance contract with companies specialized in security systems maintenance.


The maintenance contract shall include both on-call and preventive maintenance. On-call response
time shall not exceed 2 hours. A clearly defined preventive maintenance schedule shall be followed
and maintenance reports shall be maintained at all times.

Routine performance checks of the security system shall be the responsibility of the respective
school. A maintenance register shall be maintained to register all security equipment failure, with
details on date & time of failure, type of failure, action taken, date of certification, etc. All failures and
intentional stoppage of the security system shall be reported to concerned government authorities in
writing.

Maintenance report, contract and register shall be made available to concerned government
authorities on request.

Quarterly maintenance shall include the following as minimum:

• Inspection and confirmation of correct operation of all CCTV equipment including time
synchronization of various security equipment, recording and storage

• Periodic full system tests to evaluate performance and configuration

• Inspection of field devices and cleaning of cameras, illuminators, etc.

• Rectification and/or reporting of site conditions that may affect the original intended performance or
purpose of the camera.

2.1.11 Documentation:

Respective contractor shall deliver the following documents on project hand over to ADEC and a
copy should be kept in the school to be made available to government authorities on request.

• Maintenance contract
• Trade license
• As Built Drawings
• Maintenance Manuals
• Operational Manuals
• List of people/offices having access to live and recorded video
• Risk assessment report

Control room shall have laminated site plan with camera icons and identification numbers.

2.1.12 Training:

Operators shall be trained for normal day to day operation of the CCTV system and for event
response. ADEC-nominated technical staff shall be formally trained on the system installed at the
facility, to perform system health check, review video recording and export it to external media
(CD/DVD/USB flash), etc. if required.


2.1.13 Signage:

Advisory CCTV signage shall be erected in locations that make all people entering the facility
aware that a CCTV system is in operation. The signage shall clearly state "CCTV Cameras in
operation" in both English and Arabic with a picture/icon of a camera.

2.1.14 General CCTV Distribution locations:

The locations, observation criteria and surveillance requirements listed below shall be covered
initially by cameras. Additional CCTV requirements will be based on the risk assessment of the team,
based on the past experience and lessons learned.

Reference: Abu Dhabi Police Guidelines


| S/N | Location | Observation Criteria | Surveillance Requirements |
|-----|----------|----------------------|---------------------------|
| 1 | Student Pick up & Drop off | Recognize | Vehicle Number Plate, type and color of vehicle, passenger and overview of surrounding area. Fixed cameras. PTZ cameras required for general surveillance |
| 2 | Landscape | Detect | Landscape cameras shall cover the school perimeter. |
| 3 | Main Entrance & Lobby | | |
| a | Main entrance | Identify | Both entry and exit view. Fixed cameras (WDR & IR) |
| b | Reception lobbies | Recognize | Fixed cameras and PTZ cameras for general surveillance |
| c | Cashier | Identify | Front view of the customer and transaction. Complete view of the counter with no dead zones. - Fixed cameras |
| 4 | Other Building Access points | | |
| a | Access points to all school buildings | Recognize | Entry & Exit view - Fixed cameras (WDR & IR) |
| 5 | Elevator Lobbies | | |
| a | Elevator lobbies in BOH, FOH and Car park where entry & exit from building is possible | Recognize | People entering and exiting elevators – Fixed cameras |
| 6 | Circulation Corridor | | |
| a | Circulation corridor on all floors | Recognize | Fixed cameras |
| 7 | Emergency Exit | | |
| a | Emergency exits on all school buildings where entry & exit from building is possible | Identify | Entry or exit view based on the direction of emergency exit. Fixed cameras (WDR & IR) |
| 8 | Staircases | | |
| a | Staircase on all floors | Recognize | |
| 9 | Canteen | | |
| a | All canteen entries | Recognize | Fixed cameras |
| b | Kitchen entry/exits | Recognize | Fixed cameras (WDR & IR) |
| c | Canteen Dining Area | | PTZ camera for general surveillance |
| d | Food delivery and storage areas | Recognize | Entry View - Fixed cameras |
| e | Cashier | Recognize | Fixed camera |
| 10 | Chemical Labs | Recognize | |
| 11 | Auditoriums / Ground / Play areas / Sports Hall / Swimming Pool | Recognize | |
| 12 | Entrances to Janitor room / Wash rooms / Stores | Recognize | |
| 13 | Inside school buses | Recognize | Minimum 3 fixed camera (WDR & IR) to cover the whole bus seating area. All video shall be recorded at 4 CIF/6.25 FPS |
| 14 | All outdoor cameras | | Shall be with IR illuminator (Min. 30 Meter) |


2.2 Technical Requirements as per Abu Dhabi Monitoring & Control Center (MCC)

2.2.1 General

In order to increase the security and safety of UAE, the MCC is requesting all the Educational
Institutions and their Transport in the Emirate of Abu Dhabi to enhance their CCTV systems in order
to meet the operational and technical requirements and to integrate them with the existing systems
(If required).

These are the technical requirements provided by the Monitoring and Control Center, in case they
require the schools to be connected to them for on-demand monitoring.

2.2.2 Technical Requirements

The ADEC Schools shall meet all the technical requirements mentioned below while designing and
implementing the system.

2.2.2.1 Cameras/Encoders
• IP Cameras/Encoders shall be compliant with H.264 base encoding profile.
• Each camera/encoder channel must be configurable with single dedicated IP address.
• IP cameras/encoders must support security features like HTTPS and 802.1x standards.
• The encoder/ IP camera shall be able to automatically start streaming according to last
known configuration when it is restarted/reset/rebooted.
• Cameras must support resolution from CIF to 4CIF/HD.
• HD quality day/night cameras with WDR above 120 dB and with backlight compensation
should be required for the main areas like Main Reception/Front Desk, main Lobby, main
entrance, drop-off area, Parking entrances/Exits, Kitchen main entrance door and CCTV
monitoring room entrance.
• I-Frame rate shall be at least one I-Frame once in every 1-4 seconds.
• FPS shall be selectable from 12 - 30 frames per second to allow proper video analytics of
the stream.
• Camera/Encoder streams shall be streamed as Transport RTP/UDP.
• Cameras/Encoders/VMS must support multicast streaming and the multicast addresses
will be defined by the MCC.
• IP cameras/Encoders shall not require having a heartbeat sent to video management
system.
• IP cameras/Encoders must support stamping on the live stream with camera location ID,
date and time.
• IP cameras/Encoders shall be synchronized to GPS time (NTP or similar based).
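
The checks below turn the camera/encoder requirements of 2.2.2.1 into an audit over a camera inventory. This is an added example, not part of the ADEC or MCC documents; the record fields, finding labels and sample fleet are constructed for illustration, and treating HTTPS or 802.1x that is switched off as a finding is an assumption (the specification asks for support).

```python
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional

# Overlay fields 2.2.2.1 requires on the live stream (field names are assumed).
REQUIRED_OSD = frozenset({"location_id", "date", "time"})


@dataclass(frozen=True)
class CameraConfig:
    """One camera/encoder channel. Hypothetical schema, not a vendor format."""
    camera_id: str
    ip_address: str
    codec_profile: str
    https_enabled: bool
    dot1x_enabled: bool
    stream_fps: int
    iframe_interval_s: float
    transport: str
    multicast_enabled: bool
    osd_fields: FrozenSet[str]
    ntp_server: Optional[str]
    resume_stream_on_boot: bool


def audit_camera(cam: CameraConfig) -> List[str]:
    """Return the 2.2.2.1 requirements this channel fails, as 'label: detail'."""
    findings = []
    profile = cam.codec_profile.lower()
    if "h.264" not in profile or "base" not in profile:
        findings.append("codec: not H.264 base profile")
    # The spec asks for HTTPS/802.1x support; "off" is flagged here by assumption.
    if not cam.https_enabled:
        findings.append("https: management interface not using HTTPS")
    if not cam.dot1x_enabled:
        findings.append("dot1x: 802.1x port authentication disabled")
    if not cam.resume_stream_on_boot:
        findings.append("boot: does not resume streaming after restart")
    if not 12 <= cam.stream_fps <= 30:
        findings.append(f"fps: {cam.stream_fps} outside 12-30")
    # "At least one I-frame every 1-4 seconds": only a longer gap is a failure.
    if cam.iframe_interval_s > 4:
        findings.append(f"iframe: interval {cam.iframe_interval_s}s exceeds 4s")
    if cam.transport.upper() != "RTP/UDP":
        findings.append(f"transport: {cam.transport} instead of RTP/UDP")
    if not cam.multicast_enabled:
        findings.append("multicast: multicast streaming disabled")
    missing = sorted(REQUIRED_OSD - cam.osd_fields)
    if missing:
        findings.append("osd: stream stamp missing " + ", ".join(missing))
    if not cam.ntp_server:
        findings.append("ntp: no time source configured")
    return findings


def audit_fleet(cams: List[CameraConfig]) -> Dict[str, List[str]]:
    """Per-channel findings plus the fleet-wide 'single dedicated IP' check."""
    report = {cam.camera_id: audit_camera(cam) for cam in cams}
    ip_use = Counter(cam.ip_address for cam in cams)
    for cam in cams:
        if ip_use[cam.ip_address] > 1:
            report[cam.camera_id].append(
                f"ip: {cam.ip_address} shared by {ip_use[cam.ip_address]} channels")
    return report


# Constructed sample inventory (documentation address range 192.0.2.0/24).
_BASE = CameraConfig(
    camera_id="CAM-01", ip_address="192.0.2.11", codec_profile="H.264 Baseline",
    https_enabled=True, dot1x_enabled=True, stream_fps=25, iframe_interval_s=2.0,
    transport="RTP/UDP", multicast_enabled=True, osd_fields=REQUIRED_OSD,
    ntp_server="192.0.2.1", resume_stream_on_boot=True)

SAMPLE_FLEET = [
    _BASE,
    replace(_BASE, camera_id="CAM-02", ip_address="192.0.2.12", https_enabled=False,
            stream_fps=8, iframe_interval_s=6.0, ntp_server=None),
    replace(_BASE, camera_id="CAM-03", ip_address="192.0.2.12", transport="RTP/TCP",
            osd_fields=frozenset({"date", "time"})),
]

if __name__ == "__main__":
    for cam_id, findings in audit_fleet(SAMPLE_FLEET).items():
        print(cam_id, "OK" if not findings else findings)
```
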


2.2.2.2 Video Management System


• The VMS must support failsafe mode: the CCTV system must be equipped with failover
servers, and if any NVR fails the VMS must be capable of automatic switchover of
configuration from the failed NVR to the standby NVR. Once the failed NVR comes back
online, the configuration should switch back automatically. All such switchovers must
occur without any loss in live monitoring and recording of the cameras associated with
that particular NVR.
• VMS must support Multicast streaming and external connection by a defined ICD (Interface
Control Document).
• VMS must allow connection to other systems through an IP based WAN or LAN.
• The VMS shall support providing a list of connected cameras to an external interface.
• The system shall support parallel REALTIME transition and transition of recorded replay.
• The VMS shall have the ability to stream in REALTIME the video of selected cameras/a
group of cameras/the whole cameras configured to VMS.
• The VMS shall have the ability to stream RECORDED channels of selected cameras/a
group of cameras/the whole cameras configured to VMS.
• The system shall allow selection of the required cameras to be transmitted based on the
camera ID (Name, Identification ....)
• The system shall allow selection of the required cameras to be transmitted based on a
defined time period (from [date], [hour], [min], to from [date], [hour], [min])
• The system shall include the video metadata of the cameras in the video transmission:
1. Location
2. Time stamp
3. Other recorded information
• The Local CCTV system shall be synchronized to GPS time (NTP or similar based).
• The broadcast process shall maintain the native cameras' performance in the domains of
resolution, frame rate and colored / B&W.
• The VMS vendor shall provide support for at least 3 years from the system commissioning,
or upgrade the system to the latest VMS version supported by the vendor.
• The VMS system vendor shall use a standard tool for replay of the video, or shall provide
the replay tool with its ICD.
• The Vendor/MCC shall supply the ICD, and MCC will determine whether it complies with
the OA. If it complies, MCC will approve it.
• The VMS shall support standard compression format H.264/MPEG-4 for the broadcast
video or lossless conversion to a standard compression format.
• The VMS should stream the video in real time and recorded, in a standard non encrypted
RTP/UDP protocol.


2.2.2.3 Servers

• The servers must be equipped with dual processors, dual power supplies and minimum
1Gbps dual communication Uplinks to network without any single point of failure.
• The servers designed must support failsafe by providing redundant/fail over servers
for recording and management.
• The CPU load of servers must not exceed an average of 70%.

2.2.2.4 Storage Units

• The storage units must be equipped with dual processors/controllers, dual power supplies
and dual network uplinks to NAS/SAN switches without any single point of failure.
• The recording system should be a unified NAS/SAN with minimum RAID5 or above
configured.
• The School is required to record on their DVRs/NVRs and to retain these recordings for a
defined period listed by the MCC.
• The hard disks required for recording must be enterprise level with minimum 7200
rpm.

2.2.2.5 Alarm Logs


The System is required to keep a detailed log file and to send alerts in the following events:

• Whenever the system dedicated cabinet for integration is opened (by means of a system
cabinet tampering switch - a HW switch that indicates whenever the cabinet is Opened or Closed)
• Loss of system communication
• Loss of camera signal
• System power down

The system logs should be available in a single log file for a period of 90 days during MCC's
inspection.
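
An inspection-time check of the log requirement in 2.2.2.5, as an added example that is not part of the ADEC or MCC documents. The log line format (timestamp, sequence number, event name, key=value fields), the event names and the ALERT_SENT record are all assumptions made for illustration, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical event names for the four alert conditions listed in 2.2.2.5.
ALERT_EVENTS = {"CABINET_OPEN", "COMM_LOSS", "CAMERA_SIGNAL_LOSS", "POWER_DOWN"}
RETENTION = timedelta(days=90)
# Assumed line layout: "<UTC timestamp> <sequence no.> <EVENT> [key=value ...]"
LINE_RE = re.compile(r"^(\S+) (\d+) ([A-Z_]+)(?: (.*))?$")


def parse_line(line):
    """Parse one log line into a record, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in (m.group(4) or "").split() if "=" in kv)
    return {"ts": ts.replace(tzinfo=timezone.utc), "seq": int(m.group(2)),
            "event": m.group(3), "fields": fields}


def audit_log(lines, inspection_time):
    """Check a single log file against the 2.2.2.5 expectations.

    Reports malformed lines, timestamps that step backwards (a time-sync or
    tampering indicator), gaps in the sequence numbers (possibly deleted
    entries), alert-class events with no matching ALERT_SENT record, and
    whether the file reaches back 90 days from the inspection time.
    """
    records, unparsed = [], []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            unparsed.append(lineno)
        else:
            records.append(rec)

    regressions = [b["seq"] for a, b in zip(records, records[1:]) if b["ts"] < a["ts"]]

    seqs = {r["seq"] for r in records}
    missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs) if seqs else []

    alerted = {int(r["fields"]["ref"]) for r in records
               if r["event"] == "ALERT_SENT" and r["fields"].get("ref", "").isdigit()}
    unalerted = [r["seq"] for r in records
                 if r["event"] in ALERT_EVENTS and r["seq"] not in alerted]

    earliest = min((r["ts"] for r in records), default=None)
    covers = earliest is not None and earliest <= inspection_time - RETENTION

    return {"unparsed_lines": unparsed, "clock_regressions": regressions,
            "missing_seq": missing, "unalerted": unalerted,
            "covers_retention": covers}


# Constructed sample log; identifiers such as INT-1 and CAM-07 are invented.
SAMPLE_LOG = [
    "2018-01-30T06:00:00Z 1 SYSTEM_START",
    "2018-02-10T07:12:44Z 2 CABINET_OPEN cabinet=INT-1",
    "2018-02-10T07:12:45Z 3 ALERT_SENT ref=2",
    "2018-03-02T21:40:10Z 4 CAMERA_SIGNAL_LOSS camera=CAM-07",
    "2018-03-02T21:39:58Z 5 ALERT_SENT ref=4",          # clock stepped backwards
    "2018-03-15T02:00:00Z 7 COMM_LOSS link=uplink-A",   # seq 6 absent, no alert
    "garbage line",
    "2018-04-20T13:05:00Z 8 POWER_DOWN source=mains",
    "2018-04-20T13:05:02Z 9 ALERT_SENT ref=8",
]
INSPECTION = datetime(2018, 5, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in audit_log(SAMPLE_LOG, INSPECTION).items():
        print(f"{key}: {value}")
```
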

2.3 Specifications & Scope of Services

This section of specifications and scope of services suggested by Abu Dhabi Education Council is to
provide the ADEC School with some recommendations and designs on the CCTV deployment.

The scope of the services required can be summarized as follows:

1. Overall design, procurement, supply, installation, testing and commissioning and
maintenance of “Turn-Key” IP-Based Digital Security Surveillance System (CCTV) as
mentioned in the Requirements
2. Design, configuration, graphics, detailed engineering and development, preparation of loop
drawings, shop drawings, updated CAD layouts and data sheets should be provided to the
respective schools


3. Supply of all specialist equipment or system specific tools required to operate and maintain
the system
4. Coordination with the respective school’s on-site personnel for the design and
implementation of the solutions
5. Project management as per the PMO Requirements
6. Training for School staff (Technical and end users)
7. Warranty and support services shall be for 3 Years
8. The bidder should note that the CCTV Cameras should cover the Corridors, Open spaces/
Grounds / Play-areas, Auditoriums, Sports Halls, Cafeterias, any hidden areas, School
Entrances & Exits, Stairs Entry/Exits, School gates, etc.
9. The bidder shall configure the required grid view on the school principal / Vice-principal /
security guard’s workstations and provide the required training along with the quick reference
manuals.
10. All the Cameras should be protected from unauthorized access on the network and should
be accessible only through proper credentials. All unnecessary services should be
stopped as per General ICTs Security Requirements on both the cameras and the related
servers.
11. As part of the Site-Survey, the bidder shall update and submit CAD diagrams with Camera
location and the respective bandwidth calculation reports.
12. The NVR Server shall have Internal Storage support of at least 20TB (Internal), and it
should be rack mountable and mounted on the respective school’s ICT specified rack
units on MDF only. No other accessories will be allowed to be kept outside without proper
mounting panels. Bidder should consider avoiding additional separate SAN Storage servers.
13. The Retention period of the CCTV footage should be 6 months at 8 - 15 fps.

The security system for ADEC Schools shall be user friendly and in harmony with the environment
of the school buildings. It is imperative that the field devices such as CCTV cameras blend with the
interior design of the building blocks. CCTV Camera Coverage is required for critical areas,
entrances, exits to monitor & secure the school building. Bidder shall evaluate with optimized count
and type of cameras based on site inspection for every school.

The buildings will require an Integrated Security System that is integrated with other third party
systems (BMS, Access Control etc) in future. The security systems design shall enable the security
of the building to be monitored within the Security Control Room and various Security Monitoring
Stations.

CCTV system shall enable continuous monitoring of dedicated areas, considered necessary for
safety and operational needs. The system must have the capability of local and remote monitoring.
All cameras must be IP based, some are day/night or Infrared type, high-resolution or better. Where
applicable, cameras shall be equipped with pan, tilt and zoom, if required. It should be easy to
configure the user interfaces with priority and restriction to access camera functions and selections.
Transmission shall be IP based and the system shall be interfaced / integrated to the main server /
streamer.


This shall include the following:

• IP Surveillance camera - Indoor
• IP Surveillance camera - Outdoor
• Camera housings, Junction boxes, Camera poles etc.
• Network Video recorders - NVR
• Video management Software - VMS
• Storage servers with RAID5
• IP Spot Monitor display or any equivalent solution
• All licenses and software required for the turnkey solution
• All accessories related to the solution
• Any passive cabling & civil works (if required)

2.3.1 IP Surveillance camera – Indoor IP Camera

The intent of this section is to specify the minimum criteria for Indoor IP Camera with embedded IR.

General specifications:

A. Interior cameras installed in areas with suspended ceiling, fixed tile or dropped grid shall be
provided in tamperproof dome enclosure with a protection class of IP66 mounted in the
ceiling. Additional tile or grid supports shall be provided to assure a solid installation. The
ceiling enclosure shall be fastened by a safety wire(s) attached to a secure building
structure that will help prevent accidental or unauthorized removal.
B. External cables shall be fully enclosed in flexible protective armor, from the camera mount
and enclosure back box to wall or ceiling mounted junction boxes.
C. Interior cameras installed in areas without suspended ceilings (or where a ceiling mount
would not be appropriate) shall be mounted with ¾” rigid pipe.
D. All external cables shall be fully enclosed in flexible protective armor or electrical conduit,
from the camera mount and enclosure back box to wall or ceiling mounted junction boxes.
All cable must be run by CAT6.
E. Camera wall mount shall be securely fastened to the wall with suitable anchors that shall
support the total camera structure without causing damage to the wall surface.

The camera shall meet the following minimum performance standards:

1. The system shall provide high-resolution, real-time video images, encapsulated in Internet
Protocol (IP) packets and presented through a 10/100BASE-T RJ-45 Ethernet network
connection.
2. The system shall provide dual video streams where each video stream can be configured
with individual resolution, quality, and frame rate settings.
3. The system shall provide options for constant bit rate (CBR) or variable bit rate (VBR) with
ceiling.
4. The system shall be capable of detecting activity within a pre-defined area of the image and
issuing notifications as a result.
5. The system shall support the following protocols: Dynamic Host Configuration Protocol (DHCP),
Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), Network Time Protocol (NTP),
Real-Time Transport Protocol (RTP), Real-Time Streaming Protocol (RTSP), Simple Mail
Transfer Protocol (SMTP), Secure Sockets Layer/Transport Layer Security (SSL/TLS),
Transmission Control Protocol/Internet Protocol (TCP/IP), Secure Real-Time Transport
Protocol (SRTP), Cisco Discovery Protocol, Bonjour, Simple Network Management Protocol
(SNMP), and Secure Shell (SSH).


6. The system shall also support Cisco Discovery Protocol (CDP), Bonjour Zero-Configuration
discovery or equivalent industry standard protocol.
7. The system shall provide quality of service (QoS) tagging based on IEEE 802.1p and
DiffServ standards.
8. The system is optionally preferred to support Micro SD local storage. In case of NVR failure,
the Camera shall record to the local storage.
9. Image control features shall include automatic white balance (AWB), automatic gain control
(AGC), automatic exposure shutter (AES), and auto/manual iris.
10. The system shall be capable of receiving firmware upgrades over the IP network.
11. The system shall provide one (1) alarm inputs and one (1) output, logic level programmable
or any other feature satisfying this requirement shall be considered.
12. System software shall allow configuration support for:
a. user definable detection areas
b. Time, date, and camera ID overlay
c. Selection of bit rate (constant or variable)
d. IP filtering: allowed or blocked addresses
13. IE 8.x or later browser configuration
14. The camera shall be able to be configured to synchronize its internal date and time to a
designated NTP server.
15. Access to the camera through the network shall be controlled by two user levels of
protection. Each level shall have its own configurable login credentials and provide
configurable privileges, which control access to camera features.
16. The camera shall provide a monochrome night mode operation. The camera shall provide
day/night functionality through an IR filter that automatically switches to night mode in low-
light scenes. This function shall be configurable to be manual, automatic, or scheduled
control.
17. The camera shall support Power over Ethernet (PoE) 802.3af, or through an optional
external power supply.
18. The network camera shall provide a Web client interface that can be used to view live and
recorded video, review and control relays and alarms, review and acknowledge events,
configure the gateway, and configure gateway users.
19. The network camera shall provide recording up to the following frame rates and resolutions
NTSC: 1280 X 960 @15fps and 1280 X 720 @30fps OR PAL: 1280 X 920 @12.5fps and
1280 X 720 @25fps or minimum of 1280 X 800 @ 30fps, 1280 X 720@ 30fps (720p)
20. The network camera shall communicate with the Microsoft® Internet Explorer® 6.0 or higher
or any other web-browsers
21. Video from the IP camera shall be compatible with Microsoft Windows® systems.
22. The network camera specified shall be an industrial grade, color, full-featured, high-speed at
least 1.3 megapixel network camera. The product is designed to meet or exceed industrial
and surveillance applications requiring a low power, low luminosity, environment resistant,
rugged video camera with IP network capability. It must be IEEE 802.3af Power-over-
Ethernet ready.
23. The network camera shall meet or exceed the following design and performance
specifications:
24. The high-resolution color camera specified shall incorporate a 1/3” or minimum 1/4” 1.3
Megapixel image sensor and a mechanical ICR varifocal lens.
25. Minimum light requirement to produce an image shall be approximately 0.06 Lux @ 10 IRE:
0.24 lux @ 50 IRE (Color mode: F1.2 @ 0.4 lux, Black and white mode: F1.2 @ 0.2 lux)
26. The camera shall provide an Auto Electronic Shutter (AES), 255 levels of sensitivity for
sharpness, saturation, brightness and contrast.
27. The cameras shall provide intelligent video. This includes Audio detection/Blur detection/ e-
PTZ/ Mirror/ Flip/ System log/ Snapshot/ CBR/VBR.
28. The manufacturer shall offer optional, licensable recording and playback software that
allows images to be recorded to an external server.


29. Images may be stored at a fixed periodic record rate and/or when triggered by motion
and/or external input. Playback shall allow all images recorded to be viewed forward or
backward in time with the licensable recording and playback software.
30. The camera shall record images as H.264, MPEG4 or Motion JPEG.
31. The camera shall provide integrated support for TCP/IP, UDP, HTTP, FTP, DNS, DHCP,
NTP, RTP, RTSP, ICMP, uPNP or any equivalent automatic discovery protocol.
32. The camera shall be capable of displaying streaming of an image simultaneously. Video
stream shall be selectable as main stream or sub stream.
33. No unique or proprietary client software shall be required for viewing or controlling the
camera.
34. General Camera Specs:
Image system
Image sensor: 1/3” or 1/4” 1.3 MP image sensor
Effective pixels: 1280 (H) X 1024 (V) or Minimum 1280 X 800
Image Compression Method: Triple Streaming: H.264/MPEG4/Motion JPEG
Image frame rate: up to 1280 X 960 @15fps, 1280 X 720 @30fps, 1280 x 800 @ 30 fps,
1280 x 720 @ 30 fps (720p)

35. Video port: BNC X1, 1.0Vp-p, 75Ω / RCA x 1

36. ENVIRONMENTAL SPECIFICATIONS


Operating temperature: -10ºC ~ +50ºC (14ºF ~ 122ºF)
Storage Temperature: -40° to +85° C
Humidity: 0% to 95% (non-condensing) @ 50° C

37. Warranty:
Three years labor and parts

38. Other specifications including;

a. Low light performance camera with auto iris
b. Wide Dynamic Range or any equivalent feature
c. Backlight compensation
d. Motion Detection
e. Anti-Vibration and Shock
f. Propose suitable Wide Angle Lens based on site (Maximum field of view is required)
g. Weather Proof and Vandal proof casing
h. IP rating is not less than IP 66
i. IR option if required
j. Encoder: H.264 and MJPEG
k. Minimum Illumination:
a) Color mode: F1.4 @ 0.4 lux
b) Black and white mode: F1.2 @ 0.2 lux

l. Resolution and Frame rate (H.264)

● 1280 x 800 @ 30 fps
● 1280 x 720 @ 30 fps (720p)
● 1024 x 576 @ 30 fps
● 960 x 544 @ 30 fps
● 720 x 480/576 @ 30/25fps
● 704 x 480/576 @ 30/25 fps (4CIF)
● 640 x 368 @ 30 fps


● 352 x 240/288 @ 30/25 fps (CIF)

m. Resolution and Frame rate (MJPEG)

● 1280 x 800 @ 30 fps
● 1280 x 720 @ 30 fps (720p)
● 1024 x 576 @ 30 fps
● 960 x 544 @ 30 fps
● 720 x 480/576 @ 30/25 fps
● 704 x 480/576 @ 30/25 fps (4CIF)
● 640 x 368 @ 30 fps
● 352 x 240/288 @ 30/25 fps (CIF)
n. Video Streaming

a. Single-stream H.264 up to 1280 x 800 @ 30 fps
b. Dual-stream H.264 and MJPEG
c. H.264: Primary stream programmable up to 1280 x 800 @ 30 fps
d. MJPEG: Secondary stream programmable up to 1024 x 576 @15 fps

o. Status Indicators
a. Power
b. Ethernet activity

2.3.2 IP Surveillance camera – Indoor Speed Dome (If required)

In addition to the specification requirements mentioned under 2.2.1 (Indoor Camera), the indoor
speed dome shall meet the following minimum requirements:

• Indoor speed Dome (Pan/tilt/zoom)
• H.264, MPEG-4 and MJPEG Triple Codec Compression
• Motion Detection
• Wide Dynamic Range or any equivalent feature
• Low light performance camera with auto iris
• Backlight compensation
• Minimum 12X Optical Zoom
• Minimum 12X digital Zoom
• 3D Privacy Masks for Private Area Protection
• ±0.1° preset accuracy
• Best available image sensor
• 1 DI/DO for External Alarm and Sensor Device
• Propose suitable Lens based on site (Maximum field of view is required)
• Field of View (wide and telephoto zoom)
  H: 54.1° (wide), 2.9° (tele) Full HD mode or as required
• Camera Angle Adjustment, Minimum of
  Pan: 360°
  Tilt: +0° to –92°
  Rotate: 350°


2.3.3 IP Surveillance camera – [Outdoor Camera with Built-in IR]

The intent of this section is to specify the minimum criteria for Outdoor IP Camera with embedded
IR.

General specifications:

A. Exterior cameras installed in areas of the school with pendant wall mount shall be provided
in tamperproof dome enclosure with a protection class of at least IP66 or more. Additional
tile or grid supports shall be provided to assure a solid installation. The ceiling enclosure
shall be fastened by a safety wire(s) attached to a secure building structure that will help
prevent accidental or unauthorized removal.
B. External cables shall be fully enclosed in flexible protective armor,
C. All external cables shall be fully enclosed in flexible protective armor or electrical conduit,
from the camera mount and enclosure back box to wall or ceiling mounted junction boxes.
All cable must be run by Ethernet CAT6.
D. Camera pendant wall mount shall be securely fastened to the wall with suitable anchors that
shall support the total camera structure without causing damage to the wall surface.

The camera shall meet the following minimum performance standards:

1. The network camera shall provide a Web client interface that can be used to view
live and recorded video, review and control relays and alarms, review and
acknowledge events, configure the gateway, and configure gateway users.
2. The network camera shall provide recording up to the following frame rates and
resolutions NTSC: 1920 X 1080 @15fps and 1280 X 720 @30fps or PAL: 1920 X
1080 @12.5fps and 1280 X 720 @25fps or 1920 x 1080 @ 30 fps (1080p), 1280 x
720 @ 30 fps (720p) or equivalent.
3. The network camera shall communicate with the Microsoft® Internet Explorer® 6.0
or higher or any other web browser. Video from the IP camera shall be compatible
with Microsoft Windows® systems.
4. The network camera specified shall be an industrial grade, color, full-featured, high-
speed 2.0 megapixel network camera. The product is designed to meet or exceed
industrial and surveillance applications requiring a low power, low luminosity,
environment resistant, rugged video camera with IP network capability. It is IEEE
802.3af Power-over-Ethernet ready and can also be powered directly. The camera
shall include a NTSC/PAL analog public view output.
5. The network camera shall meet or exceed the following design and performance
specifications:
a. The camera should have built-in IR.
b. The infrared distance shall be min 25 meters (80 feet), preferably 30
meters, based on the IR reflective properties of objects in view.
c. The high-resolution color camera specified shall incorporate a 1/3” or at
least 1/2.7” - 2 Megapixel image sensor and a mechanical ICR varifocal
lens.


d. Minimum light requirement to produce an image shall be approximately
0.08 Lux @ 10 IRE or Color mode: F1.2 @ 0.4 lux / Black and white mode:
F1.2 @ 0.2 lux or equivalent.
e. The camera shall provide an Auto Electronic Shutter (AES), multiple levels
of sensitivity for sharpness, saturation, brightness and contrast and
preferably few levels of WDR sensitivity.
f. The cameras shall provide intelligent video. This includes Audio
detection/Blur detection/ PTZ or any equivalent industry standards.
g. The camera shall support Micro SD/Micro SDHC Card up to 32GB. SD card
shall be able to store video in case upstream connectivity to the storage
server fails. Overwrite feature shall be included.
h. The camera shall support two-way audio.
i. The manufacturer shall offer optional, licensable recording and playback
software that allows images to be recorded to an external server.
j. Images may be stored at a fixed periodic record rate and/or when triggered
by motion and/or external input. Playback shall allow all images recorded to
be viewed forward or backward in time with the licensable recording and
playback software.
k. The camera shall record images as H.264, MPEG4 or Motion JPEG.
l. The camera shall provide integrated support for TCP/IP, UDP, HTTP, FTP,
DNS, DHCP, NTP, RTP, RTSP, ICMP, UPnP or any equivalent automatic
discovery protocol.
m. The camera shall be capable of displaying streaming of an image
simultaneously. Video stream shall be selectable as main stream or sub
stream.
n. No unique or proprietary client software shall be required for viewing or
controlling the camera.
6. General Camera Specs:
a) Image system
a. Image sensor: 1/3” or Min 1/2.7” MP image sensor
b. Effective pixels: 1920 (H) X 1080 (V)
c. Image Compression Method: H.264/MPEG4/Motion JPEG
d. Image frame rate: up to 1920 X 1080 @30fps, 1280 X 720 @30fps
e. Video port: BNC X1, 1.0Vp-p, 75Ω / RCA x 1
f. Audio in & out port: 3.5mm Phone Jack x 2
g. Alarm Ports: 2 in / 1 out
b) Electric System
a. Sync system: Internal
b. Built in lens : f=3~9mm, F1.2 Megapixel
c. Electronic shutter: NTSC: 1/10000s to 1/3.75s PAL: 1/10000s to 1/3.125,
selectable or 1/5 to 1/32,000 sec or equivalent
d. SD card slot: Micro SD/SDHC up to 32 GB
c) Networking
a. Ethernet : 1 x 10/100 base-T Ethernet connection for LAN/WAN
b. Network port: RJ45

c. Protocols: TCP/IP, UDP, HTTP, FTP, DNS, DHCP, NTP, RTP, RTSP,
ICMP, UPnP or any equivalent automatic discovery protocol
d) Power Specification:
a. Power requirement: DC 12V & AC 24V ± 10% / POE
b. Power connector: Screwless terminal block
c. Power consumption: MAX 5W
e) Infrared specifications
a. Infrared LED x24
b. Distance minimum ~25m (82ft) object-dependent
c. Wavelength 850nm
d. LED life over 10000 hours @ 50ºC/122ºF
f) ENVIRONMENTAL SPECIFICATIONS
a. Operating temperature: -20ºC ~ 50ºC (-40ºF ~ 122ºF)
b. Operating humidity: 10~90% RH
c. Storage temperature: -20ºC ~ 60ºC (-4ºF ~ 140ºF)
g) Physical Specification
a. Protection Class : Vandal Resistant, at least IP66 or more
h) CERTIFICATIONS
a. FCC, CE, RoHS
i) Warranty: Three years labor and parts

2.3.4 IP Surveillance camera –Outdoor PTZ Camera (If required)

In addition to the specification requirements mentioned under 2.2.3 (Outdoor Camera), the outdoor
camera shall meet the following minimum requirements;

Other specifications include:

• Outdoor Dome/Box type
• Minimum SD or 1 Megapixel resolution with 25 fps
• H.264, MPEG-4 and MJPEG Triple Codec Compression
• Motion Detection
• Wide Dynamic Range or any equivalent feature
• Backlight compensation
• Anti-Vibration and Shock
• Best available image sensor
• Low light performance camera with auto iris
• Propose suitable Lens based on site (Maximum field of view is required)
• Weather Proof and Vandal proof casing
• IP rating is not less than IP 66, but IP 67 is preferred.
• Preferably Built-in 802.3af Compliant Power over Ethernet (PoE)
• 3D Privacy Masks for Private Area Protection
• Minimum 18X Optical Zoom
• Minimum 10X digital Zoom
• 360º Endless Pan, 200º Tilt
• ±0.1° preset accuracy
• 1 DI/DO for External Alarm and Sensor Device


2.3.5 Video Surveillance Management System:

The intent of this section is to specify the minimum criteria for the design, configuration, installation,
and administration of the Video Surveillance Management System and its solution modules.

The Video Surveillance Management System is a platform solution optimized for applications to
view, store, and manage real-time and recorded video in a networked environment. The system
uses an open suite of URL-based programmatic interfaces to communicate with applications. The
Video Surveillance Management System provides a highly scalable and reliable platform to enable
customized, network-based surveillance applications.

The system shall manage storage of real-time video at any specified frame rate, duration, and
physical location on the network. The system shall provide flexible archiving capability in terms of
frame rate, duration, and location and shall utilize dynamic file allocation to ensure that the full
duration of the selected video stream will be recorded, regardless of lighting condition, motion, or
scene detail. It shall support access to the archived video, to seek to any point in the archive, to set
the pre and post time, and to loop that segment of the archive. The system will allow for redundant
multi-site video storage. The system shall provide a Management Console that shows the status of
CPU, Memory, Disk Usage, and traffic analysis. The system shall provide for automated discovery
and configuration of endpoints. The system shall provide for integration with other software
applications through an open and published Application Programming Interface (API) and shall
provide integration of any 3rd party IP camera in the market. Such applications shall include, but not
be limited to, access control, video analytics, and other alarms and sensor inputs. The system
analytics shall also be customizable by adding more features based on the schools' demand in the
future. The system shall be capable of running on a single physical server or distributed across the
network, scaling to handle thousands of cameras and users. The system shall provide for or have
the capability of interoperating with the functional modules providing the capability for multiple web-
based display consoles to configure, manage, display, and control video throughout the IP network;
multiple options to store video and audio; virtual matrix switching; client PC viewing; and, remote
encoding and storage.

The Video Management System (VMS) software shall have features for viewing live and recorded
video from IP cameras and video encoders connected to the local and wide area network. The VMS
software shall have a Client-Server based architecture that can be configured for large multi-site and
multiple server installations. Multiple client workstations shall be capable of simultaneously viewing
live and/or recorded video from a single or multiple servers. Multiple servers shall also be able to
simultaneously provide live and/or recorded video to a single or multiple workstation(s).

2.3.6 NVR and Storage Specifications:

The intent of this section is to specify the minimum criteria for the design, configuration, installation,
and administration of the NVR and its solution modules.

Minimum NVR Specifications:

The Servers should be designed to meet the performance and storage requirements of enterprise
video surveillance deployments. Intel® processors, multi-NICs, and hardware with a RAID5* option
are available. Front-accessible swappable hard drive storage ensures always-on recording, and
provides for future storage expandability. Enterprise-class hard drives ensure maximum reliability
and speed.

All Servers should come with the operating system and the VMS application pre-configured on the
drive, for plug-and-play operation. Servers should be scalable and must have the option to add
storage with external storage devices.

The servers must be equipped with dual processors, dual power supplies and minimum 1 Gbps dual
communication Uplinks to network without any single point of failure. The servers designed must
support failsafe by providing redundant/fail over servers for recording and management. The CPU
load of servers must not exceed an average of 70%.

1. Recording Resolutions (NTSC / PAL):
   1. 320 x 240 / 320 x 288
   2. 720 x 240 / 720 x 288
   3. 720 x 480 / 720 x 576
   4. 1280 x 1024 (1.3M)
   5. 1600 x 1200 (2M)
   6. 1920 x 1200 (2.2M)
   7. 2040 x 1530 (3.0M)
   8. 2560 x 1920 (5.0M)
2. Recording Modes: Continuous, motion detection, human detection, alarm activation, or scheduled recording
3. Internal Storage: Hard drive from 1TB to 24TB (w/OS)
4. Compression: MJPEG, MPEG4, or H.264
5. VGA Outputs: Built-in 1 VGA (DB15) and HDMI
6. Password Protection: Multiple levels of protection for setup functions, operation, and system exiting. Each user shall have user-assignable features
7. Motion Detection: Built-in motion detection for each camera to start recording or to increase the recording rate of the system
8. Motion Areas: Selectable detection area and sensitivity for each camera.
9. Languages: English and Arabic
10. Alarm/Motion Activation: Alarm input will start the unit recording or, if already recording, can increase the recording frame rate.
11. Pre-Alarm/Motion Recording: Records images for up to 10 seconds before the alarm sensor is activated and/or up to 30 minutes after (optional).
12. Bandwidth Throttling: Network throttling of transmitted video from 64 KB to unlimited
13. Alarm History Log: Available through a query
14. Remote Control: Full remote control operation of pan, tilt, and zoom (PTZ) functions through TCP/IP network with PC or Web client.
15. LAN/WAN Connection: Software and hardware are provided for viewing and controlling NVR over the network, including an exclusive remote-to-server connection feature.
16. Video Quality: High-quality video recording of at least 720x480; supports NTSC or PAL video.
17. Backup: A scheduled backup management system is provided to back up data to external devices that are mapped to the server (CD, NAS or other storage devices) without interrupting hard disk recording. Backup can also be done on a scheduled basis according to scheduling from web portal.
18. Hard Disk Drives: 24TB storage capability or archiving on external fiber channel connected storage arrays
19. Programming: On-screen programming and operation through a keyboard or mouse.
20. Digital Zoom: Digital zoom of the image on the screen during live and playback modes.
21. Authentication: Software is provided for image verification of each image recorded.
22. Help system: Provides a built-in help system containing the information manuals needed for faster reference by the user, at both the server and remote client.
23. View Favorites: Provides a mechanism to bookmark video events, name them, and retrieve by name.
24. Digital Zoom Indicator: Zoom functions in playback mode and provides a zoomed indicator up to 32X, and then returns to original resolution.
25. Instant Playback Feature: Provides the option of searching single or multiple cameras on Live screen at different times within the current calendar day (24 hour time period).
26. Video Loss Detection: Video loss events are linked to alarms that can trigger a relay and send an email notification.
27. ATM/POS COM PORT: Data interface support for up to 8 ATM/POS/Card Access Communication devices per server.
28. ATM/POS TCP/IP Communication: Data interface support for up to 16 ATM/POS devices per server.
29. Audio Listen-in: Allows client to listen to live or recorded events on one system at a time.
30. Software Upgrades: Upgrades are provided during warranty period at no charge.
31. System Health Check: Monitors and provides an error message if CPU components or hard disk drive operating parameters exceed their configured thresholds working in conjunction with Central Management System.
32. IP camera interface: Any IP manufacturer in the market
33. Human and Object detection: 16 channels of video analytics – monitoring human and object activities.

2.3.7 Storage

The system shall be designed with 6 months video storage with below recording parameters and
must have extremely smooth and fast write streaming performance while eliminating video frame
loss; it should have the option to eliminate all the locking latency during multiple accesses. The
video storage servers must have the ability to eliminate file system fragments and multi-stream
read-head for fast and smooth read performance and drive self-healing. Bidders must provide a GUI-based
monitoring tool for performance monitoring to ensure QoS.

The storage units must be equipped with dual processors/controllers, dual power supplies and dual
network uplinks to NAS/SAN switches without any single point of failure. The recording system
should be a unified NAS/SAN with minimum RAID5 or above configured. The Source is required to
record on their DVRs/NVRs all the Source channels and to retain these recordings for a defined
period (90 days).

The System is required to keep a detailed log file and to send alerts in the following events:

• Whenever the system's dedicated cabinet for integration is opened (by means of a system
cabinet tampering switch, a hardware switch that indicates whenever the cabinet is opened or
closed)
• Loss of system communication
• Loss of camera signal
• System power down

The system logs should be available in a single log file for a period of 90 days during MCCs inspection.
The hard disks required for recording must be enterprise-level, with a minimum of 7200 rpm.
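The logging and alerting requirement above can be checked mechanically before an inspection. The following is an added example, not part of the ADEC specification: the one-line-per-event layout and the event names (`CABINET_OPEN`, `CABINET_CLOSED`, `COMM_LOSS`, `CAMERA_LOSS`, `POWER_DOWN`, `HEARTBEAT`) are assumptions, since the specification does not define a log format, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Event names and line layout are assumptions made for this example; the
# specification lists the alert conditions but does not define a log format.
ALERT_EVENTS = {
    "CABINET_OPEN",  # cabinet tamper switch reports "opened"
    "COMM_LOSS",     # loss of system communication
    "CAMERA_LOSS",   # loss of camera signal
    "POWER_DOWN",    # system power down
}
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"EVENT=(?P<event>[A-Z_]+) SRC=(?P<src>\S+) ALERT=(?P<alert>sent|none)$"
)

# Constructed sample log (not taken from any real system).
SAMPLE_LOG = """\
2017-11-01T06:00:00Z EVENT=HEARTBEAT SRC=nvr-01 ALERT=none
2017-11-20T09:15:00Z EVENT=CABINET_OPEN SRC=cab-01 ALERT=sent
2017-11-20T09:40:00Z EVENT=CABINET_CLOSED SRC=cab-01 ALERT=none
2017-12-05T22:10:00Z EVENT=CAMERA_LOSS SRC=cam-17 ALERT=none
2017-12-19T03:02:00Z EVENT=POWER_DOWN SRC=nvr-01 ALERT=sent
2018-01-10T14:30:00Z EVENT=CABINET_OPEN SRC=cab-02 ALERT=sent
2018-01-10T14:31 garbled entry
2018-01-28T11:00:00Z EVENT=COMM_LOSS SRC=nvr-01 ALERT=sent
"""
INSPECTION_TIME = datetime(2018, 2, 1, tzinfo=timezone.utc)


def parse_line(line):
    """Return a record dict, or None when the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:  # digits in the right places but not a real date
        return None
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "event": m["event"],
        "src": m["src"],
        "alerted": m["alert"] == "sent",
    }


def audit_log(lines, inspection_time, retention_days=90):
    """Check one log file against the alerting and 90-day retention rules."""
    records, malformed = [], []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            malformed.append(number)  # unreadable entries weaken the audit trail
        else:
            records.append(record)
    records.sort(key=lambda r: r["ts"])

    # Alert-worthy events that were logged but never produced an alert.
    unalerted = [(r["event"], r["src"]) for r in records
                 if r["event"] in ALERT_EVENTS and not r["alerted"]]

    # Cabinets whose tamper switch reported "opened" with no later "closed".
    still_open = set()
    for r in records:
        if r["event"] == "CABINET_OPEN":
            still_open.add(r["src"])
        elif r["event"] == "CABINET_CLOSED":
            still_open.discard(r["src"])

    # Retention: the file must reach back to the start of the window, and long
    # silent stretches inside the window are reported for manual review.
    window_start = inspection_time - timedelta(days=retention_days)
    covers = bool(records) and records[0]["ts"] <= window_start
    points = ([window_start]
              + [r["ts"] for r in records if window_start <= r["ts"] <= inspection_time]
              + [inspection_time])
    max_gap = max(later - earlier for earlier, later in zip(points, points[1:]))

    return {
        "malformed_lines": malformed,
        "unalerted": unalerted,
        "cabinets_left_open": sorted(still_open),
        "covers_retention": covers,
        "max_gap_days": max_gap.days,
    }


if __name__ == "__main__":
    for key, value in audit_log(SAMPLE_LOG.splitlines(), INSPECTION_TIME).items():
        print(f"{key}: {value}")
```
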


2.3.8 Pre-approved Manufacturers List:

Below is the list of manufacturers that are pre-approved for the different components of the project.
The Bidders should comply and respond only with these approved manufacturers.

Security Systems

• CCTV Equipment:
  o Cisco
  o I3 International
  o Pelco
  o Bosch
  o Axis
  o Sony
  o Samsung
  o Honeywell
  o Any Other US-Canada / UK / Europe Brands

• NVR/VMS Solutions / Servers:
  o Cisco
  o I3 International
  o Pelco
  o Bosch
  o Axis
  o Sony
  o Samsung
  o Honeywell
  o Any Other US-Canada / UK / Europe Brands

• Passive Components, Cables & connectors:
  o 3M or Any Other US-Canada / UK / Europe famous Brands

Information & Communication Technology (ICT) Division

Abu Dhabi Schools ICT Infrastructure

Passive Components – Design Specifications

October 2013
Version 1.1
Abu Dhabi Schools ICT Infrastructure - Passive Components – Design Guidelines

Revision History

Revision Number | Revision Date | Summary of Changes | Author(s)
1.0 | 2012-09-13 | Final version prepared for Abu Dhabi Schools Program | Shueib Medani, Yousef Alreyami

Reviewers

Name | Role/Title | Date | Version
Hameed Jafar Sadiq | Senior Network Engineer | 2012-09-20 | 1.0
Shueib Medani | IT Project Manager | 2012-09-20 | 1.0
Lamis Al Shamisi | IT Project Manager | 2012-09-20 | 1.0
Badr Ali Hubais | Senior Planning Specialist | 2012-09-20 | 1.0

Approvals

Name | Role/Title | Date | Signature
Khaled Hassan | ICT Operations Section Manager | |
Yousef Alreyami | ICT PMO Section Manager | |
Ali Awlaqi | ICT Support Section Manager | |
Mohammad Younes | ICT Division Manager | |


Abu Dhabi Schools ICT Infrastructure - Passive Components – Design Specifications

Table of Contents
1 INTRODUCTION
1.1 Purpose of Document
1.2 Abbreviations and Acronyms
2 STAGES FOR ICT DRAWINGS PREPARATION/APPROVAL
3 DATA OUTLET DESIGN SPECIFICATIONS
4 IT ROOMS DESIGN SPECIFICATIONS
4.1 MDF room layout
4.2 IDF room Layout
5 INTERACTIVE BOARDS/PROJECTORS SPECIFICATIONS
6 ADDITIONAL SPECIFICATIONS FOR REFURBISHED SCHOOLS ONLY
6.1 Site Survey


1 INTRODUCTION

1.1 Purpose of Document


The purpose of this document is to provide a detailed scope and installation specifications for the
passive components of the ICT Infrastructure in Abu Dhabi Public Schools.

1.2 Abbreviations and Acronyms


The following abbreviations and acronyms are used in this document:
ABBREVIATIONS / ACRONYMS DEFINITION
ADEC Abu Dhabi Education Council
BOQ Bill of Quantity
CAD Computer Aided Design
IT Information Technology
MDF Main Distribution Frame
IDF Intermediate Distribution Frame
IP Internet Protocol
CCTV Closed Circuit Television
WAP Wireless Access Protocol
FPR Finger Print Reader

Table 1: Abbreviations and Acronyms


2 STAGES FOR ICT DRAWINGS PREPARATION/APPROVAL


The stages for implementing the complete solution for the passive components design are outlined
below:
1. Consultant marks IT points in the design drawings as per the design Specifications.
2. IT drawings review by ADEC.
3. IT drawings approval.
4. Tender.


3 DATA OUTLET DESIGN SPECIFICATIONS


Refer to the Data Outlet Distribution Specifications Document


4 IT ROOMS DESIGN SPECIFICATIONS


General Specifications:
1- Raised floor is not required in the MDF room unless there is a necessity.
2- Glass windows are not recommended in any IT room.
3- Power sockets in the MDF and IDF are 16amp industrial sockets, while in the ODF they are 13amp.
4- A dedicated AC unit is required in the MDF, while IDFs can be fed by dedicated AC units or by
cool fresh air.
5- UPS is required for the equipment in the MDF rack.
6- The first IDF “IDF1” should be in the same MDF room, as “the second rack”.

4.1 MDF room layout


The Main Distribution Frame (MDF) must adhere to the Specifications depicted in Figure 1 below.

Figure 1: MDF Room Layout Guideline


4.2 IDF room Layout

The Intermediate Distribution Frame (IDF) must adhere to the Specifications depicted in Figure 2 below.

Figure 2: IDF Room Layout Guideline


Figure 3: ODF room layout


5 INTERACTIVE BOARDS/PROJECTORS SPECIFICATIONS


ADEC uses interactive white boards in the teaching environment in most of the class rooms in the
schools. In order to operate these boards, the contractor has to prepare the necessary cabling and
faceplates in class rooms and labs and do the necessary termination.
Interactive boards are usually installed in the middle of the class rooms/labs. The cables and other
connections that link the board with the computer at the teacher desk should be installed hidden
inside the wall; “external trunking” is not allowed. A conduit of at least 30mm, or two 25mm conduits,
should be prepared for the mentioned cables.
• Two face plates are required: one at the back of the interactive board for the projector and
the other one near the teacher desk.
• A single data point connected to the network is required at the back of the interactive board.
• Interactive board connections to the teacher's PC are peer-to-peer connections.

The contractor should take into consideration the USB cable length limitation of 5.4m.
ADEC also uses interactive projectors in some of its schools. The same practice for the
cable/cable trunks for interactive boards will be applied: external trunking and exposed wires are not
allowed.


6 ADDITIONAL SPECIFICATIONS FOR REFURBISHED SCHOOLS ONLY

6.1 Site Survey


The site surveys will be conducted for all schools based on the list of schools provided by ADEC.

Scope and Specifications for Survey

The scope and specifications for the site survey activities are described below.
Note: The sequence and details of the tasks carried out during site survey are subject to change
during project implementation and shall be agreed between all stakeholders. Please refer to the latest
SIP for the survey process.
• Preparation of the site layout in AutoCAD format
• MDF/IDF Allocation
  o Acquire measurements/dimensions of each MDF/IDF.
  o The passive contractor should avoid placing MDF/IDFs in admin offices, teacher rooms,
    class rooms, kitchen, cafeteria, I.T lab and other labs without ADEC approval. If no other
    dedicated rooms can be identified, the passive contractor will choose the most suitable
    room and gain approval of the Principal; however, in all scenarios the passive contractor will
    submit an MDF/IDF room layout highlighting the location of the cabinets for School
    Principal/ADEC approval.
  o If partitioning is required for MDF/IDFs, this will be highlighted in the consolidated
    report.
  o A no objection certificate (NOC) from principals on MDF/IDF locations will be submitted.
• Outlet Distribution
  o Refer to the Data Outlet Distribution Specifications Document.

Information & Communication Technology (ICT) Division

Abu Dhabi Schools ICT Infrastructure

Passive Components – Data Outlet Distribution Specifications

October 2013
Version 1.2
Abu Dhabi Schools ICT Infrastructure - Passive Components – Data Outlet Distribution Specifications & scope
of work

Revision History

Revision Number | Revision Date | Summary of Changes | Author(s)
1.0 | 2012-09-13 | Final version prepared for Abu Dhabi Future Schools Program – Phase 4 | Shueib Medani, Yousef Alreyami
1.2 | 2013-10-02 | Document title, Time & attendance | Shueib Medani

Reviewers

Name | Role/Title | Date | Version
Hameed Jafar Sadiq | Senior Network Engineer | 2012-09-20 | 1.0
Shueib Medani | IT Project Manager | 2012-09-20 | 1.0
Lamis Al Shamisi | IT Project Manager | 2012-09-20 | 1.0
Badr Ali Hubais | Senior Planning Specialist | 2012-09-20 | 1.0

Approvals

Name | Role/Title | Date | Signature
Khaled Hassan | ICT Operations Section Manager | |
Yousef Alreyami | ICT PMO Section Manager | |
Ali Awlaqi | ICT Support Section Manager | |
Mohammad Younes | ICT Division Manager | |


Abu Dhabi Schools ICT Infrastructure - Passive Components – Data Outlet Distribution Specifications

Table of Contents
1 INTRODUCTION
1.1 Purpose of Document
1.2 Abbreviations and Acronyms
2 GENERAL GUIDELINES
3 CCTV OUTLETS INSTALLATION GUIDELINES
4 TIME ATTENDANCE/ACCESS CONTROL GUIDELINES


1 INTRODUCTION

1.1 Purpose of Document


The purpose of this document is to provide a detailed scope and installation guidelines for the passive
components of the ICT Infrastructure in Abu Dhabi Public Schools.

1.2 Abbreviations and Acronyms


The following abbreviations and acronyms are used in this document:
ABBREVIATIONS / ACRONYMS DEFINITION
ADEC Abu Dhabi Education Council
BOQ Bill of Quantity
CAD Computer Aided Design
IT Information Technology
MDF Main Distribution Frame
IDF Intermediate Distribution Frame
IP Internet Protocol
CCTV Closed Circuit Television
WAP Wireless Access Protocol
FPR Finger Print Reader

Table 1: Abbreviations and Acronyms


2 GENERAL GUIDELINES
• Outlet Distribution
  o At any given point the distance between the IDF and a network point will not be more than 90
    metres. Data outlet points exceeding 90 metres will be discussed with ADEC, especially
    where it affects the functionality of the area. WAP devices over 90 metres from the IDF
    will be reviewed between the contractor and Cisco.
  o All Security rooms within a school that are more than 90 metres from the nearest IDF
    will not be cabled for data outlets & WAP. Only those within the 90 metre range can be
    cabled.
  o The outlet distribution specifications table is to be implemented based on room usage
    and not room naming, since some of the names are out of date.
  o The contractor will follow the outlet distribution specifications table during the site's
    implementation. Any variance from these guidelines will have to go through a change
    request process.
  o The contractor will identify the locations of all network points and provide the required
    details in a consolidated report, the “Data outlet distribution report”, to ADEC for approval
    before starting the implementation phase.
  o The outlet distribution per room will be based on the ADEC specifications shown in “Table
    2” below.


Table 2 below illustrates ADEC's requirements of outlet distribution per room:

Type of Rooms | No. of Dual Outlet / Room | No. of Single Outlet / Room | Location of Points / Remarks
IT rooms | | |
MDF room, IDF, ODF | 0 | 0 |
Learning space | | |
Class room | 2 | 1 | One near teacher desk and in the back of the class, the single point is for the interactive board
SES room | 0 | 8 | One point for the interactive board
Science Lab | 1 | 4 |
IT LAB | 2 | 31 | Dual point near to the teacher desk
Music Room | 2 | 1 | One single point for the interactive board
ART Lab | 2 | 1 | One single point for the interactive board
Library (LRC) | 8 - 23 | 0 | As per design and school Cycle
Speech Therapy | 1 | 1 | One single point for the interactive board
Administration Space | | |
Principal office | 2 | 0 |
Vice Principal office | 2 | 0 |
Secretary room | 2 | 0 |
Teachers office | 1 per workstation | 1 | Dual data point per seat (workstation). One single point for MFP or scanner in the office
Teachers workshop | 2 | 0 |
Control room | 1 | | As per seating capacity
Meeting room | 2 | 0 | Floor box under the meeting room and connected to decorated outlets on the table.
Supervisors room | 2 | | As per seating capacity
Staff lounge | 1 | 1 | The single point for the LCD screen
Main Reception | | |
Circulation Desk | 2 | 0 |
Time Attendance (FPR) | 0 | 4 |
LCD screen | 0 | 1 |
Other Admin Space | | |
Accountant office | 2 | 0 |
Security room | 0 | 1 |
BMS room | 0 | 1 point for each device | Total number of points as per design
Guard room | 1 | 0 |
Storage Space | | |
Store | 0 | 0 |
Music equipment store | 2 | 0 |
Science lab preparation room | | |
Archive | 1 | 0 |
Janitor | 0 | 0 |
Other Spaces | | |
Prayer room | 1 | 0 | For telephone
Cafeteria/Canteen | 0 | 2 | One for telephone and the other for POS if required. It will be placed 1.5 meter high or where telephone can be placed
Kitchen | 0 | 1 | It will be placed 1.5 meter high or where telephone can be placed
Pantry | 0 | 1 |
Auditorium | 2 | 0 |
Rehearsal room | 0 | 1 |
Broadcasting room | | |
Multipurpose Hall “sports hall” | | |
Electrical Room | 2 | 0 |
Breakout Areas | 0 | 4 | As per design. Distributed across the area “main coverage it will be through WAP”
Social officer | 2 | 0 | Per seat (per station)
Parents Centre | 1 | 0 |
Nursery Rooms/Kids play area room inside the building | 2 | 0 |
Clinic or any other similar room like first aid room etc | 2 | 0 | 2 dual outlets per station
LV room | 0 | 1 |
Electrical Room | 2 | 0 |
MCC room | 0 | 1 | One single for each equipment
GSM room | 1 | 0 |
Clinic Space | | |
Doctor | 2 | 0 | Per seat (per station)
Nurse | 2 | 0 | Per seat (per station)
Sleeping area | 0 | 1 |
WAP / CCTV | | |
CCTV (Single) | 0 | 1 | 1 single point for each POE camera
WAP (Single) | 0 | 1 | 1 single point for each WAP point (total number will be defined by Cisco “after site survey”)

Note: The WAP and IP-CCTV points are considered single, but in case the two points are within 1 meter of each other,
one dual outlet shall be provided.

Table 2: Outlet Distribution Guideline


3 CCTV OUTLETS INSTALLATION SPECIFICATIONS


The CCTV points marking will be as follows:
• All the entrances and exits should be covered with CCTV points.
• All public areas should be covered with CCTV points. These locations are listed in more
detail below:
  o Main entrance in the ground floor.
  o Normal staircase (one CCTV in the first floor), as depicted below.
  o Staircase located in open area between classes (one CCTV in the first floor and one
    CCTV in the second floor), as depicted in the below snapshot.
  o Auditorium
  o Sports hall
  o Open ground areas (playground, assembly, football, etc.)
  o Exit points
  o Cafeteria/canteen
  o Play ground
  o Gym
• No CCTV outlets will be installed to monitor outside the school premises, and no CCTV
outlets will be installed inside any internal rooms (Classroom, Teacher's room, toilets,
changing areas, etc.).


4 TIME ATTENDANCE/ACCESS CONTROL GUIDELINES


Data points for time attendance machines and access control system should be marked in the
drawings as per the following guidelines.

1. Height: The data outlet should be fitted within 1 meter of the location agreed with
ADEC. The FPR is fitted and made active by another vendor.
2. Drawings: The FPR outlet should be identified on the drawing with a unique number
e.g. FPR01, FPR02, etc. A normal single outlet symbol will do.

Time attendance machines should be located at an accessible place in the reception, not blocked by furniture or any other fixtures.

Finger print and access control system distribution table

TYPE OF ROOMS | NO. OF DUAL OUTLET / ROOM | NO. OF SINGLE OUTLET / ROOM | REMARKS
Time Attendance
Main reception / staff entrance (Schools) | 0 | 4 |
Main reception / staff entrance (KGs) | 0 | 2 |
Access control
MDF room | 0 | 1 |
Security room “CCTV monitoring room” | 0 | 1 |
Science Lab preparation room “store” | 0 | 1 |
Examination control room | 0 | 1 |
Table 3: Time attendance & access control Guidelines

Information & Communication Technology (ICT) Division

Abu Dhabi Schools ICT Infrastructure

Passive Components – Specifications and Installation scope

October 2013
Version 3.1.1
Abu Dhabi Schools ICT Infrastructure - Passive Components – Specifications and Installation Specifications

Revision History

Revision Number | Revision Date | Summary of Changes | Author(s)
3.0 | 2012-09-13 | Final version prepared for Abu Dhabi Future Schools Program – Phase 4 | Shueib Medani, Yousef Alreyami
3.1 | 2012-10-10 | Minor updates. Included list of approved manufacturers for passive components | Shueib Medani
3.11 | 04-03-2013 | Single run of multimode 6 core fibre optic cable changed to two run of fibre optic cable (6 or 12 core multimode) | Shueib Medani
3.11.1 | 02-10-2013 | Document title, |

Reviewers

Name | Role/Title | Date | Version
Hameed Jafar Sadiq | Senior Network Engineer | 2012-09-20 | 3.0
Shueib Medani | IT Project Manager | 2012-09-20 | 3.0
Lamis Al Shamisi | IT Project Manager | 2012-09-20 | 3.0
Badr Ali Hubais | Senior Planning Specialist | 2012-09-20 | 3.0

Approvals

Name | Role/Title | Date | Signature
Khaled Hassan | ICT Operations Section Manager | |
Yousef Alreyami | ICT PMO Section Manager | |
Ali Awlaqi | ICT Support Section Manager | |
Mohammad Younes | ICT Division Manager | |


Abu Dhabi Schools ICT Infrastructure - Passive Components – Specifications and Installation scope


Table of Contents
1 INTRODUCTION
1.1 Purpose of Document
1.2 Abbreviations and Acronyms
2 STAGES FOR STRUCTURED CABLING PROJECT
3 PASSIVE COMPONENTS DESIGN
3.1 Data Outlet Distribution Specifications
4 INSTALLATION SPECIFICATIONS
4.1 Network Points Specifications
4.2 Cabling Specifications
4.3 MDF Cabinet Installation Guide
4.4 Patch Panel Specifications
4.5 General Cabinet Installation Specifications
4.6 Cabling System Labelling Specifications
4.7 CCTV Installation Specifications
4.8 Time attendance (FPR) Outlets Installation Specifications
4.9 Interactive Boards/projectors Installation Specifications
5 EQUIPMENT DETAILS AND SPECIFICATIONS
5.1 Face Plates
5.2 Cabling
5.3 Patch panel
5.4 Racks
6 ASSUMPTIONS AND ADEC RESPONSIBILITIES
7 TESTING PROCESS
8 HANDOVER PROCESS


1 INTRODUCTION

1.1 Purpose of Document


The purpose of this document is to provide a detailed scope and installation specifications for the passive components of the ICT Infrastructure in Abu Dhabi Public Schools.

1.2 Abbreviations and Acronyms


The following abbreviations and acronyms are used in this document:
ABBREVIATIONS / ACRONYMS | DEFINITION
ADEC | Abu Dhabi Education Council
BOQ | Bill of Quantity
CAD | Computer Aided Design
IT | Information Technology
MDF | Main Distribution Frame
IDF | Intermediate Distribution Frame
IP | Internet Protocol
CCTV | Closed Circuit Television
WAP | Wireless Access Protocol
FPR | Finger Print Reader

Table 1: Abbreviations and Acronyms


2 STAGES FOR STRUCTURED CABLING PROJECT


The stages for implementing the complete solution for the passive components are outlined below:
1. Implementation (pulling, termination and testing).
2. IT documents
o Data outlet distribution sheet.
o Data outlets test report.
o Port allocation sheet.
o Patch panel arrangement diagram.
3. As-Built Drawings/documents.
4. Handover and acceptance.


3 PASSIVE COMPONENTS DESIGN


The design of the passive component solution will be based on the consultant's design plans, which will include:

1. Site Floor Plan showing the schools layout, total number and placement of data points,
CCTV, Finger print, interactive boards/projectors and WAP points (to be done by Cisco).
2. MDF Rooms Layout showing the proposed location of cabinets within that room.
3. Site MDF/IDFs Physical Network Setup showing the physical layout of the cabinets,
positioning of patch panels and patch guides within the racks.

3.1 Data Outlet Distribution Specifications


Refer to the Data Outlet Distribution Specifications


4 INSTALLATION SPECIFICATIONS
The installation phase consists of the following general, high-level steps:
• Installation of MDF/IDF racks.
• Installation of patch panels and patch guides.
• Cat6 and fibre optic cable pulling.
• Cat6 and fibre optic cable termination.
• Cat6 and fibre optic cable testing.
• Labelling of MDF/IDF racks, cat6 patch panels, fibre patch panel, and patch cords.
• Installation of patch guides/cable managers (Horizontal/Vertical**) for Cisco equipment.
The approved site layouts and consolidated report will serve as the baseline for any school installation.

** The Contractor should provide horizontal cable managers for the calculated number of switches.

4.1 Network Points Specifications


• The standard height for all the network points other than IT Labs, CCTV and wireless will be 30 cm above floor level.
• A single outlet will be installed for each WAP.
• A single outlet will be installed for each CCTV point.
• If the locations of a WAP and a CCTV point are within one meter of each other, then one dual outlet shall be provided instead of two singles.
• If the ceiling of the facility where the WAP will be installed is too high or there is a baffle, the WAP should be installed on the nearest wall.
• The sports hall will not have any outlets, and it will only be covered by WAP as per ADEC specifications. The theatre/auditorium will have 2 dual outlets. However, in case the sports hall and the theatre/auditorium are shared (considered one room), the Contractor will consider this place a theatre/auditorium, and 2 dual outlets will be provided behind the stage as per the outlet distribution guideline table provided by ADEC.
• The maximum height of the outlets will be for the CCTV and wireless points, and it will not exceed 5 meters.


4.2 Cabling Specifications


• Cat6 cables will be grouped together based on their VLAN types, and each VLAN group of cat6 cables will be terminated together to the patch panel. For example, ports 01 to 12 will be for ADMIN and 13 to 42 for Teachers, etc. The picture below illustrates this in detail:

Figure 1: Sample VLAN illustration


• The following sequence should be followed when terminating the cat6 cables based on their VLAN types, to the patch panel:
o Admin VLAN
o Teacher VLAN
o IT Lab VLAN
o Library VLAN
o Access Point VLAN
o Security VLAN
o Facilities VLAN
• The exact route/length of cables can only be determined during the implementation phase. Therefore, minor changes (5%) might be expected in the handover documents.
• The table below shows the patch cords details that will be provided to each site:

PATCH CORDS DETAILS
LENGTH | USAGE | COLOUR | REMARKS
1 meter or 2 meter | Patching inside the cabinet based on the required length | As per assigned colour to each VLAN |
1 meter | Patching the WAP or CCTV to the cat6 outlet | White colour |
1 meter or 2 meter | Connecting the dedicated patch panel for WAP & CCTV to Cisco switch | As per VLAN type |
3 meter | End user | Blue |
2 meter | Connecting the fibre patch panel to Cisco switch | Any | LC – LC based on the patch panel type.
Table 2: Patch Cords Details

• The total number of UTP (Category 6) patch cords to consider is 110% for device end patch cords and 110% for the user end patch cords (including WAP and CCTV). This is to be distributed equally among the different patch cord colours.
• Two runs of 6 core multimode fibre optic cable or 12 core multimode fibre optic cable will be pulled between the MDF and all IDFs to support 10-Gb in each site.
• The structured cabling system will meet Category 6 requirements in ISO/IEC 11801, CENELEC EN 50173, and TIA/EIA 568B.
• Fibre sleeves implementation shall follow the standard Change Management process.
• A fibre tubing will be fixed around the FO cables going into the cabinets.
• A fibre tube will be fixed at the back of the vertical cable manager. This will be the route for the fibre optic patch cords going from the fibre optic patch panel to the switches.
• As per ADEC specifications, the passive contractor will provide different colours of patch cords. The details of these colours are given in the VLAN type table below; the table also shows the different room types assigned to each VLAN:


VLAN TYPE TABLE

VLAN ID | VLAN NAME | PATCH CORD COLOR | ROOM TYPE
100 | Management VLAN | Red | N/A
10-15 | Servers – (VLAN 11 – 15 for Virtualization) | Red | N/A
20 | Admin | Blue | (1) Admin. Control-Manager; (2) Broadcasting; (3) Clinic or any other similar room like first aid room etc; (4) Control Room; (5) Finance; (6) Kitchen; (7) Meeting Room; (8) Principal; (9) Reception; (10) Secretary; (11) Social Worker; (12) Store; (13) Vice-Principal; (14) Other Rooms (used by staff only ex: Conference Room, Accountant); (15) Time and Attendance Reader (FPR)
21-25 | Teachers | Yellow | (1) Art room; (2) Cafeteria; (3) Classroom/s; (4) Field 1 & 2 Office; (5) Lead Adviser; (6) Music Room/s; (7) Nursery Rooms/Kids play area room inside the building; (8) Other rooms (used by teachers and students. ex: Mosque, Play Area); (9) Physical educational Office; (10) Resource room; (11) Staff Offices / Teacher Offices; (12) Supervisor's Office; (13) Social Club; (14) Science Laboratory-1; (15) Sports hall/Stadium; (16) Theatre/ Auditorium
30-35 | IT Labs | Green | IT Lab
40 | Security VLAN: CCTV, access control | Orange |
41 | Facilities VLAN: LCP, BMS, CSP | Black |
50 | Voice IT Labs | |
51 | Voice Admin | |
52 | Voice Teachers | |
53 | Voice Library | |
60 | School name-Staff (wireless) | |
70 | School name-Student (wireless) | |
80 | School name-Guest (wireless) | |
90 | Library | Yellow | Library
110 | Access Point | Orange |
999 | Native | |

Table 3: VLAN Type
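
The grouping, sequence and colour rules of section 4.2 and the VLAN type table can be checked mechanically against a port allocation sheet, which is where an outlet terminated in the wrong block (and so patched onto the wrong VLAN) shows up. The following Python audit is an added example, not part of the ADEC specification; the sheet format, the `Port` and `Finding` types and the sample rows are assumptions, and the colour checked is the cabinet-side patch cord.

```python
from bisect import bisect_right
from typing import NamedTuple

# Termination sequence from section 4.2, with VLAN IDs and patch cord colours
# transcribed from the VLAN type table. List order is the required panel order.
TERMINATION_SEQUENCE = [
    # (group, first VLAN ID, last VLAN ID, patch cord colour)
    ("Admin",        20,  20,  "blue"),
    ("Teachers",     21,  25,  "yellow"),
    ("IT Labs",      30,  35,  "green"),
    ("Library",      90,  90,  "yellow"),
    ("Access Point", 110, 110, "orange"),
    ("Security",     40,  40,  "orange"),
    ("Facilities",   41,  41,  "black"),
]
PANEL_PORTS = 48  # the specification uses 48-port UTP patch panels


class Port(NamedTuple):      # one row of the (assumed) port allocation sheet
    number: int
    vlan_id: int
    cord_colour: str


class Finding(NamedTuple):
    port: int
    rule: str
    detail: str


def group_of(vlan_id):
    """Index into TERMINATION_SEQUENCE for a VLAN ID, or None if not listed."""
    for idx, (_, first, last, _) in enumerate(TERMINATION_SEQUENCE):
        if first <= vlan_id <= last:
            return idx
    return None


def longest_ordered_subset(indices):
    """Positions forming a longest non-decreasing subsequence of `indices`.

    Ports outside this subset are the smallest set that must be re-terminated
    to restore the grouping, so one stray port does not flag its neighbours.
    """
    tails, tail_vals = [], []          # best run endings, by run length
    prev = [None] * len(indices)       # back-pointers for reconstruction
    for pos, val in enumerate(indices):
        k = bisect_right(tail_vals, val)
        prev[pos] = tails[k - 1] if k else None
        if k == len(tails):
            tails.append(pos)
            tail_vals.append(val)
        else:
            tails[k], tail_vals[k] = pos, val
    keep, pos = set(), (tails[-1] if tails else None)
    while pos is not None:
        keep.add(pos)
        pos = prev[pos]
    return keep


def audit_panel(ports):
    """Check one panel's allocation sheet; return findings sorted by port."""
    findings, seen, ordered = [], set(), []
    for p in sorted(ports, key=lambda p: p.number):
        if not 1 <= p.number <= PANEL_PORTS or p.number in seen:
            findings.append(Finding(p.number, "port-number",
                                    "outside 1-48 or listed twice"))
            continue
        seen.add(p.number)
        idx = group_of(p.vlan_id)
        if idx is None:
            findings.append(Finding(p.number, "unlisted-vlan",
                                    f"VLAN {p.vlan_id} is not in the termination sequence"))
            continue
        name, _, _, colour = TERMINATION_SEQUENCE[idx]
        if p.cord_colour.strip().lower() != colour:
            findings.append(Finding(p.number, "colour",
                                    f"{name} needs a {colour} cord, sheet says {p.cord_colour}"))
        ordered.append((p.number, idx))
    keep = longest_ordered_subset([idx for _, idx in ordered])
    for pos, (number, idx) in enumerate(ordered):
        if pos not in keep:
            findings.append(Finding(number, "sequence",
                                    f"{TERMINATION_SEQUENCE[idx][0]} port sits outside its VLAN block"))
    return sorted(findings)


# Constructed sample sheet (not taken from the specification).
SAMPLE_SHEET = (
    [Port(n, 20, "blue") for n in (1, 2, 3)]
    + [Port(n, 22, "yellow") for n in (4, 5, 6)]
    + [Port(7, 40, "orange"),    # Security outlet terminated inside the Teachers block
       Port(8, 21, "yellow"),
       Port(9, 30, "blue"),      # IT Labs port patched with the Admin colour
       Port(10, 31, "green"),
       Port(11, 70, "yellow"),   # VLAN 70 is not in the termination sequence
       Port(12, 90, "yellow")]
)

if __name__ == "__main__":
    for f in audit_panel(SAMPLE_SHEET):
        print(f"port {f.port:02d} [{f.rule}] {f.detail}")
```

Yellow (Teachers and Library) and orange (Security and Access Point) are each shared by two VLAN groups in the table, so the colour check alone cannot tell those pairs apart; the sequence check is what catches a port moved between them.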


4.3 MDF Cabinet Installation Guide


The IDF 42U cabinet(s) must be installed as depicted in the image(s) below.

Figure 2: IDF 42U Cabinet Layout Guide


4.4 Patch Panel Specifications


• A single 48 port patch panel will be dedicated for WAP and CCTV points.

• A single 48 port patch panel will be dedicated for FACILITIES devices.

• Regardless of the number of patch panels used, the switches will always be fixed at the same reserved place in the cabinets as follows:

Figure 3: Patch Panel Arrangement

o In the 42U cabinets, the reserved space for the switches runs from U 22 to U 30, and all passive components can utilize the remaining free space in the cabinet, starting from the top to the bottom.

o The rack layout below for 42U cabinets depicts the above:

o In the 36U cabinets, the reserved space for the switches runs from U 16 to U 24, and all passive components can utilize the remaining free space in the cabinet, starting from the top to the bottom.

o The rack layout below for 36U cabinets depicts the above:

Figure 4: Patch Panel Arrangement

Figure 5: Patch Panel Arrangement

4.5 General Cabinet Installation Specifications


1. MDFs that also host IDF equipment must have separate cabinets for MDF equipment (Servers, Core
Switch, Router, Wireless LAN Controller), and IDF equipment (Access Switches).
2. No MDF equipment will be installed in the IDF cabinet.
3. No IDF equipment will be installed in the MDF cabinet.
4. All Fiber Optic patch panels will be 1U in height.
5. All Fiber Optic patch panels will be installed in the uppermost installation point in the cabinet below
the first horizontal cable manager (41U in 42U cabinet and 35U in 36U cabinet)
6. All Fiber Optic patch panels in the MDF will be 48 port panels
7. All Fiber Optic patch panels in the IDF will be 24 port panels
8. All Fiber Optic patch panels will be separated by a 1U horizontal cable manager
9. All Fiber patch panels will be used for a combination of splicing and termination of fiber-optic
building cable or outside plant (OSP) cables.
10. All Fiber patch panel front faceplates will accept standard simplex or duplex fiber-optic adapters to
provide flexibility.
11. All UTP patch panels will be 2U height
12. Maximum of three (3) UTP patch panels will be installed in the uppermost installation point in the
42U cabinet in the 38/39U position (below the Fiber patch panels and associated horizontal cable
management) and 35/36U position and 32/33U position.


13. Additional UTP patch panels will be installed in the remaining cabinet space beneath the space
reserved for active components (22U to 30U), with 1U cable management between patch panels
14. Maximum of three (3) UTP patch panels will be installed in the uppermost installation point in the
36U cabinet in the 32/33U position (below the Fiber patch panels and associated horizontal cable
management) and 29/30U position and the 26/27U position.
15. Additional UTP patch panels will be installed in the remaining cabinet space beneath the space
reserved for active components (16U to 24U), with 1U cable management between patch panels
16. All UTP patch panels will be 48 port panels
17. All UTP patch panels will be separated by a 1U horizontal cable manager
18. All patch panels (Fiber and UTP) will be labeled as per ADEC Passive Components Labelling Guide [1]
19. The Core Switch (Cisco Catalyst 4507R-E) must be installed at the 6U position in the cabinet in the
MDF
20. The Optical Termination Unit (OTU) must be installed at the 39U position in the cabinet in the MDF
21. The WAN Router (Cisco ISR 2911) must be installed at the 36U/37U position in the cabinet in the MDF
22. The Wireless LAN Controller (Cisco WLC 5508) must be installed at the 34U position in the cabinet in
the MDF
23. The IP Telephony (IPT) Voice Gateway (Cisco ISR 2921) must be installed at the 31U position in the
cabinet in the MDF
24. The first Access Switch (Cisco Catalyst 3750X) must be installed at the 30U position in the 42U
cabinets in the MDF
25. The first Access Switch (Cisco Catalyst 3750X) must be installed at the 24U position in the 36U
cabinets in the IDF
26. Additional Access Switches will be installed below the first Access Switch with a 1U horizontal cable
manager between each Access Switch
27. The first Power Distribution Unit (PDU) in 42U cabinets will be installed at the 16U position in the
rear of the cabinet
28. Additional PDUs will be installed below the first PDU in the rear of the cabinet with a 1U gap
between each PDU
29. The first Power Distribution Unit (PDU) in the 36U cabinets will be installed at the 10U position in the
rear of the cabinet
30. If there is an external 3G antenna for the Cisco ISR WAN Router it will be mounted on top of the
cabinet and secured to the cabinet
31. All equipment hosted in the MDF cabinet will connect directly to devices or to patch panels installed
within the MDF cabinet. No cross cabinet patching will be installed.
32. All equipment hosted in the IDF cabinet will connect to patch panels installed within the IDF cabinet.
No cross cabinet patching will be installed.
33. 1 meter and 3 meter UTP (Category 6) patch cords will be used for patching within the cabinet and
the appropriate colour used (as defined within the ADEC School Site Low-Level Design).

• Management VLAN: Red
• Servers VLAN: Red
• Admin VLAN: Blue
• Teachers VLAN: Yellow
• IT Labs VLAN: Green
• Security VLAN (CCTV, access control): Orange
• Library VLAN: Yellow
• Access Point VLAN: Orange
34. If equipment to be installed into a cabinet has no mounting kit, it must be placed on its own shelf,
and not on top of any other equipment in the cabinet.


35. Upon completion of an installation in a cabinet, the installed equipment, power or networking
cabling or cable management, must not prevent the cabinet doors from closing correctly, and should
not present a trip hazard.
36. All cabinets in the School Site must be positioned as defined in the MDF/IDF Room Layout Guide.
37. All cabinets in the School Site must be physically stable and prevented from moving. Casters or
wheels must be set in a ‘locked’ position and cabinet feet should be adjusted so that the cabinet is
stable and unmovable.
38. All cabinets in the School Site must be physically secured. Upon completion of the installation of a
cabinet, the installed cabinet must be locked using the door lock. All keys must be handed over to
the ADEC designated School Site key holder. ADEC Security Processes to be defined.
39. All equipment must be clearly labeled as per the ADEC Passive Component Labeling Guideline.
40. Each piece of equipment installed in the cabinet must have the ADEC supplied asset tag label,
located as per the ADEC labeling specifications.
41. All cabinets in the School Site must display the appropriate signage:
- Power Warning - Example 1
- Power Warning - Example 2

42. Any items (manuals etc) that need to be kept are clearly marked, and the Site Implementation
engineer has arranged for their storage or delivery to the ADSI Program team. No manuals are to be
stored in the cabinets.


43. Doors removed from cabinets must be re-installed in the cabinet from which they were removed,
before the Site Implementation Engineer leaves site.
44. Disposal of rubbish (e.g. packaging) is the responsibility of the Site Implementation engineer, unless
specifically agreed with ADEC Facilities Management, in which case rubbish should be clearly marked
for disposal.
45. The work area should be tidied at the end of each working day.
46. Each Cabinet must be fully earthed with direct links from the main busbar located in the electrical
panels supplying power to the cabinets.

Table 4: Cabinet installations specifications


Figure 6 : Sample patched cabinet


4.6 Cabling System Labelling Specifications


A separate document is produced for the passive component labelling specifications.

4.7 CCTV Installation Specifications


• In case the contractor submits an end to end solution for the CCTV system, the contractor should deliver Cisco switches similar to the ones used by ADEC. “ADEC approval is required before delivery”.

4.8 Time attendance (FPR) Outlets Installation Specifications


o Finger Print Reader (FPR) specifications are as below:
1. Location/s: will be provided by the ADEC/consultant in the design drawings.
2. Height: The data outlet should be fitted within 1 meter of the location agreed on.
The FPR is fitted and made active by another vendor.
3. Labelling: Data Outlet, Patch Panel Port and Patch cord – no extra or different
labelling required. The data outlet itself will be labelled as per a normal data outlet.
4. Patch Cords: Same as Admin VLAN
5. Number of points: Refer to the Data Outlet Distribution Specifications Document.
6. Drawings: The FPR outlet should be identified on the drawing with a unique number
e.g. FPR01, FPR02, etc. A normal single outlet symbol will do.


4.9 Interactive Boards/projectors Installation Specifications


Interactive Boards / Projectors
ADEC uses interactive white boards in the teaching environment in most of the class rooms in the schools. In order to operate these boards, the contractor has to prepare the necessary cabling and faceplates in class rooms and labs and do the necessary termination.
Interactive boards are usually installed in the middle of the class rooms/labs. The cables and other connections that link the board with the computer at the teacher desk should be installed hidden inside the wall; “external trunking” is not allowed. At least 30mm or two 25mm conduits should be prepared for the mentioned cables.
• Two face plates are required: one at the back of the interactive board for the projector and the other one near the teacher desk.
• A single data point connected to the network is required at the back of the interactive board.
• Interactive board connections to the teacher's PC are peer to peer connections.

The contractor should take into consideration the USB cable limitation of 5.4m.
ADEC also uses interactive projectors in some of its schools. The same practice for the cable/cable trunks for interactive boards will be applied: “external trunking/exposed wires” are not allowed.


5 EQUIPMENT DETAILS AND SPECIFICATIONS

5.1 Face Plates


The provided faceplates should be compliant with the British standards: single-gang flush mounted style that comes with 1 or 2 ports; decorative colour frames (navy blue and cyan blue); a flat design or angle design 86x86x21.9mm; compliant with UTP, FTP and STP; with high density reinforced plastic and label holder.

Figure 7: sample face plate

Figure 8 : Sample faceplate


5.2 Cabling
There are two types of cabling namely the horizontal cabling that uses copper cables and the
backbone in which fibre is utilised along with the appropriate connectors.
The following are the approved cable manufacturers for ADEC:

S/N | Brand Name | Origin Market
1 | 3M | USA
2 | Legrand | Europe
3 | Belden | USA
4 | Nexans | Europe
5 | Systimax | USA
6 | Leviton | USA

Table 5: cable manufacturers

Copper Cables
The cable used and agreed upon is CAT6.

Copper Connector (RJ45)


The RJ45 connector has the highest margin over the class E cat6 link standards. It is a tool-less
jack, reusable and includes a built-in shutter.

Fibre Cable
It is fully dielectric and fitted with aramid yarn for tensile strength. The tubes are filled with gel for protection against water. The core of the cable is also protected against water ingress by a swellable tape. The cable also has a UV stabiliser sheath that makes it suitable for outdoor usage.

Fibre Connector (LC)

The LC connector small form factor has become the most popular interface for optical equipment. The LC connector combines ease of installation with the advantage of spliceless direct termination in the patch panel and TOs.

5.3 Patch panel


Copper Patch Panels
The 48 port, 2 U patch panel offers the advantages mentioned below:
• Includes cable tray
• Automatically provides earth connection to jacks upon insertion
• Dust protection for jacks
• Flexible labelling facilities (port by port)

Fibre Patch Panels


The fibre patch panel should be made from robust powder coated steel, with a sliding drawer with a fixed stop for safe and easier termination. It comes with integrated tie fixing points for 2-4 fibre for horizontal cabling and 2 holes for backbone entry through PG glands. It also includes welded threads to fix and stack DIN splicing cassettes, and couplers enabling it to take different types of fibre connectors.

Blanking plug (cap)

Empty ports in patch panels must be filled with blanking insert plugs.

5.4 Racks
The specifications of the MDF and IDF racks are as follows:
MDF
1. 42U (800 x 1000mm)
2. Metal perforated front & back door with key locks
3. Removable side door panels with locks
4. Vertical Cable managers
5. Wheel base
6. Cooling fans (4 for the 42U rack)
7. Load rating 600 Kg
8. Unique key feature (i.e. one key can open all cabinets)
9. Castors
10. Black Colour (RAL9004)
11. Total 6 PDUs for two Racks (4 X 16AMP for MDF rack) and (2 X 16AMP for IDF-1 rack)
12. U height labels to be fitted to all 19” angles
13. Built in stabilizing legs.
14. Earthing straps to connect front and back doors to the base of the cabinets [Subject to
approval of earthing Change Request to be submitted to ADEC]

IDF
1. 36U (800 x 800mm)
2. Metal perforated front & back door with key locks
3. Removable side door panels with locks
4. Vertical Cable managers
5. Built in stabilizing legs
6. Cooling fans (4)
7. Load rating 600 Kg
8. Unique key feature (i.e. one key can open all cabinets)
9. Black Colour (RAL9004)

10. Total 2 PDUs (2 X 16AMP)
11. U height labels to be fitted to all 19” angles
12. Earthing straps to connect front and back doors to the base of the cabinets. [For new
cabinets only and not the existing ones. For the existing cabinets it is subject to approval
of earthing Change Request to be submitted to ADEC]


6 ASSUMPTIONS AND ADEC RESPONSIBILITIES


• ADEC has to provide the acceptance on the shop drawing within an agreed timeframe.
• The passive contractor will highlight anticipated key issues and risks, and it is ADEC’s responsibility to review and provide the acceptance. The report signed by ADEC will be the baseline for the passive contractor to start the installation.
• The passive contractor will propose the ideal location for the outlets and the MDF/IDFs for each site based on the available specifications provided by ADEC. However, the verification and final decision lie within ADEC's responsibility (“refurbished schools only”).
• The passive contractor will start the installation phase once the drawings are approved. Any variance from the approved shop drawings will have to go through a change request process.


7 TESTING PROCESS
• All Cat6 and fibre optic cables will be tested with a Fluke machine.
• The passive contractor will provide one PDF test results file for cat6 and fibre optic cables.
• All tested Cat6 cables should pass the Fluke test as long as the cable length does not exceed 90 meters. However, in some cases the cable may exceed the 90 meter limit, in which case it might pass the test depending on the testing parameters and cable condition.


8 HANDOVER PROCESS
Upon completion of site installation, the contractor will submit the following handover documents to ADEC:
1. Site Passive BOQ As-Built
2. Site Passive Test Results
3. Site Data Outlet Distribution Report As Built
4. Site Floor Plan As-Built
5. MDF Rooms Layout As-Built

Information & Communication Technology (ICT) Division

Abu Dhabi Schools ICT Infrastructure

Passive Components – Power and AC Specifications

October 2013
Version 3.1.1
Abu Dhabi Schools ICT Infrastructure - Passive Components – Power and AC Specifications

Revision History

Revision Number | Revision Date | Summary of Changes | Author(s)
3.0 | 2012-09-13 | Final version prepared for Abu Dhabi Future Schools Program – Phase 4 | Shueib Medani, Yousef Alreyami
3.1 | 2012-10-10 | Minor updates | Shueib Medani
3.1.1 | 02-10-2013 | Updated on Document title, purpose of document and server room power requirements. |

Reviewers

Name | Role/Title | Date | Version
Hameed Jafar Sadiq | Senior Network Engineer | 2012-09-20 | 3.0
Shueib Medani | IT Project Manager | 2012-09-20 | 3.0
Lamis Al Shamisi | IT Project Manager | 2012-09-20 | 3.0
Badr Ali Hubais | Senior Planning Specialist | 2012-09-20 | 3.0

Approvals

Name              Role/Title                       Date   Signature
Khaled Hassan     ICT Operations Section Manager
Yousef Alreyami   ICT PMO Section Manager
Ali Awlaqi        ICT Support Section Manager
Mohammad Younes   ICT Division Manager



Table of Contents
1 INTRODUCTION
    1.1 Purpose of Document
    1.2 Abbreviations and Acronyms
2 SERVER ROOM POWER REQUIREMENTS “MDF”
    2.1 MDF Devices Diagram
    2.2 Device List in MDF
3 IDF REQUIREMENTS
    3.1 IDF Devices Diagram
    3.2 Cisco C3750G Configuration Details
4 AIR CONDITIONING REQUIREMENTS
5 TYPE OF POWER SOCKETS
6 GENERAL POWER SOCKETS REQUIREMENTS


1 INTRODUCTION

1.1 Purpose of Document


The purpose of this document is to provide a detailed scope and installation specifications for the
passive components of the ICT Infrastructure in Abu Dhabi Public Schools.
The objective of the Power and AC specifications is to ensure that every school meets the proper
power and air conditioning requirements in all IDF (Intermediate Distribution Frame) rooms as
well as all MDF (Main Distribution Frame) rooms.

1.2 Abbreviations and Acronyms


The following abbreviations and acronyms are used in this document:
ABBREVIATIONS / ACRONYMS DEFINITION
ADEC Abu Dhabi Education Council
BOQ Bill of Quantity
CAD Computer Aided Design
IT Information Technology
MDF Main Distribution Frame
IDF Intermediate Distribution Frame
IP Internet Protocol
CCTV Closed Circuit Television
WAP Wireless Access Protocol
FPR Finger Print Reader

Table 1: Abbreviations and Acronyms


2 SERVER ROOM POWER REQUIREMENTS “MDF”

The MDF is the main server room in schools. This topology is applied to all
schools in the ADEC domain. The MDF will have two main cabinets: the first is for
the network devices, and the second is mostly used to host the first IDF in the
school. In addition, a UPS will be connected to both cabinets to distribute
power to all devices via a PDU supplied from the UPS.

Following is a diagram and list of all devices with the required power for each:

2.1 MDF Devices Diagram:


2.2 Device List in MDF

Networking

1 Device: Cisco 2821 Integrated Services Router
Total Power (Watts): 280          # of Power Cords: 2
Total Power (VA): 400             Quantity: 1
Total Thermal (BTU/hr): 956       Plug Type: IEC-60320-C13/14
Operating Voltages: 100 or 120 or 200 or 208 or 230

2 Device: Cisco 4402 Wireless LAN Controller
Total Power (Watts): 50           # of Power Cords: 2
Total Power (VA): 71              Quantity: 1
Total Thermal (BTU/hr): 171       Plug Type: IEC-60320-C13/14
Operating Voltages: 100 or 120 or 200 or 208 or 230

3 Device: Cisco ASA 5520
Total Power (Watts): 190          # of Power Cords: 2
Total Power (VA): 271             Quantity: 1
Total Thermal (BTU/hr): 649       Plug Type: IEC-60320-C13/14
Operating Voltages: 100 or 120 or 200 or 208 or 230

4 Device: Cisco Catalyst 4507R w/ two 4200 watt Redundant Mode HV
Total Power (Watts): 4200         # of Power Cords: 4
Total Power (VA): 5998            Quantity: 1
Total Thermal (BTU/hr): 14344     Plug Type: IEC-60320-C13/14
Operating Voltages: 100 or 120 or 200 or 208 or 230

Server

5 Device: BlueCoat Systems SG800-2 AC
Total Power (Watts): 211          # of Power Cords: 2
Total Power (VA): 301             Quantity: 1
Total Thermal (BTU/hr): 721       Plug Type: IEC-60320-C13/14
Operating Voltages: 100 or 120 or 200 or 208 or 230

6 Device: HP BladeSystem c3000 - Rackmount chassis only
Total Power (Watts): 621          # of Power Cords: 6
Total Power (VA): 887             Quantity: 1
Total Thermal (BTU/hr): 2121      Plug Type: IEC-60320-C13/14
Operating Voltages: 100 or 120 or 200 or 208 or 230

7 Device: The UPS Size and Type is: 10 KVA + 2 Battery Units
UPS Model: APC Smart-UPS RT 10,000VA RM 230V + SURT10000RMXLI + (2)SURT192RMXLBP
Battery Unit: (2)SURT192RMXLBP
Extra Power for future expansion: 30%
Runtime: 41 minutes

(The UPS will be dedicated to the equipment in the MDF room. If other equipment, “BMS or any
non-IT equipment”, is connected to the UPS, its power consumption should be calculated and the UPS
capacity might be increased to more than 10 KVA.)


3 IDF Requirements

3.1 IDF Devices Diagram

This is the individual distribution panel; it will get power from the room power outlet.


3.2 Cisco C3750G Configuration Details

Power Consumption/Heat Dissipation Summary

Product                                     Percentage of PoE Power used   Total PoE Output Power Available (W)   Total PoE Output Power Used (W)   Total PoE Output Power Remaining (W)   Total Heat Dissipation (BTU/Hr)
WS-C3750G-48PS                              80.43 %                        370.00                                 297.60                            72.40                                  527.28
Every IDF will have a total of 4 Switches                                  1480.00                                1190.4                            289.6                                  8436.48


4 Air Conditioning Requirements


Every server room (MDF) must have its own dedicated split unit AC with a dedicated power source. AC
requirements in MDF should meet the following specs:

1) 1.5 Ton
2) Minimum Temperature is 16
3) Humidity control from 65 – 85
4) Water Drainage

Every IDF should have an AC vent supplying cool air from the existing building AC.


5 Type of Power Sockets

S/N   Room type   Number of Sockets      Power Rate   Isolator
1     MDF         6 Industrial sockets   16amp        Required
2     IDF         2 Industrial sockets   16amp        Required
3     ODF         2 industrial sockets   13amp        NA


6 GENERAL POWER SOCKETS REQUIREMENTS

The selected vendor will be responsible for installing additional power sockets as per the following
requirements:

1) IT labs will have 32 dual sockets


2) Every Data point must have 1 dual power socket

Information & Communication Technology (ICT) Division

Abu Dhabi Schools ICT Infrastructure

Passive Components – Labeling Specifications

October 2013
Version 3.0
Abu Dhabi Schools ICT Infrastructure - Passive Components – Labeling Specifications

Revision History

Revision Number   Revision Date   Summary of Changes                                                      Author(s)
3.0               2012-09-13      Final version prepared for Abu Dhabi Future Schools Program – Phase 4   Shueib Medani, Yousef Alreyami

Reviewers

Name Role/Title Date Version

Hameed Jafar Sadiq Senior Network Engineer 2012-09-20 3.0

Shueib Medani IT Project Manager 2012-09-20 3.0

Lamis Al Shamisi IT Project Manager 2012-09-20 3.0

Badr Ali Hubais Senior Planning Specialist 2012-09-20 3.0

Approvals

Name              Role/Title                       Date   Signature
Khaled Hassan     ICT Operations Section Manager
Yousef Alreyami   ICT PMO Section Manager
Ali Awlaqi        ICT Support Section Manager
Mohammad Younes   ICT Division Manager



Table of Contents
1 INTRODUCTION
2 NAMING CONVENTION
    2.1 Site Type
    2.2 Site ID
    2.3 Distribution Frame Type
    2.4 Distribution Frame No.
    2.5 Device Role
    2.6 Face Plates
3 LABELLING SPECIFICATIONS
    3.1 Rack labelling
    3.2 CAT6 Labelling
        3.2.1 Cat6 Face Plate Labelling
        3.2.2 CAT6 Patch Panel Labelling
        3.2.3 CAT6 Patch Cord Labelling (MDF/IDFs)
    3.3 Fiber Optic Labelling
        3.3.1 Fiber Patch Panel Labelling
        3.3.2 Fiber Patch Cord Labelling
            3.3.2.1 On Intermediate Distribution Frames (IDF)
            3.3.2.2 On Main Distribution Frame (MDF)


1 INTRODUCTION
The purpose of this document is to provide the labelling specifications which the Passive
Contractor(s) will use during the implementation for all the ADEC sites. The labelling scheme has to be
approved by ADEC before the implementation phase. All labels will be printed using a label
machine [black on white, self laminating labels]. All labelling information will be recorded on the
final site layouts.


2 NAMING CONVENTION
Below is the list of abbreviations that will be used.
2.1 Site Type
• The site designator indicates the type of site. The table below depicts the types of sites which
exist in the ADEC network:

Site Type     Abbreviation
School        s
Zone Office   o

2.2 Site ID
• The site ID corresponds to the ADEC ERP site ID. The following naming convention rules
apply to the site ID field in the naming convention:
o The site ID will consist of three digits
o If the ERP site ID is less than three digits then leading zeros will be added to the ERP
site ID to remain consistent with the three digit rule.
• The table below depicts how the ERP site ID will be encoded as a site ID in the naming
convention:

ERP Site ID   Site ID
1             0001
12            0012
150           0150
1001          1001

2.3 Distribution Frame Type

• The DF type field in the naming convention represents the type of the distribution frame.
• The DF type will be represented in the naming convention using a single character.
• The table below depicts the different types of distribution frame and how they are encoded
into the naming convention:

Distribution Frame Name           Abbreviation
Main Distribution Frame           m
Intermediate Distribution Frame   i

2.4 Distribution Frame No.

• The DF number represents the number of the distribution frame per site.
• The following naming convention rules apply to the DF no. field in the naming convention:
o The DF no. will consist of two digits.
o If the actual DF no. is less than two digits then a leading zero will be added to the DF
no. in the naming convention.
• The table below depicts how the actual distribution frame number will be encoded as a DF no.
in the naming convention:

Distribution Frame Number   Abbreviation
1                           01
2                           02
15                          15

2.5 Device Role

• The device role field in the naming convention will indicate the role of the device in the
overall architecture.
• The table below depicts the abbreviations for the various components found within the ADEC
network which will be incorporated with the passive system:

Item Abbreviation
Core Switch csw
Access Switch asw
Router Rtr
Fiber panel fpp
UPS ups
WAN Optimization (WAAS) wop
Monitor mon
Server srv
WLC wlc

2.6 Face Plates

• The face plate field in the naming convention will indicate the abbreviation which will be used
for all points on the user side.

Item Abbreviation
Wireless Access Point W
IP CCTV C


3 LABELLING SPECIFICATIONS

3.1 Rack labelling

• All racks will be labelled with a proper naming convention [black on white, self laminating
labels].
• School names are to be labelled on the racks.
• The rack labelling will consist of 4 fields:
o The site type
o The School ID
o DF Type
o DF No. (for Intermediate Distribution Frame only)
• The table below shows examples of rack labelling:

Racks Labelling
Site Type   School ID   DF Type   DF No.   Example
S           453         m         -        S453-m
S           453         i         01       S453-i1

3.2 CAT6 Labelling


3.2.1 Cat6 Face Plate Labelling

• Each user side outlet shall be labelled on the space provided on the faceplate and the size of
the labelling will be the same as available in the 3M faceplate model.
• The “dual port” face plate label for the normal data/voice outlet will consist of 4 fields:
o The DF type
o DF No. (for Intermediate Distribution Frame only)
o The cat6 patch panel port ID (first port)
o The cat6 patch panel port ID (second port)
• The “single port” face plate label for the wireless access point and CCTV outlet will consist of
3 fields:
o The DF type
o DF No. (for Intermediate Distribution Frame only)
o The cat6 patch panel port ID (dedicated patch panel for WAP & CCTV)
• Inactive data outlets will have the same labelling but with an extra label on top of the faceplate
showing “inactive”.
• Each single inactive outlet will have a separate label showing the inactive status of the port.
However, if both dual outlets are inactive then one label per outlet will be used.
• The table below shows examples of face plate labelling:

Face Plate Labelling
DF Type   DF No.   CAT6 Patch Panel Port ID   CAT6 Patch Panel Port ID   Example
i         1        W01                        N/A                        i01-W01
i         2        C02                        N/A                        i02-C02
i         12       C20                        N/A                        i12-C20
i         3        5                          6                          i03-5/6


3.2.2 CAT6 Patch Panel Labelling

• Each patch panel shall be labelled on the space provided for labelling and the size of the
labelling will be the same as available in the 3M patch panel.
• The ports on the data/voice patch panels will be labelled in sequence, so it will be from 1 to 48 for
patch panel 1, and from 49 to 96 for patch panel 2, and so on.
• The last data/voice patch panel may not be fully populated, e.g. when the number of data outlets
required is less than 48, 96, 144, etc.
• The left side half of the Wireless Access Points and CCTV patch panel will be dedicated to
wireless points starting from W1 to W24
• The right side half of the same patch panel will be dedicated to CCTV points starting from C1
to C24
• The table below shows examples of patch panels labelling:

3.2.3 CAT6 Patch Cord Labelling (MDF/IDFs)

• All patch cords in MDF/IDFs will be labelled [black on white, self laminating labels].
• Sticker labels will be used to label both ends of each cable with the same label.
• The patch cord from the DF side will be labelled. The patch cords from the user side (desktop)
will not be labelled.
• The cat6 patch cord label for IDFs will consist of 3 fields:
o The switch name
o The switch port ID.
o The cat6 patch panel port ID which the switch is connected to.
• The table below shows examples of cat6 patch cord labelling for IDF:

CAT6 Patch Cord Labelling (IDFs)
Switch Name       Device Port ID   Patch Panel Port ID   Example
s453-i12-asw001   02               02                    asw001-02-02
s453-i12-asw002   03               51                    asw002-03-51
s453-i12-asw003   15               111                   asw003-15-111

• The cat6 patch cord label for MDF will connect between the Wireless Controller and the Core
Switch, and will consist of 4 fields:
o Device name (Wireless Controller)
o Port number of the Device (Wireless Controller)
o Device name (Core Switch)
o Slot number/Port number of the device (Core Switch)

• The table below shows examples of cat6 patch cord labelling for MDF:

CAT6 Patch Cord Labelling (MDF)
Device Name   Device Port ID   Device Name   Device Port ID   Example
WLC           1                CSW           1/7              WLC1-CSW1/7
WLC           2                CSW           1/8              WLC2-CSW1/8
WLC           3                CSW           2/7              WLC3-CSW2/7
WLC           4                CSW           2/8              WLC4-CSW2/8
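
The naming rules above can be checked mechanically before the as-built documents are accepted, so that the port-to-outlet records can be trusted later. The following is an added example, not part of the ADEC specification: the device-name layout is inferred from names such as s453-i12-asw001, the 3-or-4-digit site ID and the record format passed to `audit` are assumptions, and the sample labels are constructed.

```python
import re

# Device-role abbreviations from the Device Role table (matched case-insensitively).
ROLES = {"csw", "asw", "rtr", "fpp", "ups", "wop", "mon", "srv", "wlc"}
PORTS_PER_PANEL = 48  # data/voice panels are numbered 1-48, 49-96, ...
MAX_WAP_CCTV = 24     # W1-W24 and C1-C24 on the dedicated WAP/CCTV panel

# Assumed device-name layout, inferred from names such as s453-i12-asw001:
# <site type><site ID>-<DF type><DF no.>-<role><3-digit unit>
DEVICE_RE = re.compile(
    r"^(?P<site_type>[so])(?P<site_id>\d{3,4})-(?P<df_type>[mi])(?P<df_no>\d+)-"
    r"(?P<role>[A-Za-z]{3})(?P<unit>\d{3})$")
# Face plate: i01-W01, i02-C02 (single port) or i03-5/6 (dual port)
FACEPLATE_RE = re.compile(
    r"^(?P<df_type>[mi])(?P<df_no>\d*)-"
    r"(?:(?P<kind>[WC])(?P<port>\d+)|(?P<first>\d+)/(?P<second>\d+))$")
# IDF patch cord: <switch short name>-<switch port>-<patch panel port>
PATCH_CORD_RE = re.compile(
    r"^(?P<switch>[a-z]{3}\d{3})-(?P<switch_port>\d+)-(?P<panel_port>\d+)$")


def check_device_name(name):
    """Return the rule violations for a device name (empty list means valid)."""
    m = DEVICE_RE.match(name)
    if not m:
        return ["does not match <site><id>-<df><no>-<role><unit>"]
    errors = []
    if len(m["df_no"]) != 2:
        errors.append(f"DF no. '{m['df_no']}' is not two digits")
    if m["role"].lower() not in ROLES:
        errors.append(f"unknown device role '{m['role']}'")
    return errors


def check_faceplate(label):
    """Return the rule violations for a face plate label."""
    m = FACEPLATE_RE.match(label)
    if not m:
        return ["does not match <df><no>-<port or port/port>"]
    errors = []
    if m["df_type"] == "i" and len(m["df_no"]) != 2:
        errors.append(f"IDF no. '{m['df_no']}' is not two digits")
    if m["df_type"] == "m" and m["df_no"]:
        errors.append("DF no. is used for IDFs only")
    if m["kind"] and not 1 <= int(m["port"]) <= MAX_WAP_CCTV:
        errors.append(f"{m['kind']} port {m['port']} outside 1-{MAX_WAP_CCTV}")
    return errors


def patch_panel_for(port):
    """Number of the data/voice patch panel (1-based) that carries a port ID."""
    return (port - 1) // PORTS_PER_PANEL + 1


def check_patch_cord(label, known_switches):
    """Check an IDF patch cord label against the switches found in that frame."""
    m = PATCH_CORD_RE.match(label)
    if not m:
        return ["does not match <switch>-<switch port>-<panel port>"]
    errors = []
    if m["switch"] not in known_switches:
        errors.append(f"switch '{m['switch']}' not in the device list")
    if int(m["panel_port"]) < 1:
        errors.append("patch panel port IDs start at 1")
    return errors


def audit(records):
    """records: (kind, label) pairs for one distribution frame.
    Returns {label: [violations]} for the labels that break a rule."""
    known = set()
    for kind, label in records:
        m = DEVICE_RE.match(label) if kind == "device" else None
        if m:
            known.add((m["role"] + m["unit"]).lower())
    checks = {"device": check_device_name, "faceplate": check_faceplate,
              "patchcord": lambda lbl: check_patch_cord(lbl, known)}
    findings = {}
    for kind, label in records:
        check = checks.get(kind)
        errors = check(label) if check else [f"unknown record kind '{kind}'"]
        if errors:
            findings[label] = errors
    return findings


# Constructed sample rows, shaped like an as-built report for one IDF.
SAMPLE = [
    ("device", "s453-i12-asw001"), ("device", "s453-i12-asw003"),
    ("device", "s453-i1-asw002"),    # DF no. without leading zero
    ("device", "s453-i12-fwl001"),   # role not in the Device Role table
    ("faceplate", "i12-W01"), ("faceplate", "i12-5/6"),
    ("faceplate", "i12-C25"),        # CCTV ports stop at C24
    ("patchcord", "asw003-15-111"),
    ("patchcord", "asw009-01-07"),   # switch missing from the device list
]

if __name__ == "__main__":
    for label, errors in audit(SAMPLE).items():
        print(f"{label}: {'; '.join(errors)}")
    print("port 111 is on data/voice patch panel", patch_panel_for(111))
```
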

3.3 Fiber Optic Labelling


3.3.1 Fiber Patch Panel Labelling

• Each 3 duplex ports (i.e. 6 ports) will be assigned for a single DF.
• The fiber optic patch cord label will consist of 3 fields:
o The distribution frame type and No. (For Intermediate Distribution Frame)
o The fiber optic patch panel port ID (duplex)
• The table below shows how fiber optic patch panels must be labelled in DFs:

Fiber Patch Panel Labelling (On Main Distribution Frame)

1       3       5       7       9       11      13      15      17      ……   23
2       4       6       8       10      12      14      16      18      ……   24
i1-01   i1-02   i1-03   i2-04   i2-05   i2-06   i3-07   i3-08   i3-09

Fiber Patch Panel Labelling (On Intermediate Distribution Frame 1)

1      3      5      7      9      11
2      4      6      8      10     12
m-01   m-02   m-03

Fiber Patch Panel Labelling (On Intermediate distribution Frame 3)

1      3      5      7      9      11
2      4      6      8      10     12
m-07   m-08   m-09

3.3.2 Fiber Patch Cord Labelling

• The fiber optic patch cord label will consist of 3 fields:
o The switch name.
o The port ID of the switch.
o The duplex port ID from the fiber patch panel that the switch is connected to.

3.3.2.1 On Intermediate Distribution Frames (IDF)

• On a standalone switch: a fiber patch cord will be connected from the first duplex port on
the fiber patch panel to uplink port 1/1/1 (G1) on the switch. And a fiber patch cord will be
connected from the second duplex port on the fiber patch panel to uplink port 1/1/2 (G2).
• The table below shows examples of fiber optic patch cord labelling on a standalone switch:

Access Switch (Standalone) Fiber Optic Patch Cord Labelling
Switch Name       Switch Uplink Port ID   Patch Panel Port ID   Example
s453-i01-asw001   G1                      01                    asw001-G1-01
s453-i1-asw001    G2                      02                    asw001-G2-02

• On a switch stack of 4 switches: a fiber patch cord will be connected from the first duplex
port on the fiber patch panel to uplink port 1/1/1 (G1) on the switch. And a fiber patch cord
will be connected from the second duplex port on the fiber patch panel to the first port in the
last switch which is uplink port 4/1/1 (G1).
• The table below shows examples of fiber optic patch cord labelling on a switch stack of 4
switches:

Access Switch (Stacked) Fiber Optic Patch Cord Labelling
Switch Name       Switch Uplink Port ID   Patch Panel Port ID   Example
s453-i02-asw001   G1                      04                    asw001-G1-04
s453-i02-asw004   G1                      05                    asw004-G1-05

3.3.2.2 On Main Distribution Frame (MDF)

• Each 3 ports in the fiber optic patch panel will be reserved for one Intermediate Distribution
Frame. For example:
o Ports 1, 2, & 3 are assigned for i1
o Ports 4, 5, & 6 are assigned for i2, etc…

(A) For IDF1 (i1)

• Two fiber patch cords will be connected from:
1. The first duplex port on the fiber patch panel (i1-01) to uplink 1/11 in slot-1 on the
core switch, as per Active Components LLD Port Reservations.
2. The second duplex port on fiber patch panel (i1-02) to uplink 2/11 in slot-2 on the
core switch, as per Active Components LLD Port Reservations
• The table below shows examples of fiber optic patch cord labelling:

Fiber Optic Patch Cord Labelling for Core Switch s453-m01-csw001
Core Switch Slot ID/Port ID   Fiber Optic Patch Panel Port ID   Example
1/11                          i1-01                             csw001-1/11 – i1-01
2/11                          i1-02                             csw001-2/11 – i1-02

(B) For IDF2 (i2)

• Two fiber patch cords will be connected from:
1. The fourth duplex port on the fiber patch panel (i2-04) to uplink 1/12 in slot-1 on the
core switch, as per Active Components LLD Port Reservations.
2. The fifth duplex port on the fiber patch panel (i2-05) to uplink 2/12 in slot-2 on the
core switch, as per Active Components LLD Port Reservations.
• The table below shows examples of fiber optic patch cord labelling:

Fibre Optic Patch Cord Labelling for Core Switch s453-m01-csw001
Core Switch Slot ID/Port ID   Fibre Optic Patch Panel Port ID   Example
1/12                          i2-04                             csw001-1/12 – i2-04
2/12                          i2-05                             csw001-2/12 – i2-05

• The table below shows how the slots on the Core Switch in the MDF will show:

Slots on Core Switch
Slot-1   port 1/1   .........   port 1/12   port 1/13   .........   port 1/24
Slot-2   port 2/1   .........   port 2/12   Port 2/13   .........   Port 2/24


• Core Switch (for schools) – Slot 1 & 2 Port Reservations ‘Active Components LLD Port
Reservations’ Table

Port Reservation Reason
1 WAN Router
2 IPT Router
3 Core Infrastructure
4 Core Infrastructure
5 Core Infrastructure
6 Core Infrastructure
7 Wireless LAN Controller
8 Wireless LAN Controller
9 Wireless LAN Controller
10 Wireless LAN Controller
11 Switch Stack Connectivity
12 Switch Stack Connectivity
13 Switch Stack Connectivity
14 Switch Stack Connectivity
15 Switch Stack Connectivity
16 Switch Stack Connectivity
17 Switch Stack Connectivity
18 Switch Stack Connectivity
19 Switch Stack Connectivity
20 Switch Stack Connectivity
21 Server Connectivity
22 Server Connectivity
23 Server Connectivity
24 Server Connectivity

This will need to be reviewed for individual Zone Offices


Shape 1: Sample VLAN color codes & Labeled patch cords

Information & Communication Technology (ICT) Division

Abu Dhabi Schools ICT Infrastructure

Scope of Work and Specifications for


Projectors and Interactive Board Systems

October 2013

Version 2.2
Revision History

Revision Number   Revision Date   Summary of Changes                                                      Author(s)
2.0               2012-09-13      Final version prepared for Abu Dhabi Future Schools Program – Phase 4   Yousef Alreyami
2.1               2012-10-10      Minor updates                                                           Yousef Alreyami, Shueib Medani
2.2               04-03-2013      - Required devices/ equipments.                                         Shueib Medani
                                  - new paragraph 1.3.3 Interactive boards height
                                  - 1.3.3 AV cables / Cords.
                                  - 1.3.4 external trunking / exposed wires
                                  - Page 8,9 display resolution changed to generic spec.
                                  - P8 Branded Photos removed.
                                  - Sample Projectors / IWB added for illustration purposes.

Reviewers

Name Role/Title Date Version

Hameed Jafar Sadiq Senior Network Engineer 2012-09-20 2.0

Shueib Medani IT Project Manager 2012-09-20 2.0

Lamis Al Shamisi IT Project Manager 2012-09-20 2.0

Badr Ali Hubais Senior Planning Specialist 2012-09-20 2.0

Approvals

Name              Role/Title                       Date   Signature
Khaled Hassan     ICT Operations Section Manager
Yousef Alreyami   ICT PMO Section Manager
Ali Awlaqi        ICT Support Section Manager
Mohammad Younes   ICT Division Manager


SoW and Specifications for Projectors and Interactive Board Systems

Table of Contents
1 Scope of Work
    1.1 Required Devices/Equipments and Quantities
    1.2 Site Survey
    1.3 Installation Requirements
        1.3.1 Mock-up Installation
        1.3.2 Cabling and Termination
        1.3.3 AV cables & cords
        1.3.4 External Trunking & exposed wires
        1.3.5 IWB height from the floor
        1.3.6 Trash Removal
    1.4 Training Requirements
        1.4.1 Quick Reference Manuals
        1.4.2 Laminated Posters
    1.5 Support and Maintenance Requirements
        1.5.1 Response and Resolution Time
        1.5.2 Swappable Units
        1.5.3 Warranty
    1.6 Asset Management
    1.7 Handover Documentation
2 Technical Specifications
    2.1 Ultra Short Throw Projector
    2.2 Interactive Whiteboard System
    2.3 Educational Software bundled with Interactive Whiteboards
    2.4 Pre-approved Manufacturers List
    2.5 Sample Interactive Boards for class rooms “for illustration purpose only”
    2.6 Sample mobile trolleys for interactive boards “for illustration purpose only”


1 Scope of Work
Interactive Boards Supplier is requested to provide the following:

1. Supply ICT devices listed hereunder that meet the requirements of ADEC.
2. Delivery and asset tagging of all devices in scope.
3. Installation services as a fully integrated solution.
4. Testing & commissioning services.
5. Staff Training (Teachers) and technical training for ADEC support engineers.
6. Warranty and ongoing support (4 years).

1.1 Required Devices/Equipments and Quantities


The table below summarizes the required devices/equipments and their quantities. Detailed
specifications are provided in the following sections. The list does not specify the quantities for
cabling, face plates and software licenses required for the installation.

Columns: Projectors & Interactive Boards; LCD/LED Screen

LRC 1 1 (mobile)
Cafeteria 1
Lobbies 1
Gyms 1
Reception 1
Principal office 1
Meeting Rooms 1 per room
Classrooms, labs, other instructional spaces, … 1 per room

Important Remarks:

1. If the LRC design does not allow for the installation of the interactive board on the wall (i.e.
glass walls), the interactive board and projector should be installed in a proper mobile trolley.
The CONTRACTOR is responsible for supplying the trolleys.

2. For KGs, adjustable height brackets are required for all classrooms.

3. In Classrooms, the solution must include the following:
a. Built-in PC with the interactive board system
b. Wall Plate to allow connection of a second PC for video, audio and interactivity. The
second PC will typically be the teacher desktop PC.
c. Wall Face Plate to power the system and control the volume and sources

4. Audio, Video and DATA (interactivity) connections should be terminated to the teacher desk.

5. All interactive board systems require speaker systems to output audio.

1.2 Site Survey


Prior to delivery and installation activities, CONTRACTOR is required to conduct site surveys to
examine the readiness of the existing cabling, power and networking infrastructure and make sure
that all pre-requisites are in place for the above items to be commissioned. CONTRACTOR will be
responsible for highlighting and addressing any missing components and/or prerequisites in their
proposals.

1.3 Installation Requirements


ADEC is seeking an end-to-end working integrated solution. CONTRACTOR is required to install all
components and configure devices to work with desktops, LAN/WLAN if applicable. Under no
condition will the CONTRACTOR require ADEC to provide any cables, connectors, or brackets of
any type. The installation must include all cables, connectors, splitters, brackets, power
adaptors...etc.

1.3.1 Mock-up Installation

ADEC will request the contractor to prepare a mock-up of the installation for approval.

1.3.2 Cabling and Termination

All cabling for the A/V solutions is within the scope of the contractor including all face plates,
adapters and required. Face plates are generally required on the device side and near the computer
desk connected to the projector.

Any computer adapter that is required for the system must not be connected to an external power
supply. In all rooms, both the projector and computer display must display the computer
output.

All devices must be connected to the network for central management.

CONTRACTOR will be required to manage and label all cables. Loose and unmanaged cables will
not be accepted.

1.3.3 AV cables & cords

The Contractor/interactive boards supplier is required to provide all the necessary AV cables and wires
(HDMI, VGA, audio, etc.) to connect the teacher desktop PC to the IWB faceplate in the wall near
the teacher desk.

1.3.4 External Trunking & exposed wires

External trunking and exposed wires (AV, data or power) are not allowed in the schools. All
connections for AV or LED systems should be hidden and not visible for any reason.

1.3.5 IWB height from the floor

Interactive boards should be installed at the following height above the floor in all learning spaces:

1- In a height-adjustable rack for KG.
2- 90cm above the clear floor level for cycle 1, cycle 2 and cycle 3.
3- In library and music rooms, in case of soft walls (“acoustic walls”), the IWB should be installed on a
mobile trolley with a rack to host a laptop or PC.

1.3.6 Trash Removal

CONTRACTOR will be required to remove all empty boxes and other trash produced by the
installation / delivery outside the school premises. Upon completion of the installation,
CONTRACTOR must clean the installation area and leave it in dust free condition.

1.4 Training Requirements


The CONTRACTOR is required to conduct a 4-hour training session in every school. More sessions
will be required based on the number of staff in each school. On average, each session should
accommodate 30 teachers/school staff. The training sessions must be closely coordinated with the
school’s principal and must include the following components:

1. A handout explaining all the steps required to operate the required devices.
2. The handout must be bilingual (English and Arabic).
3. The handout must be detailed and have screenshots of actual steps. Soft copies of
handouts must be submitted to ADEC for approval prior to conducting training sessions.
4. The handout must also include a section on basic troubleshooting.
5. CONTRACTOR is required to have the principal sign off that the training has taken place in
a satisfactory manner. Copies of the training sign-off forms are to be submitted to ADEC
ICT. The form is to include school name, name of attendee, ADEC employee number, date and
signature.
6. The CONTRACTOR is also required to conduct training for ADEC support technicians on
basic troubleshooting and get sign-off on the training from ICT Support. This is required at
least once for each region (Abu Dhabi, Al Ain, Western).

1.4.1 Quick Reference Manuals

The CONTRACTOR will be responsible for developing a laminated quick reference manual for every
school (in English and Arabic) that describes how to operate all the above items. The manual will be
prepared professionally in full colour. Instructions have to be simplified with easy to follow steps
supported with colour screen shots and images. All pages must be laminated.

1.4.2 Laminated Posters:

The CONTRACTOR will be responsible for developing and hanging “how to operate” posters in full
colour for every lab. The poster will be laminated and professionally framed and prepared in both
English and Arabic.

1.5 Support and Maintenance Requirements


All assets will be handed over to ADEC ICT upon completion of the delivery and installation, and
ADEC ICT will maintain direct contact with the CONTRACTOR for the maintenance and support.

The CONTRACTOR will sign a contract with ADEC that includes the SLA terms and conditions
mentioned below for 4 years. SLA violations will be monitored closely and penalties will be applied
as agreed with the Procurement & Contracts Division.

1.5.1 Response and Resolution Time

• Response Time: Next Business Day onsite
• Resolution Time: 48 Hours
• All parts and labor (including transportation) must be covered by the CONTRACTOR

1.5.2 Swappable Units

CONTRACTOR will be required to have standby units available in stock so failing units can be
replaced with working ones while they are being repaired. Under no condition will ADEC accept
delays beyond what is mentioned in the SLA requirements above.

1.5.3 Warranty

CONTRACTOR is requested to provide a 4-year comprehensive warranty on the supplied items.

1.6 Asset Management

The CONTRACTOR must adhere to the following procedures and processes:

1. CONTRACTOR must produce and place bar codes for each item as per ADEC guidelines.
2. CONTRACTOR must submit an electronic spreadsheet of all items delivered as per ADEC
template. Information must include school name, items, serial numbers, device name,
device type & model, vendor name, warranty dates.

1.7 Handover Documentation


At the end of any milestone of the project, ADEC ICT requires the documents listed below (soft
copies).

No | Document(s) | Remarks
1 | Asset Sheet – final sheet including the details of all devices delivered | As per ADEC template
2 | Related Training Acknowledgement |
3 | Related Test Reports |
4 | User and Technical Manuals |
5 | SLA Document/O&M, and copies of warranties | Mentioning support channels and agreed response times

2 Technical Specifications
2.1 Ultra Short Throw Projector

Projector Type | Ultra Short Throw
Mount | Manufacturers Original Wall Mount
Projection Technology | 3LCD or equivalent
Blackboard Mode | Projector must be capable of projecting onto a wall, white board, or chalkboard.
Resolution | Optimal resolution for sharp reasonable display.
HDTV Compatibility | 480i, 480p, 576i, 576p, 720p, 1080i, 1080p
Brightness | At least 3000 Lumens
Contrast | 3000:1
Distance from Wall | 0.1 – 0.4 m
Lamp Life (Normal/ECO) | 4000/6000 Hours
Video Input | 1xRCA, 1xS-Video, 1xHDMI, 1xVGA
Audio Input | 2xStereo Mini Jack, RCA
Computer Input | 1xD-sub (15pin RGB), 1xUSB
Microphone Input | 1xStereo Mini jack
Network (Presenting & Monitor) | Built in RJ45
Wireless Networking | Yes
Integrated Sound | Built in speakers
Lamp Warranty | 4 years (regardless of hours)
Projector management software | Based on open source. Must be included.

Sample Ultra Short Throw Projectors (Illustrative only)

2.2 Interactive Whiteboard System

Board Size | 65 Inches
Resolution | Optimal resolution for sharp reasonable display.
Pen Output | 200 points per inch
Surface | Low glare melamine
Pointing Device | Qty: 2 Cordless battery-free pens included. The board must support input by touch (without pen). Board must remain fully functional in case pen is lost or damaged.
Power | UAE compliant
LAN Connectivity | Supported
Sound | Integrated with the interactive board; if speakers are not built in the board, it should be slim enough to fit at the back of the board.
Operating Systems Supported | Windows Vista, Windows 7, MAC, and Linux
Built in PC | At least Intel 2.5 GHz i5 dual core processor, SATA 500 GB HD, 4GB RAM expandable to 8GB

2.3 Educational Software bundled with Interactive Whiteboards

• CONTRACTOR must include free educational software integrated with the interactive
whiteboards
• The CONTRACTOR must provide a list of all included packages
• The software provided must include free upgrades
• The software must include free clipart library, images, video, common shapes and symbols:
Included and screened for UAE culture suitability
• Compatibility: Windows XP and above
• Network ready: Yes
• Arabic Support: Yes

Editing Features:

• Erasing & rearranging of notes: Yes
• Inserting Flash files: Yes
• Attach files to objects: Yes
• Attach web links: Yes
• Convert handwritten notes to text: Yes
• Move notes from page to page: Yes
• Sort pages: Yes
• Save lessons: Yes, save notes written over software applications directly into the
application such as PowerPoint, Word and Excel
• File formats support: Save notes in different file formats including: HTML, JPG, GIF, PNG
and PDF
• Printing: Yes

2.4 Pre-approved Manufacturers List:


Below is the list of manufacturers that are pre-approved by ADEC for the different components of
the project. If the CONTRACTOR wishes to supply items from other manufacturers (of similar
quality), explicit approval from ADEC is required.

• Brackets/Trolleys: Chief, Emmymount, SMS
• Cables: Extron, Belden
• Connectors: Extron, Neutrik, Canare
• Speakers: Bose, JBL
• Projectors & Interactive Boards: Hitachi, EPSON, SMART, Promethean

2.5 Sample Interactive Boards for class rooms “for illustration purpose only”

2.6 Sample mobile trolleys for interactive boards “for illustration purpose only”

The preferred interactive board mobile trolley should have a rack to host a PC or laptop.

ADEC FA PROJECT
Site Readiness Checklist (Pre-requisite)- GENERAL

School ID : Area: AIN AL FAYDA- Abu Dhabi

School Name: Phase 7-Co-Edu School

Principal Name & Contact Number: Date: 25-09-2017

Description Yes / No Remarks

General Site Readiness Pre-requisites

Sites should be ready as per the agreed schedule

Sites should have 24x7 access for ongoing work

Appropriate ADEC personnel and/or representatives should be made available for receiving of materials delivery & signing of Delivery Notes

Appropriate ADEC personnel and/or representatives should be made available for witnessing and signing/stamping Acceptance checklists

Equipment orders should be made at the appropriate times to ensure equipment availability
Site Specific WAN/ACTIVE/IPT equipment consignments (as per requested BoQ) should be prepared and made available for pickup from ADEC warehouse
OLD cabinets should be removed prior to start of CISCO implementation

OLD Wiring should be removed prior to start of implementation

Appropriate GPS coordinates and School contacts, Exact School IDs and School Names in English should be provided

Duly completed PAS sheets should be provided for IPT configuration

English & Arabic IVR recordings should be provided for IPT configuration

Appropriate WAN & Analog orders need to be placed for relevant Sites

All patch cords should be made available by ADEC/ADEC Passive Contractor

Secure Interim storage of materials and tools should be provided whilst the work on the sites is in progress
Additional Comments / Remarks :

Ready for Implementation (Yes / No) ADEC Representative Name:


ADEC FA PROJECT
Site Readiness Checklist (Pre-requisite)- Civil, M&E

School ID : Area: AIN AL FAYDA- Abu Dhabi

School Name: Phase 7-Co-Edu School

Principal Name & Contact Number: Date: 25-09-2017

Description Yes / No Remarks

Civil Pre-requisites

Lead in Duct for WAN should be available prior to WAN installation

Any Work-on-Site (in MDF/IDF rooms) should be completed for Cisco Implementation (e.g. no ongoing painting work etc.)

All rooms at the Site should be ready for Cisco AP installation

All rooms should be accessible (not locked)

ADECs M&E Contractor to provide the MDF/IDF room ready with Partitions, AC and Industrial Power

Room Dimensions, Racks & Space Requirements

MDF Room is selected as per guidelines (e.g. no principal room or classroom selected)

MDF Room is minimum 3x3 meters

Minimum 1 meter space is available front & back of MDF & IDF racks

Two Racks available (one for MDF, one for IDF) in the MDF room

Minimum space of 3x2 meters for IDFs is available in respective room


MEP Readiness (MDF/ IDF 1 Room)
6 Industrial power sockets 16 Amp installed (Commando, Female)
Distance between MDF / IDF 1 Rack and Industrial Socket is less than 3 meters
6 PDUs (4 MDF, 2 IDF1) are connected to Industrial Sockets
Inspection / Verification that 6 PDUs are powered up. (Blue LED)
Industrial Socket labelled as per guidelines
Laminated labeling on racks
Grounding/Earthing provided to each rack
MEP Readiness (IDF 2 Room)
2 Industrial power sockets 16 Amp installed (Commando, Female)
Distance between IDF 2 Rack and Industrial Socket is less than 3 meters
2 PDUs are connected to Industrial Sockets
Inspection / Verification that 2 PDUs are powered up. (Blue LED)
Industrial Socket labelled as per guidelines


Laminated labeling on racks
Grounding/Earthing provided to each rack
MEP Readiness (IDF 3 Room)
2 Industrial power sockets 16 Amp installed (Commando, Female)
Distance between IDF 3 Rack and Industrial Socket is less than 3 meters
2 PDUs are connected to Industrial Sockets
Inspection / Verification that 2 PDUs are powered up. (Blue LED)
Industrial Socket labelled as per guidelines
Laminated labeling on racks
Grounding/Earthing provided to each rack
MEP Readiness (IDF 4 Room)
2 Industrial power sockets 16 Amp installed (Commando, Female)
Distance between IDF 3 Rack and Industrial Socket is less than 3 meters
2 PDUs are connected to Industrial Sockets
Inspection / Verification that 2 PDUs are powered up. (Blue LED)
Industrial Socket labelled as per guidelines
Laminated labeling on racks
Grounding/Earthing provided to each rack
MEP Readiness (IDF 5 Room)
2 Industrial power sockets 16 Amp installed (Commando, Female)
Distance between IDF 3 Rack and Industrial Socket is less than 3 meters
2 PDUs are connected to Industrial Sockets
Inspection / Verification that 2 PDUs are powered up. (Blue LED)
Industrial Socket labelled as per guidelines
Laminated labeling on racks
Grounding/Earthing provided to each rack
Partitioning & Air Conditioning
Partitioning is created in DF room as per DF room layouts (If Required)
Partition is created as per guidelines and to Principal satisfaction
Air Conditioning is available and operational in all the MDF/IDF rooms
Tidiness & Cleaning
Vendor has cleared & cleaned the site after Civil / Mechanical & Electrical Work
PDUs installation & trunking completed in tidy manner
Remaining Installation material & tools removed from School
Working areas are cleaned & are tidy to client satisfaction
DF Rooms cleared & cleaned & are in tidy condition
Additional Comments / Remarks :

Ready for Implementation (Yes / No) ADEC Representative Name:


ADEC FA PROJECT
Site Readiness Checklist (Pre-requisite)- PASSIVE

School ID : Area: AIN AL FAYDA- Abu Dhabi

School Name: Phase 7-Co-Edu School

Principal Name & Contact Number: Date: 25-09-2017

Description Yes / No Remarks

Room Dimensions, Racks & Space Requirements


MDF Room is minimum 3x3 meters
Minimum 1 meter space is available front & back of MDF rack
Two Racks available (one for MDF, one for IDF) in the MDF room
Minimum space of 3x2 meters for IDF is available
Cabling And Trunking (Installation & Testing)
Trunk installation completed as per guidelines
Trunking accessories installed
CAT-6 Cable pulling completed

Cable termination completed on both ends


CAT-6 Cables of the same VLAN types are grouped and terminated together in Patch Panel
CAT-6 Cables of the same VLAN types are grouped together in the same sequence shown in the Passive Guidelines V2.3
Face plates installed & labelled as per guidelines (Boys / Girls)
Passive related Civil work completed

Fiber run between MDF & IDF completed and terminated

Drop Fibre from telephone room to MDF rack pulled by ADEC Passive Contractor

All fiber is placed in plastic tubing


Copper (CAT-6) Cable testing completed
Fiber testing completed
BLUE 3 meter patch cords delivered in school by ADEC Passive Contractor (110% of number of points) (for USERS)
WHITE 1 meter patch cords delivered in school by ADEC Passive Contractor (110% of number of APs) (for APs)
YELLOW/ORANGE 2 meter patch cords for patching delivered in school by ADEC Passive Contractor (110% of number of points) (for rack patching)
MDF Rack
Rack Installed (Correct Dimensions & Securely fixed to the surface)
Rack front & back door installed
Rack side panels installed
Cable termination completed on both ends
Right & Left vertical cable managers installed
Horizontal Cable managers installed as per rack layout
4 PDUs fixed in the rack & labelled as per guidelines
4 PDUs plugged into the 16 AMP wall sockets
Inspection / Verification that 4 PDUs are powered up (Blue LED)
Industrial Sockets & PDUs are labelled as per guidelines


Fiber Patch panel installed & Labelled as per guidelines
Rack fans Powered On & Operational
Rack Labelled as per guidelines
Fiber Patch cords connected
Fiber Patch cords Sleeves Installed
Fiber Patch cords labelled
Fiber Optic Tube fixed at the back of the vertical cable manager
Fiber Patch Cords placed inside a plastic tubing that runs at the back of the vertical cable manager
Fiber cable is placed in plastic tubing
IDF Rack 1
Rack Installed (Securely fixed to the surface)
Rack front & back door installed
Rack side panels installed
Cable termination completed on both ends
Right & Left vertical cable managers installed
Horizontal Cable managers installed as per MOCKUP
2 PDUs fixed in the rack & labelled as per guidelines
2 PDUs plugged into the 16 AMP wall sockets
Inspection / Verification that 2 PDUs are powered up (Blue LED)
Industrial Sockets & PDUs are labelled as per guidelines
Fiber Patch panel installed & Labelled as per guidelines
UTP Patch Panel installed & Labelled as per guidelines
Rack fans Powered On & Operational
Rack Labelled as per guidelines
UTP Patch cords connected as per colour coding
UTP Patch cords labelled on both ends
Fiber Patch cords connected
Fiber Patch cords labelled
Fiber is placed in plastic tubing
IDF Rack 2
Rack Installed (Securely fixed to the surface)
Rack front & back door installed
Rack side panels installed
Cable termination completed on both ends
Right & Left vertical cable managers installed
Horizontal Cable managers installed as per MOCKUP
2 PDUs fixed in the rack & labelled as per guidelines
2 PDUs plugged into the 16 AMP wall sockets
Inspection / Verification that 2 PDUs are powered up (Blue LED)
Industrial Sockets & PDUs are labelled as per guidelines

Fiber Patch panel installed & Labelled as per guidelines


UTP Patch Panel installed & Labelled as per guidelines
Rack fans Powered On & Operational
Rack Labelled as per guidelines
UTP Patch cords connected as per colour coding
UTP Patch cords labelled on both ends
Fiber Patch cords connected
Fiber Patch cords labelled
Fiber is placed in plastic tubing
IDF Rack 3
Rack Installed (Securely fixed to the surface)
Rack front & back door installed
Rack side panels installed
Cable termination completed on both ends
Right & Left vertical cable managers installed
Horizontal Cable managers installed as per MOCKUP
2 PDUs fixed in the rack & labelled as per guidelines
2 PDUs plugged into the 16 AMP wall sockets
Inspection / Verification that 2 PDUs are powered up (Blue LED)
Industrial Sockets & PDUs are labelled as per guidelines
Fiber Patch panel installed & Labelled as per guidelines
UTP Patch Panel installed & Labelled as per guidelines
Rack fans Powered On & Operational
Rack Labelled as per guidelines
UTP Patch cords connected as per colour coding
UTP Patch cords labelled on both ends
Fiber Patch cords connected
Fiber Patch cords labelled
Fiber is placed in plastic tubing
IDF Rack 4
Rack Installed (Securely fixed to the surface)
Rack front & back door installed
Rack side panels installed
Cable termination completed on both ends
Right & Left vertical cable managers installed
Horizontal Cable managers installed as per MOCKUP
2 PDUs fixed in the rack & labelled as per guidelines
2 PDUs plugged into the 16 AMP wall sockets
Inspection / Verification that 2 PDUs are powered up (Blue LED)
Industrial Sockets & PDUs are labelled as per guidelines
Fiber Patch panel installed & Labelled as per guidelines
UTP Patch Panel installed & Labelled as per guidelines
Rack fans Powered On & Operational
Rack Labelled as per guidelines
UTP Patch cords connected as per colour coding
UTP Patch cords labelled on both ends
Fiber Patch cords connected
Fiber Patch cords labelled
Fiber is placed in plastic tubing
IDF Rack 5
Rack Installed (Securely fixed to the surface)
Rack front & back door installed
Rack side panels installed
Cable termination completed on both ends
Right & Left vertical cable managers installed
Horizontal Cable managers installed as per MOCKUP
2 PDUs fixed in the rack & labelled as per guidelines
2 PDUs plugged into the 16 AMP wall sockets
Inspection / Verification that 2 PDUs are powered up (Blue LED)
Industrial Sockets & PDUs are labelled as per guidelines
Fiber Patch panel installed & Labelled as per guidelines
UTP Patch Panel installed & Labelled as per guidelines
Rack fans Powered On & Operational
Rack Labelled as per guidelines
UTP Patch cords connected as per colour coding
UTP Patch cords labelled on both ends
Fiber Patch cords connected
Fiber Patch cords labelled
Fiber is placed in plastic tubing
Tidiness & Cleaning
Vendor has cleared & cleaned the site after Civil & Passive Work
Cable/Termination/Conduit trunking closed & is in tidy condition
Remaining Installation material & tools removed from School
Working areas are cleaned & are tidy to Principal satisfaction
DF Rooms cleared & cleaned & are in tidy condition
MDF / IDF racks are free from dust
DF Rooms secured & keys handed over to Security Guard.
Availability of Required Resources
ADEC Passive contractor available on-site during ACTIVE implementation

Passive site CAD drawings (with all data points, AP locations etc) available (as-built)

Passive Port Allocation Sheet (PAS) & Outlet Distribution Sheets available (as-built)

Additional Comments / Remarks :

Site Ready for Implementation (Yes / No) ADEC Representative Name:
