Agenda 03/24/2020 Item #16A12 (Resolution - FDOT LAP Agreement)03/24/2020
EXECUTIVE SUMMARY
Recommendation to approve a Local Agency Program (LAP) Agreement with the Florida
Department of Transportation (FDOT) under which Collier County would receive reimbursement of up to
$1,108,409 to update and standardize the Intelligent Transportation System (ITS) network
communication between the local agencies (Collier County and the City of Naples) and FDOT; to
authorize the purchase of the network equipment, requisite accessories, licensing, maintenance and
technical support listed in the LAP Agreement; and to execute a Resolution memorializing the Board's
action and authorize all necessary budget amendments.
(Project No. FPN 435013-1-98-01)
OBJECTIVE: To procure, install and configure network equipment, requisite accessories, licensing,
maintenance and technical support to update the network and standardize communication among the
Florida Department of Transportation (FDOT), City of Naples and Collier County networks.
CONSIDERATIONS: By updating its environment to a standardized network, the local agencies and
FDOT will be able to share data and streaming video, and to relocate control of the Advanced Traffic
Management System (ATMS) to the Emergency Operating Center (EOC) when required. FDOT will
reimburse Collier County up to $1,108,409, as specified in the attached LAP Agreement.
Upon the Board's approval of this LAP Agreement, Traffic Operations staff plan to procure the network
equipment, requisite accessories, maintenance, licensing and technical support listed in Exhibits "A, P &
Q" of the Agreement, using a Request for Professional Services.
FISCAL IMPACT: A budget amendment is necessary to recognize FDOT grant funds in the amount
of $1,108,409 within Transportation Grant Fund 711, Project 33666. The funding source is the
Federal Highway Administration (FHWA); these grant dollars are passed through the Florida
Department of Transportation (FDOT) via the Local Agency Program (LAP) Agreement.
The ongoing maintenance costs for hardware, software, user licenses, technical support, and incidental
component replacements over a period of three years are expected to increase operating budget levels
by approximately $30,000 annually.
GROWTH MANAGEMENT IMPACT: This recommendation is consistent with the County’s Growth
Management objectives and produces no negative impact.
LEGAL CONSIDERATIONS: This item has been reviewed by the County Attorney, is approved as to
form and legality, and requires majority vote for Board approval. -JAK
RECOMMENDATION: To approve a Local Agency Program (LAP) Agreement with the Florida
Department of Transportation (FDOT) to receive up to $1,108,409 in federal funding to update and
standardize the Intelligent Transportation System (ITS) network communication between the local
agencies (Collier County and the City of Naples) and FDOT; to authorize the purchase of the network
equipment, requisite accessories, licensing, maintenance and technical support listed in the LAP
Agreement; and to execute a Resolution memorializing the Board's action and authorize all necessary
budget amendments. (Project No. FPN 435013-1-98-01)
Prepared by Pierre-Marie Beauvoir, Signal Systems Network Specialist, Transportation Engineering
Division, Growth Management Department
16.A.12
Packet Pg. 348
03/24/2020
ATTACHMENT(S)
1. (Linked) 435013-1 Regional ITS Review_Final Report (PDF)
2. 435013-1 Draft LAP Agreement 3.17.20 (PDF)
3. 435013-1 Collier Traffic Overview of Proposed Solution (PDF)
4. (Linked) 435013-1 Proprietary Product Certification - Approved (PDF)
COLLIER COUNTY
Board of County Commissioners
Item Number: 16.A.12
Doc ID: 11173
Item Summary: Recommendation to approve a Local Agency Program (LAP) Agreement with the
Florida Department of Transportation (FDOT) under which Collier County would receive reimbursement of up to
$1,108,409 to update and standardize the Intelligent Transportation System (ITS) network communication
between the local agencies (Collier County and the City of Naples) and FDOT; to authorize the purchase of
the network equipment, requisite accessories, licensing, maintenance and technical support listed in the
LAP Agreement; and to execute a Resolution memorializing the Board's action and authorize all necessary
budget amendments. (Project No. FPN 435013-1-98-01)
Meeting Date: 03/24/2020
Prepared by:
Title: Signal Systems Network Specialist – Transportation Engineering
Name: Pierre Beauvoir
12/19/2019 3:58 PM
Submitted by:
Title: Division Director - Transportation Eng – Transportation Engineering
Name: Jay Ahmad
12/19/2019 3:58 PM
Approved By:
Review:
Office of Management and Budget Debra Windsor Level 3 OMB Gatekeeper Review Completed 01/22/2020 2:55 PM
Transportation Engineering Jay Ahmad Additional Reviewer Completed 12/20/2019 9:19 AM
Growth Management Department Christine Arnold Level 1 Reviewer Completed 12/20/2019 11:00 AM
Procurement Services Sandra Herrera Additional Reviewer Completed 12/27/2019 8:24 AM
Capital Project Planning, Impact Fees, and Program Management Rookmin Nauth Additional Reviewer Completed 12/30/2019 10:03 AM
Growth Management Operations Support Christopher Johnson Additional Reviewer Completed 01/02/2020 7:31 AM
Growth Management Department Gene Shue Additional Reviewer Completed 01/02/2020 8:59 AM
Growth Management Department Anthony Khawaja Additional Reviewer Completed 01/02/2020 11:59 AM
Growth Management Department Pierre Beauvoir Deputy Department Head Review Skipped 01/02/2020 12:03 PM
County Attorney's Office Jeffrey A. Klatzkow Level 2 Attorney Review Completed 01/02/2020 1:24 PM
Growth Management Department Thaddeus Cohen Department Head Review Completed 01/10/2020 11:55 AM
Grants Erica Robinson Level 2 Grants Review Completed 01/10/2020 3:41 PM
Grants Carrie Kurutz Additional Reviewer Completed 03/02/2020 3:34 PM
Procurement Services Pierre Beauvoir Level 1 Purchasing Gatekeeper Skipped 01/06/2020 11:25 AM
County Attorney's Office Jeffrey A. Klatzkow Level 3 County Attorney's Office Review Completed 01/15/2020 11:27 AM
Office of Management and Budget Susan Usher Additional Reviewer Completed 03/03/2020 10:57 AM
Office of Management and Budget Laura Zautcke Additional Reviewer Completed 03/09/2020 4:26 PM
Grants Therese Stanley Additional Reviewer Completed 03/18/2020 9:16 AM
County Manager's Office Sean Callahan Level 4 County Manager Review Completed 03/18/2020 9:29 AM
Board of County Commissioners MaryJo Brock Meeting Pending 03/24/2020 9:00 AM
REGIONAL ITS NETWORK REVIEW
FDOT DISTRICT ONE / COLLIER COUNTY /
CITY OF NAPLES
June 14, 2019 | Version 3.0
Recommendations Report
Regional ITS Network Review | Recommendations Report
Document Panel Control
File Name: Regional ITS Network Review Final Report.docx
File Location: Metric Technology Group - Documents\Projects\4.2330_D1 Traffic Operations & ITS\TWO 12_Collier & Naples Network Upgrade\3. Project Documents\Document
Version Number: 3.0
Name (Firm/Organization) Date
Created By: Scott Agans (Metric Engineering, Inc.) 02/20/2019
Abram Little (Metric Engineering, Inc.) 02/20/2019
Reviewed By: Demetrius Lewis (Metric Engineering, Inc.) 02/25/2019
Richard Phillips (Metric Engineering, Inc.) 02/26/2019
Pierre Beauvoir (Collier County) 03/08/2019
Mark Roberts (HNTB / FDOT District One Consultant) 03/18/2019
Shawna Slate (Metric Engineering, Inc.) 03/19/2019
Corrine DiSanto (Metric Engineering, Inc.) 03/19/2019
Demetrius Lewis (Metric Engineering, Inc.) 03/21/2019
Richard Phillips (Metric Engineering, Inc.) 03/27/2019
Demetrius Lewis (Metric Engineering, Inc.) 03/28/2019
FDOT District One and FDOT District One Consultants 04/24/2019
Pierre Beauvoir (Collier County) 05/05/2019
Craig Carnes (Metric Engineering, Inc.) 06/12/2019
Modified By: Scott Agans (Metric Engineering, Inc.) 02/27/2019
Abram Little (Metric Engineering, Inc.) 03/25/2019
Scott Agans (Metric Engineering, Inc.) 03/28/2019
Scott Agans (Metric Engineering, Inc.) 05/15/2019
Scott Agans (Metric Engineering, Inc.) 06/10/2019
Scott Agans (Metric Engineering, Inc.) 06/13/2019
Completed By: Scott Agans (Metric Engineering, Inc) 06/13/2019
Table of Contents

List of Figures
List of Tables
List of Acronyms
1. Introduction
   1.1 Task Overview
      1.1.1 Document Overview
2. Project Stakeholder Discussions
   2.1 Coordination Efforts
   2.2 Stakeholder Identification
      2.2.1 Florida Department of Transportation District One
      2.2.2 Collier County
      2.2.3 City of Naples
3. Network Architecture Design
   3.1 Existing Network Assessment
      3.1.1 Florida Department of Transportation District One
      3.1.2 Collier County
      3.1.3 City of Naples
   3.2 Proposed Network Improvements
      3.2.1 Florida Department of Transportation District One
      3.2.2 Collier County
      3.2.3 City of Naples
      3.2.4 Proposed Network Improvements
4. Proposed Regional Network Strategies
   4.1 Proposed Network Architecture Design
      4.1.1 Proposed Internet Protocol (IP) Schematic
      4.1.2 Data and Multicast Sharing Between Agencies
5. Standardization of ITS Communications Equipment
   5.1 Agency Network Requirements
   5.2 Field Network Devices Standardization
   5.3 Physical Redundancy - Master Hub and TMC
      5.3.1 FDOT District One RTMC – SWIFT SunGuide® Center
      5.3.2 Collier County ESC and TMC
      5.3.3 City of Naples TMC
6. User Access and Authentication
   6.1 FDOT District One
   6.2 Collier County
   6.3 City of Naples
   6.4 Recommendations
7. Network Implementation Budgetary Estimate
Appendix A - Regional Partner Network Topologies
Appendix B - Regional Partner IP Address Schema
Appendix C - Summary of Recommendations
List of Figures

Figure 3-1: FDOT District One Existing Network and Communications Logical Diagram
Figure 3-2: Collier County Existing Network and Communications Logical Diagram
Figure 3-3: City of Naples Existing Network and Communications Logical Diagram
Figure 3-4: Collier County Proposed Network and Communications Logical Diagram
Figure 3-5: City of Naples Proposed Network and Communications Logical Diagram
Figure 4-1: Proposed Regional Network Architecture Diagram

List of Tables

Table 2-1: FDOT District One Project Stakeholders and User Classes
Table 2-2: Collier County Project Stakeholders and User Classes
Table 2-3: City of Naples Project Stakeholders and User Classes
Table 3-1: Discovered Areas of Concern
Table 3-2: Proposed Network Improvement Items
Table 6-1: Recommended Strategies for User Access and Authentication
Table 7-1: Engineer's Cost Estimate
Table C-1: Summary of Recommendations
List of Acronyms

ACLs - Access Control Lists
APL - Approved Products List
ATMS - Advanced Traffic Management System
CCTV - Closed Circuit Television
CLI - Command Line Interface
CV - Connected Vehicle
DAC - Discretionary Access Control
EIGRP - Enhanced Interior Gateway Routing Protocol
EOL - End of Life
ESC - Emergency Service Center
FDOT - Florida Department of Transportation
FHWA - Federal Highway Administration
IEEE - Institute of Electrical and Electronics Engineers
IGMP - Internet Group Management Protocol
IGRP - Interior Gateway Routing Protocol
IP - Internet Protocol
IPSec - Internet Protocol Security
ISP - Internet Service Provider
ITS - Intelligent Transportation Systems
LAN - Local Area Network
LAP - Local Agency Program
MAC - Media Access Control
MHUB - Master Hub
MMU - Malfunction Management Unit
MSDP - Multicast Source Discovery Protocol
MSRP - Manufacturer Suggested Retail Price
MSTP - Multiple Spanning Tree Protocol
OSPF - Open Shortest Path First
PIM - Protocol Independent Multicast
PIM-SM - Protocol Independent Multicast-Sparse Mode
PIM-SM-DM - Protocol Independent Multicast Sparse-Dense Mode
PVST+ - Per VLAN Spanning Tree Plus
RADIUS - Remote Authentication Dial-In User Service
Rapid-PVST+ - Rapid Per VLAN Spanning Tree Plus
RP - Rendezvous Point
RSTP - Rapid Spanning Tree Protocol
RTMC - Regional Transportation Management Center
SAN - Storage Area Network
SSH - Secure Shell
SSM - Source Specific Multicast
STMC - Satellite Traffic Management Center
SWIFT - Southwest Interagency Facility for Transportation
TMC - Traffic Management Center
TOR - Top of Rack
UPS - Uninterruptible Power Supply
VLAN - Virtual Local Area Network
VRRP - Virtual Router Redundancy Protocol
WAN - Wide Area Network
1. Introduction
1.1 Task Overview
The Regional Intelligent Transportation Systems (ITS) Network Review reviews the existing ITS and
traffic signal regional network in Collier County (County) and the City of Naples (City) and provides a
recommended best-practices approach to establishing a network connection to the Florida Department of
Transportation (FDOT) District One ITS Advanced Traffic Management System (ATMS) network for data and
video sharing. This document also serves as regional standards guidance for the staff who currently
manage and maintain their respective ITS and traffic signal networks, in support of their current
operations. It is the initial stage of FDOT District One's initiative to develop a regional ITS and traffic
signal network that will be used to disseminate traffic-related information as needed, and it provides
recommended guidelines that allow each project stakeholder to integrate their network resources and
share video resources with other regional partners without conflict.
1.1.1 Document Overview
This document identifies specific guidance from the Institute of Electrical and Electronics Engineers (IEEE)
Transactions on Professional Communication for Electronic and Information Technologies. It also
provides an overview of the Regional ITS Network Review task and the key principles that guided the
project discovery and assessment activities, including an overview of the project, the stakeholders,
guiding principles, and referenced materials. This Regional ITS Network Review document contains detailed
descriptions of the network components discovered, an assessment of each item, recommendations for
updating those items, and proposed replacement tools and equipment that deliver new capabilities and
improve on the current operational state. As a function of the ITS Continuing Services Consultant
Contract, Metric Engineering was requested to evaluate the existing ITS networks of FDOT District
One, the County, and the City. The network peer review was requested to assist the County and City in
developing a network strategy for a reliable, scalable, and redundant regional ITS network. The task
includes recommendations for upgrading the County's and City's network hardware, which is to be
completed under an upcoming Local Agency Program (LAP) project, and for a regional network
architecture and configurations that establish network continuity for data and video sharing. In
addition, this document provides guidance for the IP address migrations mandated by FDOT Central
Office to ensure that all districts and regional partners comply with the statewide IP addressing scheme.
The Regional ITS Network Review document illustrates the current state of the ITS network, its security
posture and communications equipment, documents the items discovered, and provides an assessment with
associated strategies and recommendations for future deployments. The document also identifies the FDOT
District One, Collier County, and City of Naples stakeholders' user classes, the identified system capabilities,
and the existing network conditions of the system, organized into ITS functional groups for establishing requirements.
2. Project Stakeholder Discussions
2.1 Coordination Efforts
Metric Engineering was responsible for all coordination efforts for this task, including scheduling meetings
with all stakeholders for project-related tasks. A kick-off meeting was held to introduce the staff of all
stakeholders and consultants and to give all parties an understanding of the Scope of Services,
progress meetings, project schedule, and important milestones. All subsequent meetings were coordinated
by Metric Engineering through the FDOT District One project manager and the project stakeholders.
2.2 Stakeholder Identification
The term project stakeholders refers to any individual or group affected by the activities of the ITS network
assessment task. They may have a direct or indirect interest in the assessment, and their levels of
participation may vary. Stakeholders include internal organizations, external agencies, or end users with a
vested interest, or a "stake", in one or more aspects of the network. The stakeholders identified for this project
are FDOT District One, Collier County, and the City of Naples. User classes are defined by how the users
perceive the system and by the needs identified. Note that some key personnel may serve in multiple
roles based on user needs and functions.
2.2.1 Florida Department of Transportation District One
With a land area of nearly 12,000 square miles, FDOT District One represents twelve (12) counties in
Southwestern Florida. Its 2.7 million residents contribute to the 42 million miles traveled daily on its state
highways. FDOT District One provides capital grant funds to twenty-one (21) public airports, including three
(3) international airports.1
1https://www.fdot.gov/agencyresources/districts/index.shtm
Table 2-1: FDOT District One Project Stakeholders and User Classes
User classes: Technology Operations, TSM&O Operations, Traffic Operations, Security, Network Infrastructure, Administration
FDOT District One stakeholders:
Mark Mathes, P.E., TSM&O Project Engineer
Kat Chinault, CPM, TSM&O Project Manager
Mark Roberts, Consultant Project Manager
Tim Smith, Project Manager
Michael Braun, RTMC IT Manager
Carlos Gomez, ITS Technician II
Robbie Brown, RTMC / Freeway Operations
2.2.2 Collier County
The focus of Collier County’s Transportation Engineering Division is to maintain safe traffic operations on
their roads, implement capital improvements for the transportation network and to acquire needed property
for capital programs. The Collier County Transportation Engineering staff works in project management
teams that are made up of well-trained, highly motivated professionals who uphold the efficient use of public
funds as their highest priority.2
2 https://www.colliercountyfl.gov/your-government/divisions-s-z/transportation-engineering-division
Table 2-2: Collier County Project Stakeholders and User Classes
User classes: Technology Operations, Traffic Operations, Software Development, Security, Network Infrastructure, Administration
Collier County stakeholders:
Anthony Khawaja, P.E., Chief Engineer of Traffic Operations
Pierre Beauvoir, Sr. Project Manager / Signal Systems Network Specialist
Haris Domond, Engineering Technician
2.2.3 City of Naples
The City of Naples operates and maintains forty-two (42) traffic signals within the city limits.3 In addition to
maintaining traffic signals, the City performs in-house traffic design, roadway lighting on arterial
roadways, and roadway signing and marking, and operates a TMC to monitor real-time traffic congestion and
mitigation.
Table 2-3: City of Naples Project Stakeholders and User Classes
User classes: Technology Operations, Traffic Operations, Software Development, Security, Network Infrastructure, Administration
City of Naples stakeholders:
Alison Bickett, P.E., Traffic Engineer, Streets & Stormwater
Dave Rivera, Streets & Traffic Supervisor
Haroll Fernandez, Engineering Technician
3 https://www.naplesgov.com/streetsstormwater/page/streets-traffic
3. Network Architecture Design
3.1 Existing Network Assessment
To obtain a comprehensive understanding of each agency's network, each stakeholder provided its
network and infrastructure documentation for review. The documentation included network topology
diagrams, fiber optic infrastructure, splicing diagrams, and network equipment configurations. Based on
the review, areas of improvement within each agency's network were identified. Some improvements may
only require reconfiguring existing hardware, while others may require replacing equipment and updating
configurations.
In some cases, gaps in the network documentation were identified, and Metric Engineering either
requested additional information from the agency or made educated assumptions based on the data
provided. All data collected from each agency is represented in the existing topology diagrams in this
document.
3.1.1 Florida Department of Transportation District One
FDOT District One has two (2) TMCs, the first is the Southwest Interagency for Transportation (SWIFT)
SunGuide® Center in Fort Myers, Florida and the second is the Satellite Traffic Management Center (STMC)
in Bradenton, Florida. There are one hundred seventy-eight (178) miles of roadway along Interstate 75 (I-75)
with ninety-six (96) dedicated strands of fiber and four (4) network distribution hubs on the northbound side
of I-75 which connect the two (2) data centers, along with many field switches and devices that are used to
monitor the interstate. FDOT District One is seeking to establish network communications between each
agency for data and video sharing, as there are currently no existing network connections between the
stakeholders.
3.1.1.1 Network Architecture Topology
FDOT District One’s current network topology is a linear ring. The major benefit of this topology is that it
allows FDOT District One to connect the County and the City to each other without changing the existing
network topologies. If one of the devices fails, network traffic is seamlessly rerouted back to the nearest
router without a noticeable impact to the end user. To mitigate network flooding or broadcast storms, the
routers have been configured to use Rapid Spanning Tree Protocol (RSTP), a network loop prevention
protocol. Since all the data flows in a single direction, data transfer between devices can occur at higher
speeds, further increasing network performance.
Figure 3-1: FDOT District One Existing Network and Communications Logical Diagram
3.1.1.2 Layer 2 (Data Link) and VLANs
FDOT District One has implemented Virtual Local Area Network (VLAN) segments on both their core routers
and ITS field switches. A VLAN can be described as a set of physical or logical ports within the same
broadcast domain, which can span numerous devices. Logically separating traffic in this way segments the
network so that data is not transmitted to devices or users that do not need it. FDOT District One has chosen
to deploy VLANs to increase data security and make the overall network simpler to manage. In addition to the
deployment of VLANs, FDOT District One has deployed Per VLAN Spanning Tree Plus (PVST+). PVST+ is based
upon the IEEE standard with Cisco proprietary extensions and is utilized on each specific VLAN to enable
loop-free transmission of network data.
3.1.1.3 Layer 3 (Network) Routing Protocols
The FDOT District One network transmits ITS video images to the SWIFT SunGuide® Center, the STMC, and
other local agencies. To ensure these images are routed from the field Closed Circuit Television (CCTV)
cameras to their destination, the network must be capable of multicast routing. FDOT District One has chosen
to utilize the Protocol Independent Multicast-Sparse Mode (PIM-SM) routing solution for distributing multicast
traffic. PIM-SM is the preferred method of multicast routing and allows the multicast domain to dynamically
discover active multicast sources outside of the native network domain. To share video with the
stakeholders, FDOT District One is also using Multicast Source Discovery Protocol (MSDP), which allows
each multicast domain to advertise its multicast sources within the multicast group to the local Rendezvous
Point (RP). The RP can replicate and route the multicast video to the requesting user either inside or outside
of the multicast domain.
3.1.1.4 Network Security
Currently, FDOT District One does not deploy network security controls to protect their network from the
proposed stakeholder connections. After discussing network security practices with the FDOT District One
network staff, additional network security recommendations were provided, which are included within this
document.
3.1.2 Collier County
3.1.2.1 Network Architecture Topology
The Collier County network architecture is a modified star topology in which all data must pass through a
central device before being routed to its destination. A failure of a single ITS switch will not negatively
impact the remaining devices in line. In the event of a network device malfunction, the time to troubleshoot
the device may be reduced because of its single connection to the central device; however, the impact of a
failure at the central device is more severe. The primary disadvantage of this modified star topology is that
if the primary device at the TMC were to fail, the entire network would fail as well.
In addition to the review of the network topologies, an in-depth review of the network configurations occurred.
Based on the information provided, the existing configurations show each Master Hub (MHUB) location as
unique and composed of multiple network segments. No network segment had a diverse and redundant path in
case of an equipment or fiber failure, and all Layer 3 routing for the entire network relied on the single core
router located at the TMC.
One network concern identified was the different types of Layer 2 field switches deployed in the field cabinets.
The Layer 2 rings are comprised of both Cisco 2955 and RuggedCom RS900G switches which is a concern
because the different types of switch manufacturers can potentially have interoperability issues and the
County could have possible maintenance issues by having to stock replacement equipment from two different
manufacturers. Furthermore, the existing Cisco ME3400E switches that were also identified do not support
MSDP and are currently End of Life (EOL). This is an issue because the County would be unable to transmit
or receive their regional agency partner video streams.
Additionally, no MHUB was found to have a redundant connection to the TMC core network, which is where all
routing takes place. It was also identified that MHUB3 has two (2) Cisco ME3400E switches which supply the
local hub switch rings and two (2) spurs to additional MHUB locations, one link to MHUB4 and the other to
MHUB5. This is a concern because it creates a single point of failure in the network that can affect
communications to the downstream MHUB locations. Such a failure could be caused by a loss of power, as no
MHUB location is equipped with an Uninterruptible Power Supply (UPS).
Additionally, numerous pieces of core networking equipment were found to be performing unnecessary
switching and routing. The core network in the TMC has two (2) Cisco ME3400E switches, one (1) Cisco
C3560 switch, one (1) Cisco C2950 switch, one (1) HP 2530-24G switch, one (1) RuggedCom RS900G
switch and one (1) Cisco ASA 5506 firewall.
Figure 3-2: Collier County Existing Network and Communications Logical Diagram
3.1.2.2 Layer 2 (Data Link) and VLANs
During the investigation of the Collier County network, no VLAN conventions were identified between the
MHUBs. Each MHUB router had every VLAN configured to be transmitted out of each tagged/optical port, which
means every VLAN is forwarding Ethernet data to each Layer 2 field switch. The majority of fiber ports on the
Layer 2 field switches are tagged with all VLANs whether they are used or not, which causes increased
network congestion.
Collier County has also used VLANs to segment network functions. The difference between FDOT District
One and Collier County is that Collier County has elected to utilize Rapid Per VLAN Spanning Tree (Rapid-
PVST+). This spanning-tree mode is the same as PVST+ except that it uses rapid convergence based on
the IEEE 802.1w standard. Because of the existing daisy-chained architecture between each master hub, there
is a chance that a network loop can occur, producing what is referred to as a broadcast storm. A loop exists
when there is more than one Layer 2 connection/path between two endpoints. To prevent these broadcast
loops, the use of a Layer 2 loop prevention protocol such as Rapid-PVST+, which allows the user to create a
single spanning tree topology for each VLAN, is suggested. To provide rapid convergence, Rapid-PVST+
immediately deletes dynamically learned Media Access Control (MAC) address entries on a per-port basis
upon receiving a topology change.4
3.1.2.3 Layer 3 (Network) Routing Protocols
After reviewing the County’s network configuration files, the routing protocols used by Collier County were
identified. All routing for the ITS field devices occurs at the Collier County TMC router. In addition to this
single routing location, the County utilizes static routes to direct traffic to specific external networks,
which is then routed through their existing firewall. Static routing is an ideal method for smaller networks
(due to the ease of deployment) and for networks which do not have numerous topology changes or a high
rate of projected growth. However, as the network grows, it will be increasingly difficult to manage the many
route changes within the network router(s), which must be updated manually by the network administrator.
Additionally, the County utilizes Enhanced Interior Gateway Routing Protocol (EIGRP) to route between the
ITS networks dynamically. EIGRP is a dynamic routing protocol that updates route changes in the network
automatically. The convergence properties and the operating efficiency of this protocol have improved
significantly, allowing for an improved architecture while retaining existing investment in IGRP.5
3.1.2.4 Network Security
The County has previously installed a firewall to allow access to their network remotely through a Virtual
Private Network (VPN) connection. A firewall is a network security appliance which serves as the first line of
defense against potential cyber or internal network attacks and is designed to prevent, both internal and
external, unauthorized systems and users from accessing network resources within a private local area
network. By using the firewall for VPN connections, authorized County staff are able to establish an encrypted
communications tunnel between their local computer and their remote Collier County device without worry of
their data streams being compromised. This VPN connection aids the County network administration staff to
connect to the ITS network for remote access, network troubleshooting, and the ability to access the network
from just an internet connection from around the world if needed.
According to County personnel, the Apollo Metro Street Light Solution provides the County with a service for
the street lights and is directly connected to the Collier County network by an outside internet connection.
The Apollo Metro Solutions Street Light Luminaire with integrated Wireless Controller is capable of providing
an alert as to why a streetlight has burnt out, be it electrical error or age.6 The operator can also see how
many hours the bulb has been out and can then better plan the replacement of the bulb.7 This router is not
managed by Collier County, but by an outside vendor via an external internet connection. A Cisco ISR4321
router was found attached to the TMC core which supplies a secure tunnel for the Apollo Street Light System.
4 https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/lanswitch/16-6-1/b-lanswitch-xe-16-6-1-asr920/configure-pvst-rpvst.pdf
5 https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/13669-1.html#intro
6 http://bulldogenergy.org/2016/10/collier-county-continues-installation-of-apollo-metro-solutions-smart-led-street-lights/
7 https://www.telenor.com/telenor-helps-cut-cost-of-lighting-oslos-streets/
Lastly, it was also identified that the County does not utilize a central method for providing users access to
field equipment. Moreover, it was discovered Collier County still utilizes some default username and
passwords on their network devices. Using default equipment usernames and passwords is a network
security concern because an unauthorized user can gain access by a simple internet search.
3.1.3 City of Naples
3.1.3.1 Network Architecture Topology
The City’s architecture is configured as a ring topology in which two (2) Layer 3 routers, located at the City’s
TMC, connect to the Layer 2 field switches. The field switches are connected in a daisy-chained fashion and
use the Layer 3 routers as their gateway. Also, most of the ITS field rings terminate on both ends on a single
router. For Layer 3, the City uses Cisco ME3400G switches, which are now EOL, and ITS Express 8012-24+
switches for Layer 2 in the field. Because its Layer 3 routers are no longer available for purchase, the City
will not have access to manufacturer firmware upgrades (i.e., security and software patches) or hardware
support in the event of a failure, and no replacement router will be available for purchase.
Finally, it was discovered that many of the network devices were not equipped with a redundant power source.
Figure 3-3: City of Naples Existing Network and Communications Logical Diagram
3.1.3.2 Layer 2 (Data Link) and VLANs
The City, like FDOT District One and Collier County, also uses VLANs for network segmentation. Similar to
Collier County, the City of Naples has chosen to utilize Rapid-PVST+ for their network. The City has elected
to transmit (or tag) only the VLANs required at each Layer 2 location. However, only a single VLAN is used,
and no dedicated management VLAN has been established separate from the switch and CCTV/video transmission
traffic.
3.1.3.3 Layer 3 (Network) Routing Protocols
The City provided network documentation regarding the current condition of their ITS network. After a review
of the City of Naples’ network documentation, it was determined that the City uses static routes to transmit
network traffic between specific networks. To route the roadside multicast video images throughout the
network, the City uses Protocol Independent Multicast Sparse-Dense Mode (PIM-SM-DM) as their multicast
routing protocol. This is a very common method used to route multicast streams throughout a network. In
addition to the use of multicast video transmission, the City has also elected to perform all of their routing
at the TMC location. To provide network redundancy between the core switches, the City has elected to use
the Virtual Router Redundancy Protocol (VRRP). VRRP eliminates the single point of failure inherent in a
static default-routed environment. VRRP specifies an election protocol that dynamically assigns responsibility
for a virtual router (a VPN 3000 Series Concentrator cluster) to one of the VPN Concentrators on a Local Area
Network (LAN). The VRRP VPN Concentrator that controls the IP address(es) associated with a virtual router is
called the Master and forwards packets sent to those IP addresses. When the Master becomes unavailable, a
backup VPN Concentrator takes the place of the Master.8
Another item which was discovered is that there is no network demarcation point established for the routed
connection from Collier County.
3.1.3.4 Network Security
Without an added level of network security, the City of Naples TMC can potentially lose communications to
the field devices, which can hinder the dissemination of traveler information to motorists. The City currently
has a firewall installed at the TMC and is able to protect itself from external internet threats. It was
discovered that the City of Naples Police Department has a direct connection to the City of Naples network
and that no demarcation point was established for the routed connection from the Police Department. Another
identified network security item is that the City of Naples still utilizes default usernames and passwords.
Using default equipment usernames and passwords is a network security concern because an unauthorized
user can gain access by a simple internet search.
Lastly, it was also identified that the City does not utilize a central method for providing users access to field
equipment.
8 https://www.cisco.com/c/en/us/support/docs/security/vpn-3000-series-concentrators/7210-vrrp.html
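The default-credential and missing-central-authentication findings recorded for the County (3.1.2.4) and the City (3.1.3.4) are the kind of defect a short configuration audit can catch before a device goes into a field cabinet. The following Python script is an added example and is not the agencies' or any vendor's code; the device names, configuration text and the small set of factory-style account names are constructed for illustration. It scans IOS-style configurations for local accounts named like factory defaults or whose plaintext password equals the user name, for well-known SNMP community strings, and for whether logins are authenticated through a RADIUS or TACACS+ server group, the centralized method this report recommends.

```python
"""Flag devices that keep local factory-style accounts or lack centralized AAA.

Added example for this report; it is not Collier County's, the City's or any
vendor's code. Device names, configuration text and the small set of
factory-style account names are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed: account names typically shipped as factory defaults. In
# practice, build this set from the vendor documentation of the deployed gear.
FACTORY_STYLE_NAMES = {"admin", "cisco", "root", "manager"}
FACTORY_SNMP_COMMUNITIES = {"public", "private"}

# Constructed sample: one field switch still on local defaults, one core
# router already pointed at a RADIUS server with a break-glass local account.
DEVICE_CONFIGS: Dict[str, str] = {
    "MHUB3-SW1": """\
hostname MHUB3-SW1
username admin privilege 15 password 0 admin
snmp-server community public RO
line vty 0 4
 login local
""",
    "TMC-CORE": """\
hostname TMC-CORE
aaa new-model
aaa authentication login default group radius local
radius server ITS-RADIUS
 address ipv4 10.255.0.5 auth-port 1812 acct-port 1813
username breakglass privilege 15 secret 5 $1$placeholder$hash
snmp-server community ITS-ro-2020 RO
line vty 0 4
 login authentication default
""",
}

# username <name> [privilege N] password|secret <type> <value>
USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege \d+)? (password|secret) (\d) (\S+)", re.M
)


def audit_device(config: str) -> Dict[str, object]:
    """Return the credential and AAA findings for one device configuration."""
    factory_accounts: List[str] = []
    cleartext_accounts: List[str] = []
    for name, kind, enc_type, value in USERNAME_RE.findall(config):
        # Factory-style name, or a type-0 (plaintext) password equal to the name.
        if name.lower() in FACTORY_STYLE_NAMES or (enc_type == "0" and value == name):
            factory_accounts.append(name)
        if kind == "password" and enc_type == "0":
            cleartext_accounts.append(name)
    communities = re.findall(r"^snmp-server community (\S+)", config, re.M)
    top_level = config.splitlines()
    has_aaa_model = "aaa new-model" in top_level
    has_server = re.search(
        r"^(radius server |radius-server host |tacacs server )", config, re.M
    ) is not None
    # Login method list must reference a server group, not only local users.
    login_uses_group = re.search(
        r"^aaa authentication login \S+ .*\bgroup\b", config, re.M
    ) is not None
    return {
        "factory_accounts": factory_accounts,
        "cleartext_accounts": cleartext_accounts,
        "factory_snmp": any(c in FACTORY_SNMP_COMMUNITIES for c in communities),
        "centralized_aaa": has_aaa_model and has_server and login_uses_group,
    }


def audit_fleet(configs: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Run audit_device over every configuration, keyed by device name."""
    return {device: audit_device(text) for device, text in configs.items()}


def devices_needing_attention(configs: Dict[str, str]) -> List[str]:
    """Names of devices with at least one finding, for the remediation work list."""
    flagged = []
    for device, f in audit_fleet(configs).items():
        if (f["factory_accounts"] or f["cleartext_accounts"]
                or f["factory_snmp"] or not f["centralized_aaa"]):
            flagged.append(device)
    return sorted(flagged)


if __name__ == "__main__":
    for device, findings in audit_fleet(DEVICE_CONFIGS).items():
        print(device, findings)
    print("needs attention:", devices_needing_attention(DEVICE_CONFIGS))
```

A break-glass local account that is only reachable when the RADIUS group is unavailable (the `local` fallback in the method list) is normal practice; the audit therefore flags local accounts by their name and password type, not by their mere presence.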
Table 3-1: Discovered Areas of Concern
The table below identifies the areas of concern found when auditing the stakeholder networks, in tabular form.

| Section ID | Discovered Concern | Potential Impact | Agency |
| 3.1.1.4 | No network security items are proposed for Regional Partner external connections. | Cyber threats can be transmitted either from or to the project stakeholders. | FDOT District One |
| 3.1.2.1 | The Layer 2 field rings are comprised of multiple switch vendors such as Cisco 2955 and RuggedCom RS900G switches. | In some cases, various vendors implement Layer 2 protocols differently, which causes compatibility issues between the switches and can cause network disruptions. | Collier County |
| 3.1.2.1 | Numerous core networking equipment are performing unnecessary switching and routing. The core network in the TMC has two (2) Cisco ME3400E switches, one (1) Cisco C3560 switch, one (1) Cisco C2950 switch, one (1) HP 2530-24G switch, one (1) RuggedCom RS900G switch and one (1) Cisco ASA 5506 firewall. | Due to the amount of TMC equipment that can switch or route, additional network latency can be caused, including communication failure due to equipment malfunction. | Collier County |
| 3.1.2.1 | Each MHUB was found to be a non-redundant Layer 2 connection from the TMC core network with all routing taking place at the TMC. | If a MHUB were to fail, it would potentially hinder ITS communications to all downstream MHUBs, causing an unwanted network outage. | Collier County |
| 3.1.2.1 | MHUB3 was found to have two (2) Cisco ME3400E switches which supply local HUB switch rings and two (2) non-redundant connections to additional hubs: one link to MHUB4 and one link to MHUB5. | By having two (2) switches and a non-redundant connection at the core routers, this equipment configuration can cause a single point of failure and potential network failure, because all routing occurs at the TMC location. | Collier County |
| 3.1.2.1 | The ITS network includes Cisco ME3400E switches at the core and MHUB levels which are EOL. | Because the switches are end of life, if either experienced a hardware failure, the County will not receive support or a replacement switch. | Collier County |
| 3.1.2.1 | No network redundancy was identified between MHUB 5 and the TMC. | If a fiber optic cable cut were to occur, no redundant optical path is available to reroute within the network. | Collier County |
| 3.1.2.1 | No current method of video routing was identified in the County core configurations. | Collier County would not be able to send or receive any partner video streams. | Collier County |
| 3.1.2.4 | No current user authorization or authentication is deployed. | No centralized method to provide user credentials and access to the device. | Collier County |
| 3.1.2.4 | A router was found attached to the TMC core which supplies a secure tunnel for the Apollo Street Light System. | The Apollo router is managed and accessed by the vendor. An external internet connection is managed by a third party and Collier County does not have access to the Apollo router, causing a network security concern. | Collier County |
| 3.1.2.4 | Collier County also utilizes default user accounts for a number of ITS devices. | Using default equipment usernames and passwords is a network security concern because an unauthorized user can gain access by a simple internet search. | Collier County |
| 3.1.3.1 | ITS network is comprised of two (2) core Layer 3 Cisco ME3400G switches located at City of Naples’ TMC. | By having two (2) switches and a non-redundant connection at the core routers, this equipment configuration can cause a single point of failure and potential network failure, because all routing occurs at the TMC location. | City of Naples |
| 3.1.3.1 | Most of the ITS field rings terminate both sides of the ring on one of the ME3400Gs. | Since each ITS ring terminates on a single ME3400G, if one router were to fail, Ethernet communications would be halted. | City of Naples |
| 3.1.3.1 | Network Equipment Concern: current Cisco ME3400Gs are EOL. | Because the switches are at end of life, if either experienced a hardware failure, the City of Naples will not receive support or a replacement switch. | City of Naples |
| 3.1.3.1 | Network devices do not have a redundant power source at all locations. | Loss of power will result in a loss of ITS network device communication. | City of Naples |
| 3.1.3.3 | No network demarcation point was established for the routed connection from Collier County. | Having a network demarcation point would allow the City of Naples to mitigate or disconnect from Collier County if a broadcast storm were detected. | City of Naples |
| 3.1.3.4 | No network demarcation point was established for the routed connection from the City of Naples Police Department. | Having a network demarcation point would allow the City of Naples to mitigate or disconnect from the Police Department if a broadcast storm were detected. | City of Naples |
| 3.1.3.4 | City of Naples also utilizes default user accounts for a number of ITS devices. | Using default equipment usernames and passwords is a network security concern because an unauthorized user can gain access by a simple internet search. | City of Naples |
| 3.1.3.4 | No current user authorization or authentication is deployed. | No centralized method to provide user credentials and access to the device. | City of Naples |
3.2 Proposed Network Improvements
To support the Federal Highway Administration (FHWA) Open Bid Policy, all recommendations were
developed from a vendor-agnostic perspective. Brand names were identified only to obtain a Manufacturer
Suggested Retail Price (MSRP) for budgetary purposes.
3.2.1 Florida Department of Transportation District One
3.2.1.1 Network Architecture Topology
FDOT District One recently completed an upgrade of their network equipment at the core and MHUB
locations. The only topology change for FDOT District One will include adding a connection to both the County
and the City at the MHUB near the Alligator Alley Toll Plaza and the FDOT District One SWIFT SunGuide®
Center. A single one (1) gigabit (Gb) connection at this location will be installed to allow for video and data
sharing with the County and City.
3.2.1.2 Layer 2 (Data Link) and VLANs
No Layer 2 (Data Link) or VLAN improvements were identified.
3.2.1.3 Layer 3 (Network) Routing Protocols
No Layer 3 (Network) or routing protocol improvements were identified.
3.2.1.4 Network Security
FDOT District One currently utilizes an existing firewall and stated they would be migrating this firewall from
the SWIFT SunGuide® Center to the FDOT District One Headquarters building located in Bartow, Florida. The
primary function of the migrated firewall would be to provide secondary internet access to the ITS and traffic
signal network. The migration would also allow the network team to purchase a systemwide firewall to secure
the existing stakeholder connections, which are currently secured by Access Control Lists (ACLs) that deny all
traffic unless a predefined rule or policy exists. It is suggested to install another firewall appliance in-line with
the proposed stakeholder connection at the Alligator Alley Toll Plaza MHUB, as the current firewall deployed
at the SWIFT SunGuide® Center does not support Source Specific Multicast (SSM). SSM is a datagram delivery
model that best supports one-to-many applications, also known as broadcast applications, and is a core
networking technology for the Cisco implementation of IP multicast solutions targeted for audio and video
broadcast application environments.9 The in-line firewall will allow FDOT District One’s network security staff
to protect the FDOT District One network from unwanted cyber security issues. In addition, this firewall will
also provide logical separation from the stakeholders’ existing networks by effectively isolating all networks
from external threats. All network security equipment will be purchased, installed, and configured by FDOT
District One’s internal network engineering staff.
It is important that all of the network equipment be updated to the latest stable firmware so that all identified
security vulnerabilities are patched and no longer exposed.
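The deny-all-unless-permitted behaviour described above for the ACLs on the stakeholder connections can be reasoned about with a small evaluator. The Python block below is an added example, not FDOT District One's configuration: the address ranges, rule set and flows are constructed placeholders. It models a demarcation ACL applied to traffic arriving from the partner side that permits only the PIM control plane, MSDP peering (TCP port 639) and the video multicast groups, with an explicit deny for the rest of the partner space (so those hits can be logged) and the implicit deny for anything else, and it returns which rule each flow matched.

```python
"""Evaluate an ordered, deny-by-default access list against sample flows.

Added example for this report; it is not FDOT District One's configuration.
The address ranges, rule set and flows are constructed placeholders in
RFC 1918 and administratively scoped multicast space.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp", "udp", "pim"
    src: str                     # source prefix, CIDR
    dst: str                     # destination prefix, CIDR
    dport: Optional[int] = None  # destination port for tcp/udp; None = any


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# Constructed prefixes for the demarcation between the partner and FDOT.
FDOT_ROUTER = "10.10.0.0/24"       # constructed
COUNTY_ROUTER = "10.20.0.0/24"     # constructed
COUNTY_CAMERAS = "10.20.50.0/24"   # constructed
COUNTY_NET = "10.20.0.0/16"        # constructed
FDOT_NET = "10.10.0.0/16"          # constructed
VIDEO_GROUPS = "239.0.0.0/8"       # administratively scoped multicast range

# Ordered ACL seen inbound from the partner link. First match wins; a flow
# that matches nothing falls to the implicit deny at the end of every ACL.
STAKEHOLDER_ACL: List[Rule] = [
    Rule("permit", "pim", COUNTY_ROUTER, FDOT_ROUTER),            # multicast control plane
    Rule("permit", "tcp", COUNTY_ROUTER, FDOT_ROUTER, dport=639),  # MSDP peering
    Rule("permit", "udp", COUNTY_CAMERAS, VIDEO_GROUPS),           # shared video streams
    Rule("deny", "ip", COUNTY_NET, FDOT_NET),                      # explicit deny, logged
]


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls within every field of the rule."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index None is the implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, flow):
            return rule.action, index
    return "deny", None


# Constructed flows as they would arrive at the FDOT-side demarcation router.
SAMPLE_FLOWS: List[Flow] = [
    Flow("pim", "10.20.0.1", "10.10.0.1"),          # PIM hello from the County router
    Flow("tcp", "10.20.0.1", "10.10.0.1", 639),      # MSDP session from the County router
    Flow("udp", "10.20.50.7", "239.1.2.3", 5004),    # County camera multicast to a video group
    Flow("tcp", "10.20.7.9", "10.10.0.1", 22),       # SSH from a County host: explicit deny
    Flow("udp", "10.30.4.4", "239.1.2.3", 5004),     # non-County source: implicit deny
]


def summarize(acl: List[Rule], flows: List[Flow]) -> List[str]:
    """One line per flow with the decision and the rule that produced it."""
    out = []
    for f in flows:
        action, index = evaluate(acl, f)
        rule_id = "implicit" if index is None else str(index)
        out.append(f"{f.proto} {f.src} -> {f.dst}:{f.dport} {action} (rule {rule_id})")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(STAKEHOLDER_ACL, SAMPLE_FLOWS)))
```

Keeping the explicit deny for the partner prefix as the last rule, ahead of the implicit deny, is what makes the blocked attempts from the partner network visible in the logs; the implicit deny still catches spoofed or unexpected sources, but silently.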
3.2.2 Collier County
3.2.2.1 Network Architecture Topology
After a review of the County’s network documentation of the fiber optic infrastructure, network logical
diagrams and the network equipment configuration files, a few items were identified that can improve the
efficiency of the existing network and allow for easier daily maintenance for the County’s network
administrator. These recommendations will also facilitate the proposed data and video connection to FDOT
District One.
As part of the LAP agreement, it is recommended to replace each of the Cisco ME3400E switches with
updated switches. This will enable the County to receive hardware and software support from the vendor.
Also, the County requires a Layer 2 switch that can continue passing fiber optic traffic when the switch is
powered off. To meet this requirement, it is recommended to purchase and install Layer 2 switches capable
of optical bypass, which enables self-healing rings. There was also an additional requirement to identify
equipment manufacturer warranties and support contracts in order to keep up with current firmware patches
and receive support in the event of an equipment failure. Finally, as requested by FDOT Central Office, there is
a need to change IP addresses to integrate with the existing FDOT Statewide ITS WAN network. Additional
funds were identified for the warranties and IP address changes in Table 7-1, the Engineer’s Cost
Estimate.
To reduce the amount of network equipment to manage and maintain, the recommendation is to consolidate
the existing connections, which are currently connected to the TOR and applicable field rings on a proposed
aggregation switch to increase the existing port capacity and decrease switch processor overhead.
9 https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/imc-pim-xe-3e/imc-ss-mc.pdf
Another recommendation would be to utilize the core routers, which are capable of deploying MSDP for
multicast sharing. MSDP will be required to establish a multicast peering with the City and FDOT District
One.
With respect to Layer 3 routing, it is recommended to establish redundant point-to-point connections
between each MHUB and the TMC and Emergency Service Center (ESC) using a dynamic routing protocol
such as EIGRP or Open Shortest Path First (OSPF). This will greatly reduce the administrative overhead of
managing the network and reduce the potential for network outages due to broadcast storms. If a network
misconfiguration in the field were to create a broadcast storm, the core router’s performance would be
negatively impacted; shifting routing to the MHUB locations mitigates the current single point of failure at the
TMC, where all routing takes place today. The proposed routers are capable of routing the field networks from
the MHUB locations to the TMC. The proposed routers will have a greater port density than the existing Cisco
ME3400Es, which reduces the number of chassis needed as well as the annual warranty and support costs.
Adding redundant MHUB point-to-point links increases system resiliency to fiber cuts and equipment failure
at the MHUB locations. A supplemental benefit of the proposed deployment is the network staff’s familiarity
with the Command Line Interface (CLI) and the ability of each stakeholder to assist the other if additional
assistance is needed. Lastly, it is suggested to replace the Cisco ME3400Es, as the last day of software
maintenance releases will be October 3, 2019 and the End of Sale for these units was October 3, 2018. In
addition, the Cisco 2955 switches are also recommended for replacement because the last date of all support
services was July 31, 2018.
An alternative proposal is to consolidate network connections at the MHUB locations. Consolidating the
connections would allow for future expansion using existing equipment if needed. The recommendation is
to consolidate connections at MHUB3 onto one (1) router, freeing up a pair of fibers for a direct connection
from the TMC to MHUB5. It is also proposed to build additional optical redundancy into the network by
utilizing additional optical fiber along CR951 from MHUB5 to the ESC, providing a redundant routed path
from MHUB5 to the TMC by way of the ESC. With a redundant optical connection, the primary connection
could be lost without any impact to end users.
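The redundancy argument in the paragraphs above can be checked mechanically by asking, for each link, which hubs lose their path to the TMC if only that link fails. The Python block below is an added example, not the County's or Metric Engineering's code. Its existing topology takes the MHUB3 spurs to MHUB4 and MHUB5 from Section 3.1.2.1, while the direct TMC links to MHUB1 and MHUB2 and the existing TMC-ESC link are assumptions made for illustration; the proposed topology adds the direct TMC-MHUB5 fiber and the MHUB5-ESC path described above. It also models a hub losing power entirely, the no-UPS case noted in 3.1.2.1.

```python
"""Single-point-of-failure check for the County hub topology.

Added example for this report, not the County's or Metric Engineering's
code. The MHUB3 spurs to MHUB4 and MHUB5 come from Section 3.1.2.1; the
direct TMC links to MHUB1/MHUB2 and the TMC-ESC link are assumptions.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, Set

Link = FrozenSet[str]


def link(a: str, b: str) -> Link:
    """Undirected fiber link between two sites."""
    return frozenset((a, b))


# Existing: every MHUB has a single path to the TMC; MHUB4/5 hang off MHUB3.
EXISTING: Set[Link] = {
    link("TMC", "MHUB1"), link("TMC", "MHUB2"), link("TMC", "MHUB3"),
    link("MHUB3", "MHUB4"), link("MHUB3", "MHUB5"),
}

# Alternative proposal: direct TMC-MHUB5 fiber freed at MHUB3, plus the
# CR951 fiber from MHUB5 to the ESC and the (assumed) existing TMC-ESC link.
PROPOSED: Set[Link] = EXISTING | {
    link("TMC", "MHUB5"), link("MHUB5", "ESC"), link("TMC", "ESC"),
}


def nodes(links: Iterable[Link]) -> Set[str]:
    """All sites that appear on at least one link."""
    return {site for l in links for site in l}


def reachable(links: Set[Link], root: str, failed_nodes: Iterable[str] = ()) -> Set[str]:
    """Breadth-first search from the routing core over the surviving links;
    links touching a failed (powered-off) node are treated as dark."""
    failed = set(failed_nodes)
    adj: Dict[str, Set[str]] = {}
    for l in links:
        a, b = tuple(l)
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen = {root}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_points_of_failure(links: Set[Link], root: str = "TMC") -> Dict[Link, Set[str]]:
    """For each link whose loss isolates something, the sites cut off from the root."""
    all_sites = nodes(links)
    spof: Dict[Link, Set[str]] = {}
    for l in links:
        lost = all_sites - reachable(links - {l}, root)
        if lost:
            spof[l] = lost
    return spof


def hub_power_loss(links: Set[Link], hub: str, root: str = "TMC") -> Set[str]:
    """Sites isolated when one hub loses power (no UPS): all of its links go dark."""
    return nodes(links) - {hub} - reachable(links, root, failed_nodes={hub})


if __name__ == "__main__":
    for name, topo in (("existing", EXISTING), ("proposed", PROPOSED)):
        print(name)
        for l, lost in sorted(single_points_of_failure(topo).items(), key=lambda kv: sorted(kv[0])):
            print("  cut", "-".join(sorted(l)), "isolates", sorted(lost))
        print("  MHUB3 power loss isolates", sorted(hub_power_loss(topo, "MHUB3")))
```

In this constructed graph the proposed paths remove the TMC-MHUB3 and MHUB3-MHUB5 links from the single-point-of-failure list, but MHUB4 remains on a spur; the tool makes that residual exposure explicit, which is the point of re-running it after each planned fiber change.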
Another recommendation for the County is to establish a proposed connection to the remaining stakeholders
by implementing MSDP peering between FDOT District One, the City of Naples and Collier County for
multicast video sharing. This will ensure proper segmentation while providing full video service to and from
each agency.
The final recommendation is to upgrade the connection between the TMC and the EOC to ten (10) gigabit.
The increased bandwidth will allow the data replication of the Storage Area Network (SAN) between these
sites to be more efficient and will allow the replication of data between the primary and back-up locations to
take less time to complete.
Figure 3-4: Collier County Proposed Network and Communications Logical Diagram
3.2.2.2 Layer 2 (Data Link) and VLANs
The recommendation is to install and configure the same type of Layer 2 field switch in every field cabinet.
Deploying a higher port density switch at each cabinet location will reduce deployment times and the need to
purchase additional Layer 2 switches as stand-by replacements. An update of the existing VLAN structure is
also proposed. Each switch and VLAN configuration will be consistent across the entire network and will only
transmit the VLAN traffic that is required at each ITS device location. It is also recommended that the City
installs UPSs at the TMC and at each MHUB location to ensure all networking equipment remains active during
a power outage and is guarded against power surges and brownouts. This also provides “clean” power to the
ITS network equipment if the traffic signal is powered by an emergency generator.
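The recommendation above to transmit only the VLANs required at each location, and the finding in 3.1.2.2 that most field switch fiber ports are tagged with all VLANs whether they are used or not, can both be checked with a configuration audit. The Python block below is an added example, not Collier County's, the City's or any vendor's code; the interface names, VLAN numbers and address in the sample configuration are constructed. It groups an IOS-style configuration into interface stanzas, treats a VLAN as used on a switch when it has an access port or an SVI, and reports trunk ports with no allowed-VLAN list (which carry every defined VLAN) as well as trunks carrying VLANs that no port on the switch consumes.

```python
"""Audit IOS-style switch configurations for VLAN trunk pruning.

Added example for this report; it is not Collier County's, the City's or any
vendor's code. Interface names, VLAN numbers and the SVI address below are
constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: one unpruned uplink, one trunk that explicitly carries
# every defined VLAN (including an unused one), and one correctly pruned trunk.
SAMPLE_CONFIG = """\
vlan 10
 name ITS-MGMT
vlan 20
 name CCTV
vlan 30
 name SIGNALS
vlan 40
 name LEGACY-UNUSED
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,30
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 30
"""


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines under each 'interface <name>' stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level line closes the stanza
    return stanzas


def locally_used_vlans(stanzas: Dict[str, List[str]]) -> Set[int]:
    """A VLAN is 'used' on this switch if it has an access port or an SVI."""
    used: Set[int] = set()
    for name, lines in stanzas.items():
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi:
            used.add(int(svi.group(1)))
        for line in lines:
            access = re.fullmatch(r"switchport access vlan (\d+)", line)
            if access:
                used.add(int(access.group(1)))
    return used


def audit_trunks(config: str) -> Dict[str, dict]:
    """Per trunk port: whether it is pruned, which VLANs it carries, and which
    carried VLANs have no consumer on this switch."""
    stanzas = parse_interfaces(config)
    used = locally_used_vlans(stanzas)
    defined = {int(v) for v in re.findall(r"^vlan (\d+)$", config, re.M)}
    findings: Dict[str, dict] = {}
    for name, lines in stanzas.items():
        if "switchport mode trunk" not in lines:
            continue
        allowed: Optional[Set[int]] = None
        for line in lines:
            m = re.fullmatch(r"switchport trunk allowed vlan (.+)", line)
            if m:
                allowed = parse_vlan_list(m.group(1))
        # An unpruned trunk forwards every VLAN the switch has defined.
        carried = defined if allowed is None else allowed
        findings[name] = {
            "pruned": allowed is not None,
            "carried": carried,
            "unused_locally": carried - used,
        }
    return findings


if __name__ == "__main__":
    for port, finding in audit_trunks(SAMPLE_CONFIG).items():
        print(port, finding)
```

On a daisy-chained ring a VLAN with no consumer on one switch may still be needed by a cabinet further down the ring, so the `unused_locally` list is a review prompt for the network administrator rather than a list of VLANs to remove automatically; the `pruned` flag, by contrast, is unambiguous.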
3.2.2.3 Layer 3 (Network) Routing Protocols
The first Layer 3 recommendation would be for the County to create a point-to-point network connection to
FDOT District One and one to the City. Once the connection is established, it is recommended to implement
MSDP peering between FDOT District One and the City for multicast video sharing which will ensure proper
network segmentation while providing full video streaming between each agency. The second
recommendation would be to create a point-to-point routed connection between each MHUB router and the
proposed core to facilitate the dynamic routing between each router. Also, by moving their routed gateways
to their respective MHUB locations, it will reduce the amount of network latency and also the core router
processor overhead.
3.2.2.4 Network Security
It is suggested to configure the proposed firewall appliance and install this device in-line with the new
stakeholder connections. The installation of the proposed firewall will allow the County network security staff
to protect the County network from unwanted cyber-attacks and other external threats from partner agencies
and also allow external access to their network securely if direct network access is not available. The external
access is not a traditional VPN connection but a secured internet connection also known as a secure tunnel.
To ensure external information is routed correctly, the configuration of ACLs is recommended at the router
locations to designate which networks are allowed to access the remote agency network or be routed to the
firewall for existing verification. This proposed firewall will also provide network logical separation from the
stakeholders’ existing network by effectively isolating all networks from external threats. Finally, the County
should assume management of the Apollo machine to ensure all proper network security policies are
implemented and validated.
In addition to the installation of a new firewall, it is also recommended that the County installs a Remote
Authentication Dial-In User Service (RADIUS) server. RADIUS is a client/server protocol and software that
enables remote access servers to communicate with a central server to authenticate dial-in users and
authorize their access to the requested system or service. Ultimately, the server provides better security,
allowing an institution to set up a policy that can be applied from a single administered network point, which
makes it easier to track usage for billing and to keep network statistics. [10][11]
It is recommended that the County change the default user credentials on ITS and ATMS devices and
implement a solution that provides a centralized method of managing user credentials and access to each
device. One option is to use a RADIUS server, which associates an authenticated user group and access level
with each field device and limits individuals who are trying to access the network without the appropriate
credentials. For instance, if a new traffic signal project required network access, Collier County could create a
unique username and password for each technician. Once the project is completed, Collier County could then
delete the temporary users from a single location instead of having to reconfigure each network device to
remove the users. Not all devices are capable of communicating with a RADIUS server; in that case, another
method, such as manual configuration or the development of a script, may be used. These security
recommendations include performing an extensive audit of devices and users which have access, or could
potentially access, the network remotely via the VPN connection.
[10] https://searchsecurity.techtarget.com/definition/RADIUS
[11] https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/12433-32.html
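To make the client/server exchange described above concrete, the following is an added example (not code from the report or from any RADIUS product): a field device builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, a central user table answers it, and the device verifies the reply's Response Authenticator. The shared secret, usernames, NAS address and the ISO-date account expiry are constructed values; the expiry stands in for removing a project's temporary technician accounts in one place.

```python
import hashlib
import secrets
import socket
import struct

# RFC 2865 packet codes and the attribute types used in this example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _xor_chain(data, secret, request_auth, hiding):
    """RFC 2865 section 5.2: each 16-octet block is XORed with MD5(secret + previous
    ciphertext block); the chain is seeded with the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(data[i:i + 16], block))
        out += chunk
        prev = chunk if hiding else data[i:i + 16]  # always chain on the ciphertext block
    return out

def hide_password(password, secret, request_auth):
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to a 16-octet multiple
    return _xor_chain(padded, secret, request_auth, hiding=True)

def reveal_password(hidden, secret, request_auth):
    if not hidden or len(hidden) % 16:
        raise ValueError("malformed User-Password attribute")
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad packet length")
    return pkt[0], pkt[1], pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()

# --- NAS (field switch or router) side ---
def access_request(ident, username, password, secret, nas_ip):
    request_auth = secrets.token_bytes(16)  # fresh random Request Authenticator
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def verify_response(response, request, secret):
    """Return (authentic, code). The NAS trusts only a reply whose Response Authenticator
    was computed with the shared secret over the Request Authenticator it sent."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, request_auth, _ = parse_packet(request)
    expected = response_authenticator(code, ident, request_auth, response[20:], secret)
    return ident == req_ident and secrets.compare_digest(resp_auth, expected), code

# --- RADIUS server side ---
def password_digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)

def handle_request(request, secret, users, today):
    """users is the constructed central table {name: (salt, digest, expiry_iso_date)}; a
    project's temporary technician accounts are expired or deleted here, not per device."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    name = a.get(USER_NAME, b"").decode("utf-8", "replace")
    hidden, ok = a.get(USER_PASSWORD), False
    if name in users and hidden:
        salt, digest, expires = users[name]
        password = reveal_password(hidden, secret, request_auth)
        ok = today <= expires and secrets.compare_digest(password_digest(password, salt), digest)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return build_packet(reply_code, ident, auth, [])
```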
3.2.3 City of Naples
3.2.3.1 Network Architecture Topology
As it relates to the network architecture, it is recommended that the City replaces the existing EOL Cisco
Catalyst 3400s and installs two (2) new up-to-date switches in a stacked configuration. Stacking the proposed
switches will allow for management of both switches as one logical switch while providing physical
redundancy for the ITS rings. Additionally, by upgrading the core switches at the TMC to newer models, the
City of Naples will have vendor hardware support and warranty which is needed to mitigate any firmware or
network connectivity issues. A key benefit of implementing a stacked core configuration is that the existing ITS
device rings will diversely connect to the stack, which will provide physical redundancy and help prevent a
potential loss of communications to the field devices if one of the field switches fails.
Figure 3-5: City of Naples Proposed Network and Communications Logical Diagram
3.2.3.2 Layer 2 (Data Link) and VLANs
The City currently uses ITS Express 8040 with optical bypass monitoring; however, the switches are no
longer under warranty. It is recommended to upgrade the existing switch to the latest model to ensure
warranty and support for future issues. It is also recommended that the City installs UPSs at the TMC location
to ensure all networking equipment remains active during a power outage and is guarded against power
surges and brownouts. This also provides “clean” power to the ITS network equipment if the traffic signal
were to be powered by an emergency generator.
For the VLAN structure, the recommendation is to segment the multicast video from the legacy signal
equipment. By segmenting the video, this will allow for legacy traffic signal devices to be unaffected by the
multicast data which could possibly cause the legacy device to continuously reboot.
3.2.3.3 Layer 3 (Network) Routing Protocols
From a Layer 3 perspective, it is recommended that the City establish a point-to-point network connection to
the remaining stakeholders. As with FDOT District One and the County, the City would need to implement
MSDP peering between FDOT District One and Collier County for multicast video sharing. This ensures
proper segmentation while providing full video service to and from each agency. As VRRP was considered,
it is recommended to configure both proposed switches in a stacked chassis.
As indicated above, the City should implement MSDP peering between the City of Naples, Collier County,
and FDOT District One for multicast video and data sharing. MSDP allows each multicast domain to advertise
ITS multicast sources within the group to the local RP. All RPs will reside on separate network domains and
will facilitate the discovery and sharing of all the different stakeholder video streams or camera feeds and will
be routed to the requesting network user. The use of the MSDP protocol will be required to share roadside
(multicast) video between all the stakeholders. The deployment of MSDP peering creates best-practice PIM-SM
boundaries between the City of Naples and Collier County. Finally, upgrading the core switches to Cisco
C3850s is necessary to enable MSDP capabilities, as the existing Cisco ME3400Gs do not support the
required MSDP.
3.2.3.4 Network Security
The City does not currently have a firewall in place to protect against external threats. It is recommended that
the City purchase a firewall for this purpose. The firewall will also serve as a security gateway to external
networks and will allow the City to implement additional network security measures. This proposed firewall
will also provide a secure demarcation point for the City of Naples Police Department which is currently
directly connected to the City of Naples traffic network and video control server.
It is also suggested that the City utilize a central method for providing users access to field equipment. The
recommended method would be the use of a RADIUS server. For devices that are not capable of
communicating to a RADIUS server, it is recommended to manually update user admin credentials
periodically or use a script to perform this action.
It was discovered that the signal controllers, MMUs, UPS, workstations, and servers were only being
managed by a single administrator account. In contrast, the VDG Sense video software was the only system
which had unique usernames and passwords with different levels of access depending on their current
position. The final recommendation would be to remove default credentials from ITS field devices and assign
a unique username and password to each employee who has access to the network. A single shared
administrator password does not allow network configuration changes to be tracked or staff to be held
accountable for them.
3.2.4 Proposed Network Improvements
Below is a synopsis of the proposed network improvements in a tabular format.
Table 3-2: Proposed Network Improvement Items
Recommendation Identifier | Recommendations | Benefits | Agency
3.2.1.4 | Suggest purchasing a new firewall appliance and installing this device in-line with the proposed stakeholder connection at the Alligator Alley Toll Plaza MHUB. | Protect the Department from unwanted stakeholder cyber threats and provide a routed demarcation point. | FDOT District One
3.2.2.1 | Suggest replacing the Cisco ME3400Es. Last day of software maintenance releases will be October 3, 2019. End of Sale for ME3400s was October 3, 2018. | Due to the switches being at the end of life, if the switches experienced a hardware failure, the County would not receive support or a replacement switch. | Collier County
3.2.2.1 | Recommend replacing the RuggedCom RS900G with a switch with a higher port capacity and with the optical bypass feature. Also, suggest replacing the Layer 2 Cisco 2955s. Last date of all support services for the C2955 was July 31, 2018. | Allows the Layer 2 switch to pass optical traffic if the switch were to lose power or fail. Additionally, due to the switches being at the end of life, if either unit experienced a hardware failure, the County would not receive support or a replacement switch. | Collier County
3.2.2.1 | Proposed routers are fully Layer 3 capable, allowing routing of the field networks to be moved from the TMC out to the MHUB locations. | If a network misconfiguration occurs in the field, creating a broadcast storm, the core router’s performance will be negatively impacted; moving all routing to the MHUB locations mitigates the current single point of failure at the TMC for all routing. | Collier County
3.2.2.1 | Utilize fiber along CR951 from MHUB5 to the ESC to provide a redundant routed path from MHUB5 to the TMC by way of the ESC. | A redundant optical connection would allow for the primary connection to be lost with no impact seen by the end users. | Collier County
3.2.2.1 | Deploy the County-owned Cisco 6509-E to enable MSDP capabilities, as the existing Cisco ME3400Es do not support MSDP. | Without it, Collier County would be unable to send or receive any partner video streams. | Collier County
3.2.2.1 | Add redundant MHUB point-to-point links. | Will increase system resiliency to fiber cuts and equipment failures at the MHUB locations. | Collier County
3.2.2.1 | Consolidate fiber connections. | By consolidating the connections, it would allow for future expansion using existing equipment if needed. | Collier County
3.2.2.2 | Install Uninterruptible Power Supplies at all MHUB locations and the TMC. | Will keep equipment operational during a power outage and provide clean power when the cabinet is connected to an external generator. | Collier County
3.2.2.4 | Install a RADIUS server for user authentication. | Have the ability to manage all ITS/TOR/Active Directory from a single location and interface. | Collier County
3.2.2.4 | Eliminate default user credentials and assign each user a unique username and password. | This will prevent any user from retrieving the default credentials from the internet and using these identified credentials to access the ITS network. | Collier County
3.2.2.4 | Obtain network management and control of the Apollo router. Reconfigure with proper network security protocols. | Will allow Collier County to mitigate external internet threats which could be introduced by the third-party vendor. | Collier County
3.2.3.1 | Upgrade the EOL Cisco ME3400G switches to an updated model with upgraded features and manufacturer support. | Due to the switches being at the end of life, if either device experienced a hardware failure, the City of Naples would not receive support or a replacement switch. | City of Naples
3.2.3.1 | Utilize two (2) new Cisco C3850s in a stack to manage as one (1) logical switch while providing physical redundancy for the field ITS rings. | Provides network resiliency in the form of redundant routing engines and network expansion flexibility with minimal impact to a configuration. | City of Naples
3.2.3.1 | Ensure all field rings are diverse across the Cisco C3850s switches. | This will ensure that if one of the stacked chassis switches fails, it will fail over to a single router; no physical intervention is required. | City of Naples
3.2.3.2 | Install an Uninterruptible Power Supply at the TMC location. | To provide auxiliary power during power outages and brownouts to ensure service continuity. | City of Naples
3.2.3.2 | Purchase new Layer 2 field Ethernet switches with the optical bypass feature. | Will allow the optical signal to be transmitted if power to the switch were lost, allowing downstream Ethernet communications to remain online. | City of Naples
3.2.3.4 | Purchase and install a firewall to use as a demarcation point for routed connections from other agencies. | To protect the City of Naples from unwanted stakeholder cyber threats and to provide a routed demarcation point. | City of Naples
3.2.3.4 | Purchase and install a firewall to use as a demarcation point for the routed connection from the City of Naples Police Department. | To protect the City of Naples from unwanted stakeholder cyber threats and to provide a routed demarcation point. | City of Naples
3.2.3.4 | Install a RADIUS server for user authentication. | Have the ability to manage all ITS/TOR/Active Directory from a single location and interface. | City of Naples
3.2.3.4 | Eliminate default user credentials and assign each user a unique username and password. | This will prevent any user from retrieving the default credentials from the internet and using these identified credentials to access the ITS network. | City of Naples
4. Proposed Regional Network Strategies
4.1 Proposed Network Architecture Design
In the network topology below, FDOT District One will establish a routed connection to Collier County’s
Master Hub Five from which Collier County will utilize a Layer 2 Tunnel to carry the routed connections back
to the firewall at the Collier County TMC. Once routed communications are established, the MSDP protocol
will be used to facilitate video sharing.
The City of Naples will also establish a routed connection to Collier County who will then share their unicast
and multicast data with FDOT District One and Collier County by the previously mentioned routing protocols.
Figure 4-1: Proposed Regional Network Architecture Diagram
4.1.1 Proposed Internet Protocol (IP) Schematic
FDOT District One received IP address allocations for the ITS network from FDOT Central Office for the
district and ITS local transportation agencies. It was the responsibility of each FDOT district to allocate IP
addresses to each local agency. As part of this network review, Metric Engineering was requested to review
the existing IP schematic for both the County and City and recommend a new IP schematic based on the IP
allocations provided by FDOT District One. Metric Engineering consulted with each FDOT District One
stakeholder to identify each of the needs as it relates to IP networks and hosts per network to determine an
appropriate IP schematic.
4.1.1.1 Florida Department of Transportation District One
FDOT District One’s network has previously been configured to use the updated IP schematic allocated by
FDOT Central Office. No changes to the existing FDOT District One IP address scheme are proposed at this
time.
4.1.1.2 Collier County
The County’s existing IP scheme and list of existing traffic signal devices were provided and reviewed. It was
noticed that there is an immediate need for Collier County to reassign IP addresses to all of their existing
field equipment to meet their future network equipment requirements. After meeting with the network
engineering staff at the County, additional IP-addressable devices were identified which require network
connectivity back to the TMC, such as Connected Vehicle (CV) devices, Wireless Street Lighting (Apollo),
Sensys vehicle counters and power distribution units. This additional equipment need was used to determine
an IP schematic that would accommodate the largest potential network expansion with the least amount of
wasted IP addresses.
The current recommendation is to update the existing ITS network IP address list and assign specific ITS
network equipment into segmented VLANs. This change will facilitate the segmentation of multicast traffic,
so the data stream will not cause connectivity issues in legacy traffic signal and detection equipment and to
include the ability for future expansion. Additionally, having the traffic signal controller in the same network
as the proposed CV connections allows for a reduction in network latency, further increasing network
reliability, which is required for these devices.
The proposed IP addressing scheme was developed for the number of required addresses identified for the
proposed CCTV cameras. Collier County had informed Metric Engineering that there was a need to assign
a total of four (4) CCTV cameras per signalized intersection. This proposed assignment would allow for two
(2) CCTV cameras be placed at the intersection and one (1) mid-block camera to be placed at both the
ingress and egress of the intersection. Additional discussions and comments will need to be addressed with
FDOT District One, FDOT Central Office and Collier County collectively, because the number of multicast
addresses required would exceed the number of addresses assigned to Collier County. To ensure Collier
County remained in the assigned block of multicast addresses, Metric Engineering had to reduce the number
of cameras at each intersection. As illustrated in the sample IP Address List located in Appendix B of this
document, Metric Engineering was only able to assign each intersection a single intersection camera and a
single midblock camera.
4.1.1.3 City of Naples
Overall, the same recommendations apply to the City of Naples, as they will be connecting to the Collier
County Network; less the requirements of additional multicast addresses. The current proposal is to update
the existing ITS network IP address list and assign specific ITS network equipment into segmented VLANs.
This change will facilitate the segmentation of multicast traffic, so the data stream will not cause connectivity
issues in legacy traffic signal and detection equipment and to include the ability for future expansion.
Additionally, having the traffic signal controller in the same network as the proposed CV connections allows
for a reduction in network latency, further increasing network reliability, which is required for these devices.
4.1.2 Data and Multicast Sharing Between Agencies
Sharing agency signal data and multicast video between each of the stakeholders has great benefit for each
agency. A benefit to sharing data between agencies is that each governing agency will be able to participate
in joint incident management, signal performance measures and/or coordination of traffic signals to increase
the roadway capacities. The stakeholders can then have immediate access to their partner agencies to obtain
real time traffic data. Finally, each stakeholder can access the signal data both inside and outside their
jurisdiction to obtain the signal/video images to assist with incident management with each respective TMC.
To share multicast video between the required agencies, Metric Engineering proposes that each agency
establish a dynamically routed point-to-point connection to one another to deploy MSDP peering to
interconnect the three (3) Protocol Independent Multicast (PIM) domains. This method allows the network
equipment to reroute multicast data during an outage and also dynamically learn new multicast devices to
share with other agencies without external intervention.
4.1.2.1 Florida Department of Transportation District One
FDOT District One currently shares their multicast streams with other local agencies (i.e. Manatee County,
Sarasota County) using the MSDP peering protocol with the Rendezvous Point (RP) router located at the
FDOT District One SWIFT TMC. The only recommendation for FDOT District One regarding data sharing
between the stakeholders is to coordinate with the other stakeholders to ensure the proper security protocols
are implemented and the multicast RP router is properly configured. This must be done prior to
interconnecting each agency to reduce the likelihood of a possible network conflict.
4.1.2.2 Collier County
Since Collier County is not currently utilizing multicast video transmission on their network, additional items
will need to be implemented in order to deploy the proposed MSDP. To begin the MSDP deployment,
Collier County would need to enable multicast transmission on each of their roadside CCTV video cameras.
The County would also need to enable Internet Group Management Protocol (IGMP) Snooping on each Layer
2 switch within the network. IGMP Snooping will allow the routers to maintain the multiple multicast
connections between the source (camera) and the router. Next, the County will need to configure their routers
for MSDP and PIM-SM. Additionally, the implementation of a static route will be required on each border
router within Collier County. Finally, the County would need to configure an RP on the ITS core router to
ensure all video is managed, collected, and then routed properly.
4.1.2.3 City of Naples
The City of Naples utilizes multicast but their network routers are not currently capable of MSDP peering.
The implementation of MSDP peering would be more focused at the core router locations and requires the
City to replace their core routers with routers that are MSDP capable. Once replaced, the City would need to
configure PIM-SM and static routing on their core router.
5. Standardization of ITS Communications Equipment
5.1 Agency Network Requirements
In an effort to standardize the method of communication between the stakeholders in the FDOT District One
region, it is recommended that each agency implement the use of standard protocols to ensure network
compatibility. Some of the protocols include, but are not limited to:
• Virtual Local Area Networks (VLAN) (IEEE 802.1Q)
• Rapid Spanning Tree Protocol (RSTP)
• Multiple Spanning Tree Protocol (MSTP)
• Per VLAN Spanning Tree (PVST+)
• Internet Group Management Protocol (IGMP) Snooping
• Dynamic Routing Protocol [i.e. Open Shortest Path First (OSPF)]
• Protocol Independent Multicast Sparse-Mode (PIM-SM)
• Multicast Source Discovery Protocol (MSDP)
5.2 Field Network Devices Standardization
The standardization of network equipment would be preferred; however, the agencies are typically acquiring
network equipment via low-bid design-build projects, which provide the most cost-effective equipment listed
on the FDOT Approved Products List (APL). Due to this limitation, Metric Engineering recommends vendor-
agnostic device standardization between all agencies. By implementing these standardizations, the
governing agency has the ability to quickly troubleshoot attached devices and identify the attached equipment
without performing additional functions such as looking up MAC addresses to identify the specific type of
device. Metric Engineering suggests the implementation of a standard port assignment for each switch. The
optical ports should be standardized as well at each location. By assigning a consistent direction to each
specific port, the administrator can quickly identify downed links, which eases the troubleshooting of optical
issues.
The proposed standard port configuration is as follows:
1. Ethernet Port One – Signal Controller
2. Ethernet Port Two – CCTV Camera
3. Ethernet Port Three – MMU
4. Ethernet Port Four – UPS
5. Ethernet Port Five – PDU
6. Ethernet Port Six – Traffic Signal Video Detection
7. Ethernet Port Seven – Port Server (MVDS)
8. Ethernet Port Eight – Bluetooth Travel Time Reader
9. Ethernet Port Nine – Technician Access Port
10. Ethernet Port Ten – Future Use
11. Optical Port One – North or West Direction
12. Optical Port Two – South or East Direction
13. Optical Port Three – Future Use
14. Optical Port Four – Future Use
5.3 Physical Redundancy - Master Hub and TMC
5.3.1 FDOT District One RTMC – SWIFT SunGuide® Center
FDOT District One has provided specific locations where Collier County and the City of Naples can connect
directly to provide redundant network communications. The first location is the FDOT District One SWIFT
SunGuide® Center. This Regional Traffic Management Center (RTMC) is located near I-75 at MM 170.3 NB.
The secondary redundant connection is the I-75 communications hub located at MM 92.5 NB, which is west
of the Edward J Beck (Alligator Alley) Toll Plaza.
5.3.2 Collier County ESC and TMC
Collier County currently has redundant communications between their core and aggregation routers except
for four (4) locations. Metric Engineering recommends adding another diverse connection between:
1. TMC core to MHUB5 = approximately 8.5 miles (13.6794 km)
2. MHUB5 to the Collier County ESC = approximately 6.5 miles (10.4607 km)
3. Collier County ESC to MHUB2 = approximately 5.8 miles (9.3342 km)
4. MHUB2 to MHUB4 = approximately 11.1 miles (17.86372 km)
The additional connections using diverse paths would provide more network redundancy to all sites including
the disaster recovery site. This will ensure all pertinent data are accessible in the event of a fiber cut, network
outage or infrastructure damage due to extreme weather.
5.3.3 City of Naples TMC
The current proposal is to implement a secondary redundant connection between the City’s TMC and the
Collier County TMC. A redundant network connection can be achieved by deploying a secondary diverse
fiber path between the City TMC and Collier County TMC. This proposed redundant path will ensure network
connectivity between the two Traffic Management Centers in the event of the primary network path being lost
due to a fiber optic cable cut.
6. User Access and Authentication
The FDOT Central Office has developed a draft high level ITS Cybersecurity Guidelines document which
outlines proper user authentication and security resource guidelines for securing a Transportation Systems
Management and Operations (TSM&O) traffic network. Similarly, this section of the document outlines many
of the common industry standards that should be followed to prevent unauthorized users from accessing
network resources. Based upon the FDOT ITS Cybersecurity Guidelines, this document suggests the
implementation of specific network security strategies for user access and authentication described below.
6.1 FDOT District One
The first security item identified pertains to physical access to network devices. All networking
equipment shall be installed in a secure area, with only approved personnel having access to the room where
the equipment is housed, and monitored by a triggered alarm system. This can be achieved by the deployment
of an electronic cabinet access control system with programmable smart keys to log access into the ITS
Cabinets. All network equipment should have the default administrator account and password changed
and/or removed upon installation. Each administrative or other network user should be provided with their
own unique administration network account.
It is recommended to enable Secure Shell (SSH) and disable Telnet on all network infrastructure as Telnet
sends a user's credentials over the network in clear text. SSH encrypts this data prior to leaving the user's
computer. Finally, the use of an external RADIUS authentication or other secure technology should be
implemented for additional access security and user management.
All unused ports on all network equipment should be disabled until needed and configured. Disabling unused
ports will prevent unauthorized users from making a physical connection to the device. Only one access port
should be used to allow for local access for network administration or a network technician to access the
network for testing purposes. Lastly, the network administrator should enable MAC address filtering on all
field network equipment to prevent unauthorized devices (i.e. a wireless access point) from accessing the
switch or router and being connected to the network.
The final element relating to network security is the utilization of strong passwords. Using passwords which
are a minimum of eight (8) hexadecimal characters in length, contain a special character and are not one of
the last twenty-four (24) passwords used will ensure that passwords are more complex, making it more
difficult for unauthorized personnel to guess them or to use tools for guessing user passwords.
6.2 Collier County
In addition to following the items indicated in the FDOT District One section, it is also suggested to implement
additional security features due to an external network VPN which is currently connected to the Collier County
traffic network. A recommendation would be to employ per-user or user-group based access policies for VPN
access to only the specific systems and devices required for job functionality. Finally, monthly verifications
should be implemented to ensure all users are applying strong passwords for all VPN user accounts.
6.3 City of Naples
It is also recommended to use both encryption and authentication on all deployments for additional network
security. Another suggested network security item is to deploy the use of Discretionary Access Control
(DAC). DAC allows the network administrators to manipulate access control settings so that all end users
only have access to resources pertaining to their function and/or responsibilities.
6.4 Recommendations
Based upon our findings in each respective network it is suggested that the agencies use the following
network security strategies for user access and authentication:
Table 6-1: Recommended Strategies for User Access and Authentication

Strategy Identifier | Recommended | Benefits
6.1 | All network devices should be installed in a restricted access area using an electronic cabinet access control system with programmable smart keys accessible only by authorized personnel. | All equipment is installed in a restricted and limited access facility, which will allow the County to track who is accessing their facilities.
6.1 | Change the default username and password for all ITS devices. | This will prevent any user from retrieving the default credentials from the internet and using these identified credentials to access the ITS network.
6.1 | Provide each administrative user with their own administration account. | Each approved user will be assigned a unique administrator account based upon access privileges, which will allow for user accountability.
6.1 | Use strong passwords which are a minimum of eight (8) hexadecimal characters in length with a special character and not one of the last twenty-four (24) passwords used. | This will ensure that passwords are more complex, making it more difficult for unauthorized personnel to guess them or to use password-guessing tools.
6.1 | Administration accounts shall employ strong password standards and preferably rely on RADIUS, or similar technology, for authentication and authorization, except for one local administrative account for use if RADIUS becomes unavailable. | All equipment access will be authenticated via a RADIUS appliance, allowing central control of user access.
6.1 | Disable all unused network interfaces on Layer 2 and Layer 3 equipment, except for designated “technician access” ports. | All unused ports will be placed in an administratively down state, which keeps unauthorized users from accessing the network equipment.
6.1 | Institute port-based network access control (IEEE 802.1X), MAC address and/or MAC filtering, and security on Layer 2 and Layer 3 equipment to prevent unauthorized access. | Configure MAC filtering on all switches and routers for enhanced security. This also prevents rogue devices from being connected and receiving network access.
6.2 | Employ per-user or user-group based access policies for VPN access to only the systems and devices required. | Implementation of group policy to limit unauthorized access.
6.3 | Use of Discretionary Access Control (DAC) allows administrators to manipulate access settings of objects under their control. | Implement DAC to ensure all end users only have access to resources pertaining to their function and/or responsibilities.
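The strategies in Table 6-1 can be checked mechanically. The following is an added example, not code from the report or either agency: it audits a constructed Cisco IOS-style running-config for RADIUS with a single local fallback account, unique non-default administrator accounts, unused interfaces left administratively up, and access ports lacking 802.1X or port-security, and includes a checker for the report's password rule (the default account-name list and the IOS syntax are assumptions).

```python
"""Audit a switch config against the Table 6-1 access strategies (added example,
not code from the report or either agency; the sample config is constructed and
assumes Cisco IOS-style syntax)."""
import re

# Constructed sample running-config; it deliberately carries three deviations.
SAMPLE_CONFIG = """\
hostname MHUB5-EDGE-01
aaa new-model
aaa authentication login default group radius local
radius server ITS-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
username admin privilege 15 secret 5 $1$placeholder
username jdoe privilege 15 secret 5 $1$placeholder
username asmith privilege 15 secret 5 $1$placeholder
!
interface GigabitEthernet1/1
 description Signal Controller
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/2
 description CCTV Camera
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet1/9
 description Technician Access Port
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/10
 description Future Use
 switchport mode access
!
"""

# Assumed list of vendor-default or shared account names (not from the report).
DEFAULT_ACCOUNT_NAMES = {"admin", "cisco", "root"}


def parse_interfaces(config):
    """Return {interface name: [its indented config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # any non-indented line closes the interface block
    return interfaces


def audit_config(config):
    """Return the deviations from the Table 6-1 strategies (empty list = compliant)."""
    findings = []
    lines = config.splitlines()
    # RADIUS (or similar) for authentication/authorization, with a local fallback.
    aaa = [ln for ln in lines if ln.startswith("aaa authentication login")]
    if not any("group radius" in ln for ln in aaa):
        findings.append("no RADIUS authentication configured")
    if not any(ln.rstrip().endswith(" local") for ln in aaa):
        findings.append("no local fallback method for a RADIUS outage")

    # Each administrator gets a unique account; vendor-default names must be gone.
    for user in (ln.split()[1] for ln in lines if ln.startswith("username ")):
        if user.lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append(f"default or shared account name present: {user}")
    # Only one local administrative account is kept for when RADIUS is unavailable.
    local_admins = [ln for ln in lines if ln.startswith("username ") and "privilege 15" in ln]
    if len(local_admins) > 1:
        findings.append(f"{len(local_admins)} local privilege-15 accounts; one fallback account expected")

    for name, body in parse_interfaces(config).items():
        desc = next((b[len("description "):] for b in body if b.startswith("description ")), "")
        unused = desc == "" or "future use" in desc.lower()
        shut = "shutdown" in body
        if unused and not shut:
            # Unused interfaces stay administratively down; the described technician
            # access port is the designated exception and is not treated as unused.
            findings.append(f"{name}: unused port is not administratively down")
        elif not shut and "switchport mode access" in body:
            # Port-based access control: 802.1X or port-security on live access ports.
            has_pac = "switchport port-security" in body or any(
                b.startswith("dot1x port-control") for b in body)
            if not has_pac:
                findings.append(f"{name}: no 802.1X or port-security on access port")
    return findings


def password_meets_policy(password, history):
    """Table 6-1 rule: at least eight characters, a special character, and not one
    of the last twenty-four passwords used (history is most-recent-first)."""
    if len(password) < 8 or not re.search(r"[^A-Za-z0-9]", password):
        return False
    return password not in history[:24]
```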
7. Network Implementation Budgetary Estimate
Task Four of the Scope of Services for this TWO includes providing a budgetary estimate consisting of the
total sum to purchase, install, configure and integrate the proposed equipment. The budgetary estimate in
Table 7-1 includes this work as percentages of the total cost of equipment. This budgetary estimate is based
on information provided to Metric Engineering personnel by the stakeholders. Should any of the agencies
want this work to be performed, it is suggested that a more detailed review be performed prior to assigning
the work to a contractor or consultant, although with the contingency amount included, it is felt that this is a
good budgetary estimate (see Table 7-1: Engineers Cost Estimate). To support the FHWA Open Bid Policy,
all recommendations were developed from a vendor-agnostic perspective; brand names were identified only
to obtain an MSRP for budgetary purposes.
Metric Engineering met with both Collier County and City of Naples personnel to identify their current and
future network designs and requirements. After careful discussions with the stakeholders, Cisco Systems
and ITS Express or similar equipment were proposed by the stakeholders as upgrade equipment. For
budgetary purposes, Cisco was used because it is the preferred router vendor of Collier County, and ITS
Express because it is the preferred Layer 2 switch vendor for the City of Naples. To develop a budgetary
estimate for furnishing, installing and configuring the recommended network equipment based on this
document, these vendors are used for the legacy equipment replacement for both stakeholders. The benefit
of deploying the existing vendors’ equipment is familiarity with the CLI and the ability of each stakeholder to
assist the other if additional assistance is needed. One of the requirements that the City of Naples requested
is that the proposed Layer 2 switch be equipped with an internal optical by-pass feature. The optical by-pass
failsafe feature will allow the optical signal to be transmitted even if the in-line network switch were to lose
power. The ITS Express 8012-24+ will soon be replaced with the ITS Express 8012-24+ V3 switch. Both
models will be equipped with the optical by-pass feature and the cost will be the same whichever model is
purchased. The ITS Express 8012-24+ will be recommended for all edge switching locations at all cabinet
locations within Collier County and the City of Naples.
Table 7-1: Engineers Cost Estimate
Appendix A - Regional Partner Network Topologies
Appendix B - Regional Partner IP Address Schema
The Regional IP Address Schema will be submitted separately due to the sensitive information and network
security concern.
Appendix C - Summary of Recommendations
The matrix below maps each area of improvement discovered to the ITS recommended strategy. Note that there may be more than one strategy defined for a single item, and a single strategy may also apply across multiple scope
items discovered.
Table C-1: Summary of Recommendations

Section ID | Discovered Concerns | Recommendation Identifier | Recommendations | Benefit | Agency
3.1.1.4 | No firewall was proposed for Regional Partner external connections. Cyber threats can be transmitted either from or to the project stakeholders. | 3.2.1.4 | Suggest purchasing a new firewall appliance and installing this device in-line with the proposed stakeholder connection at the Alligator Alley Toll Plaza MHUB. | Protect the Department from unwanted stakeholder cyber threats and provide a routed demarcation point. | FDOT District One
3.1.2.1 | The Layer 2 field rings are comprised of multiple switch vendors such as Cisco 2955 and RuggedCom RS900G switches. In some cases, various vendors implement Layer 2 protocols differently, which causes compatibility issues between the switches and can cause network disruptions. | 3.2.2.1 | Recommend replacing the RuggedCom RS900G with updated port capacity, for the optical bypass feature. Also suggest replacing the Layer 2 Cisco 2955s; the last date of all support services for the C2955 was July 31, 2018. | Allows the Layer 2 switch to pass optical traffic if the switch were to lose power or fail. Additionally, because the switches are end of life, if either unit experienced a hardware failure the County would not receive support or a replacement switch. | Collier County
3.1.2.1 | Numerous core networking devices are performing unnecessary switching and routing. The core network in the TMC has two (2) Cisco ME3400E switches, one (1) Cisco C3560 switch, one (1) Cisco C2950 switch, one (1) HP 2530-24G switch, one (1) RuggedCom RS900G switch and one (1) Cisco ASA 5506 firewall. Due to the amount of TMC equipment that can switch or route, additional network latency can be introduced, including communication failure due to equipment malfunction. | 3.2.2.1 | Proposed routers are fully Layer 3 capable, allowing routing for the field networks to move from the TMC out to the MHUB locations. | If a network misconfiguration in the field creates a broadcast storm, the core router’s performance will be negatively impacted; moving all routing to the MHUB locations mitigates the current single point of failure at the TMC for all routing. | Collier County
3.1.2.1 | Each MHUB was found to be a non-redundant Layer 2 connection from the TMC core network, with all routing taking place at the TMC. If an MHUB were to fail, it would potentially hinder ITS communications to all downstream MHUBs, causing an unwanted network outage. | 3.2.2.1 | Add redundant MHUB point-to-point links. | Will increase system resiliency to fiber cuts and equipment failures at the MHUB locations. | Collier County
3.1.2.1 | MHUB3 was found to have two (2) Cisco ME3400E switches which supply local HUB switch rings and two (2) non-redundant connections to additional hubs: one link to MHUB4 and one link to MHUB5. By having two (2) switches and non-redundant connections at the core routers, this equipment configuration can cause a single point of failure and potential network failure, because all routing occurs at the TMC location. | 3.2.2.1 | Consolidation of fiber connections. | By consolidating the connections, future expansion could use existing equipment if needed. | Collier County
3.1.2.1 | The ITS network is comprised of Cisco ME3400E switches at the core and MHUB levels which are EOL. Because the switches are end of life, if either experienced a hardware failure, the County will not receive support or a replacement switch. | 3.2.2.1 | Suggest replacing the Cisco ME3400Es. Last day of software maintenance releases will be October 3, 2019. End of Sale for ME3400s was October 3, 2018. | Because the switches are end of life, if either experienced a hardware failure the County would not receive support or a replacement switch. | Collier County
3.1.2.1 | No network redundancy was identified between MHUB5 and the TMC. If a fiber optic cable cut were to occur, no redundant optical path is available to reroute within the network. | 3.2.2.1 | Utilize fiber along CR951 from MHUB5 to the ESC to provide a redundant routed path from MHUB5 to the TMC by way of the ESC. | A redundant optical connection would allow the primary connection to be lost with no impact seen by the end users. | Collier County
3.1.2.1 | No current method of video routing was identified in the County core configurations. Collier County would not be able to send or receive any partner video streams. | 3.2.2.1 | Deploy the County-owned Cisco 6509-E to enable MSDP capabilities, as the existing Cisco ME3400Es do not support MSDP. | Collier County would be able to send or receive any partner video streams. | Collier County
3.1.2.4 | No current user authorization or authentication is deployed. No centralized method to provide user credentials and access to the device. | 3.2.2.4 | Install a RADIUS server for user authentication. | Ability to manage all ITS/TOR/Active Directory from a single location and interface. | Collier County
3.1.2.4 | A router was found attached to the TMC core which supplies a secure tunnel for the Apollo Street Light System. The Apollo router is managed and accessed by the vendor. An external internet connection is managed by a third party and Collier County does not have access to the Apollo router, causing a network security concern. | 3.2.2.4 | Obtain network management and control of this router. Reconfigure with proper network security protocols. | Will allow Collier County to mitigate external internet threats which could be introduced by the third-party vendor. | Collier County
3.1.2.4 | Collier County utilizes default user accounts for a number of ITS devices. Using default equipment usernames and passwords is a network security concern because an unauthorized user can gain access by a simple internet search. | 3.2.2.4 | Eliminate default user credentials and assign each user a unique username and password. | This will prevent any user from retrieving the default credentials from the internet and using these identified credentials to access the ITS network. | Collier County
3.1.3.1 | The ITS network is comprised of two (2) core Layer 3 Cisco ME3400G switches located at the City of Naples’ TMC. By having two (2) switches and non-redundant connections at the core routers, this equipment configuration can cause a single point of failure and potential network failure, because all routing occurs at the TMC location. | 3.2.3.1 | Utilize two (2) new Cisco C3850s in a stack, managed as one (1) logical switch while providing physical redundancy for the field ITS rings. | Provides network resiliency in the form of redundant routing engines and network expansion flexibility with minimal impact to the configuration. | City of Naples
3.1.3.1 | Most of the ITS field rings terminate both sides of the ring on one of the ME3400Gs. Since each ITS ring terminates on a single ME3400G, if that router were to fail, Ethernet communications would be halted. | 3.2.3.1 | Ensure all field rings are diverse across the Cisco C3850 switches. | This will ensure that if one of the stacked chassis switches fails, it will fail over to a single router and no physical intervention is required. | City of Naples
3.1.3.1 | Network Equipment Concern – Current Cisco ME3400Gs are EOL. Because the switches are end of life, if either experienced a hardware failure, the City of Naples will not receive support or a replacement switch. | 3.2.3.1 | Upgrade the EOL Cisco ME3400G switches to an updated model with upgraded features. | Because the switches are end of life, if either device experienced a hardware failure, the City of Naples would not receive support or a replacement switch. | City of Naples
3.1.3.1 | Network devices do not have a redundant power source at all locations. Loss of power will result in a loss of ITS network device communication. | 3.2.2.2 | Install Uninterruptible Power Supplies at all MHUB locations and the TMC. | Will keep equipment operational during a power outage and provide clean power when the cabinet is connected to an external generator. | Collier County
3.1.3.4 | No network demarcation point was established for the routed connection from Collier County. A network demarcation point would allow the City of Naples to mitigate or disconnect from Collier County if a broadcast storm were detected. | 3.2.3.4 | Purchase and install a firewall to use as a demarcation point for the routed connection from Collier County. | To protect the City of Naples from unwanted stakeholder cyber threats and to provide a routed demarcation point. | City of Naples
3.1.3.4 | No network demarcation point was established for the routed connection from the City of Naples Police Department. A network demarcation point would allow the City of Naples to mitigate or disconnect from the police department if a broadcast storm were detected. | 3.2.3.4 | Purchase and install a firewall to use as a demarcation point for the routed connection from the City of Naples Police Department. | To protect the City of Naples from unwanted stakeholder cyber threats and to provide a routed demarcation point. | City of Naples
3.1.3.4 | City of Naples utilizes default user accounts for a number of ITS devices. Using default equipment usernames and passwords is a network security concern because an unauthorized user can gain access by a simple internet search. | 3.2.3.4 | Eliminate default user credentials and assign each user a unique username and password. | This will prevent any user from retrieving the default credentials from the internet and using these identified credentials to access the ITS network. | City of Naples
3.1.3.4 | No current user authorization or authentication is deployed. No centralized method to provide user credentials and access to the device. | 3.2.3.4 | Install a RADIUS server for user authentication. | Ability to manage all ITS/TOR/Active Directory from a single location and interface. | City of Naples
STATE OF FLORIDA DEPARTMENT OF TRANSPORTATION
LOCAL AGENCY PROGRAM AGREEMENT
EXHIBIT “A”
PROJECT DESCRIPTION AND RESPONSIBILITIES
525-010-40
PROGRAM MANAGEMENT
OGC - 12/18
Page 1 of 3
FPN: 435013-1-98-01
This exhibit forms an integral part of the Local Agency Program Agreement between the State of Florida, Department of
Transportation and Collier County (the Recipient).
PROJECT LOCATION:
The project is on the National Highway System.
The project is on the State Highway System.
PROJECT LENGTH AND MILE POST LIMITS: 0.001
PROJECT DESCRIPTION: The purpose of the project is to procure, install and configure network equipment, using
Network Engineering Services, to update the network and standardize communication between each of these agencies’
network environments: the Florida Department of Transportation (FDOT), the City of Naples and Collier County, as per the
“FDOT Recommendations Report, Regional ITS Network Review, FDOT District One / Collier County / City Of Naples,
June 14, 2019 | Version 3.0”, henceforth referred to as “The Report”.
By creating a standardized network, the local agencies and the FDOT will be able to relocate Automated Traffic
Management Systems (ATMS) control and video feeds to the Emergency Services Center (ESC) in emergency situations.
For the comprehensive list of requirements, please refer to “The Report”. The first phase of the ITS
Integrate/Standardize Network Communication project consisted of the following:
• Procure Network Professional Services to develop and implement an updated Network Architecture for our Regional Wide
Area Network (WAN) to include the following agencies:
  o Collier County Traffic Operations
  o City of Naples Traffic Operations
  o FDOT District 1 Regional TMC
This phase was paid for and completed by FDOT with the creation of a Recommendations Report, “Regional ITS Network
Review FDOT District One / Collier County / City of Naples, June 14, 2019 | Version 3.0”, by Metric Engineering (see
Addendum I).
“The Report” has identified these guidelines as a requirement for the fulfillment of this LAP Project:
• Retain Network Professional Services to procure, configure, install, implement, integrate and standardize all ITS
managed Ethernet switches and Network Hubs within the local region:
  o Procure 300 Layer 2 Network Switches providing the functionalities required as per “The Report”.
  o Procure, configure and install Network Hub cabinets, Layer 3 Network Switches, UPS units like those attached to
Signalized Intersection Cabinets, required infrastructure and accessories as per the Professional Services
recommendations.
  4 Central Locations identified:
    Collier County TMC
    Collier County EOC
    City of Naples TMC
    FDOT District 1 TMC
• Using Networking Professional Services, configure and migrate the network environment from the 10.129.32-49.x to the
10.131.x.x IP segments, using the Report as a guideline.
• Configure and implement the migration from Unicast to Multicast network topology and procure necessary equipment
required to do so.
• Procure, configure, install and implement required equipment needed for the implementation and integration of Security
Devices to protect the local agencies and the FDOT from intrusion and disruption of services, through the Network
Professional Services Contract.
• Procure, configure, install and implement required equipment needed for a RADIUS type User Authentication and Access
Server.
• Procure, configure, install and implement Web servers and a Web Application Portal needed for the management and
sharing of video streaming between agencies.
• Procure, configure, install and implement a Backup System and create an area-wide Traffic Management Center (TMC)
backup network for all local agencies and the FDOT at the Collier County ESC, which will require professional services by
a Network/Systems Architect and Engineer.
• Expand the current Collier County TMC operations at the ESC through the purchase and installation of workstations and
an expanded Video Wall System for monitoring regional traffic.
• Replace all network devices, proposed in the “Report”, which have reached End-Of-Life as per written manufacturer
recommendations, with equivalent devices.
• Procure, install, configure and implement Fiber Optics connections and all required infrastructure between the following
(these additional connections using diverse paths would provide more network redundancy to all sites including the disaster
recovery site, ensuring all pertinent data are accessible in the event of a fiber cut, network outage or infrastructure
damage due to extreme weather):
  o TMC Data Center to MHUB5 = approximately 8.5 miles (13.6794 km)
  o MHUB5 to the Collier County ESC = approximately 6.5 miles (10.4607 km)
  o Collier County ESC to MHUB2 = approximately 5.8 miles (9.3342 km)
  o MHUB2 to MHUB4 = approximately 11.1 miles (17.86372 km)
  o MHUB6 Immokalee at Collier to MHUB5
  o MHUB6 to MHUB4
• Implement the standard port configuration recommended in the Report at all Network Switches as follows:
  o Ethernet Port One – Signal Controller
  o Ethernet Port Two – CCTV Camera
  o Ethernet Port Three – MMU
  o Ethernet Port Four – UPS
  o Ethernet Port Five – PDU
  o Ethernet Port Six – Traffic Signal Video Detection
  o Ethernet Port Seven – Port Server (MVDS)
  o Ethernet Port Eight – Bluetooth Travel Time Reader
  o Ethernet Port Nine – Technician Access Port
  o Ethernet Port Ten – Future Use
  o Optical Port One – North or West Direction
  o Optical Port Two – South or East Direction
  o Optical Port Three – Future Use
  o Optical Port Four – Future Use
The specific requirements are detailed in the attached “Report”.
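To verify that a deployed switch matches the standard port configuration listed above, the following added example (not the project's own code) compares a constructed listing in the layout of Cisco IOS "show interfaces description" against the Exhibit A port map and flags mis-described ports and Future Use ports that are not administratively down; the interface names Gi1/1 through Gi1/14 are an assumption for this example.

```python
"""Check an edge switch's port assignments against the Exhibit A standard port
map (added example, not the project's code; the sample output is constructed
in the layout of Cisco IOS "show interfaces description", and the mapping of
logical ports to interface names is an assumption for this example)."""
import re

# Standard port configuration from Exhibit A, keyed by logical port number.
STANDARD_ETHERNET = {
    1: "Signal Controller", 2: "CCTV Camera", 3: "MMU", 4: "UPS", 5: "PDU",
    6: "Traffic Signal Video Detection", 7: "Port Server (MVDS)",
    8: "Bluetooth Travel Time Reader", 9: "Technician Access Port", 10: "Future Use",
}
STANDARD_OPTICAL = {
    1: "North or West Direction", 2: "South or East Direction",
    3: "Future Use", 4: "Future Use",
}
# Assumed interface naming: Ethernet ports Gi1/1-10, optical ports Gi1/11-14.
ETHERNET_IFACE = {n: f"Gi1/{n}" for n in STANDARD_ETHERNET}
OPTICAL_IFACE = {n: f"Gi1/{10 + n}" for n in STANDARD_OPTICAL}

# Constructed sample with a mis-patched device and two live "Future Use" ports.
SAMPLE_OUTPUT = """\
Interface   Status         Protocol Description
Gi1/1       up             up       Signal Controller
Gi1/2       up             up       CCTV Camera
Gi1/3       up             up       CCTV Camera
Gi1/4       up             up       UPS
Gi1/5       down           down     PDU
Gi1/6       up             up       Traffic Signal Video Detection
Gi1/7       down           down     Port Server (MVDS)
Gi1/8       up             up       Bluetooth Travel Time Reader
Gi1/9       down           down     Technician Access Port
Gi1/10      up             up       Future Use
Gi1/11      up             up       North or West Direction
Gi1/12      up             up       South or East Direction
Gi1/13      admin down     down     Future Use
Gi1/14      down           down
"""

ROW = re.compile(r"^(\S+)\s+(admin down|up|down)\s+(up|down)\s*(.*)$")


def parse_interface_table(text):
    """Map interface name -> {'status', 'description'}; the header line is skipped."""
    rows = {}
    for line in text.splitlines()[1:]:
        m = ROW.match(line)
        if m:
            rows[m.group(1)] = {"status": m.group(2), "description": m.group(4).strip()}
    return rows


def expected_assignments():
    """(interface, standard description) pairs for all 14 standard ports."""
    return ([(ETHERNET_IFACE[n], d) for n, d in STANDARD_ETHERNET.items()] +
            [(OPTICAL_IFACE[n], d) for n, d in STANDARD_OPTICAL.items()])


def check_port_standard(text):
    """Return deviations from the standard port map (empty list = compliant)."""
    rows = parse_interface_table(text)
    findings = []
    for iface, want in expected_assignments():
        row = rows.get(iface)
        if row is None:
            findings.append(f"{iface}: not present in output (standard: '{want}')")
            continue
        if row["description"] != want:
            findings.append(f"{iface}: description '{row['description']}' differs from standard '{want}'")
        # Spare ports stay administratively down, per the report's unused-interface strategy.
        if want == "Future Use" and row["status"] != "admin down":
            findings.append(f"{iface}: Future Use port is '{row['status']}', expected 'admin down'")
    return findings
```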
SPECIAL CONSIDERATIONS BY RECIPIENT:
The Recipient will provide final testing documentation to FDOT of the network devices after the switches/routers are
upgraded. A test plan with signatures will also have to be completed.
The Recipient is required to provide a copy of the design plans for the Department’s review and approval to coordinate
permitting with the Department, and notify the Department prior to commencement of any right-of-way activities.
The Recipient shall commence the project’s activities subsequent to the execution of this Agreement and shall perform in
accordance with the following schedule:
a) Advertisement for bids (or Request for Proposals) of ITS Standardize Network Communications on or before:
August 31, 2020.
b) Bid review and award of contract on or before: March 31, 2021
c) Receipt of all purchases and final project invoice on or before: December 31, 2021
d) Project Close-out completed on or before December 31, 2022.
If this schedule cannot be met, the Recipient will notify the Department in writing with a revised schedule or the project is
subject to the withdrawal of funding.
SPECIAL CONSIDERATIONS BY DEPARTMENT: For all projects the following will apply:
1) Section 287.055, F.S., “Consultants Competitive Negotiation Act,” when acquiring a consultant utilizing federal funds
2) FDOT "Project Development and Environmental Manual"
3) The Local Agency Program Manual
The Agency will complete and provide the Department with a Final Inspection and Acceptance form at the completion of
the project in accordance with the Local Agency Program Manual for Federal Aid Projects (Department Procedure:
525-010-42). This form must be completed and accepted by the Department prior to payment of the project Final Invoice.
The Agency will inform the Department in writing of the commencement and completion of the project. Upon completion,
the Department will have forty-five (45) days after receipt of the Agency's final invoice to review, inspect and approve the
equipment for payment. All other invoices for project phases and all other progress payments shall be processed in
accordance with the Department’s procedures and guidelines for invoice processing. The Agency will provide progress
billing invoices to the Department on a minimum of a quarterly basis.
The Agency will be responsible for acquiring all required and applicable permits for the project for review and approval
prior to construction.
SPECIAL CONSIDERATIONS BY DEPARTMENT:
The Department shall reimburse the Agency, subject to funds availability, in the year programmed, which is currently in
Fiscal Year 2019/2020 for the purchase of equipment.
Overview of Proposed Solution
Background:
A Regional ITS Network Review was performed by Metric Consulting. Their review included a list of the
current network device inventory, a network topology map, network design recommendations, an IP
addressing scheme, recommendations for improving the current network security environment and
a budgetary price for replacement hardware. As the overview in their document states, the
recommendations for new hardware and tools are to provide an improvement over the current
operational state along with delivering a reliable, scalable and redundant regional ITS Network. Their
assessment also included the City of Naples network environment and design. Their recommendation
is that both the County and the City standardize on the same hardware, network design and security
policies so that there is network continuity for data and video sharing capabilities between
environments.
The document will provide the following information:
• Our network inventory of devices and comparison to the Metric inventory list (outline of
anything they missed in gathering their inventory)
• Detailed information of the current devices
• Review of the current network design including device per location
• Recommended Network Layer 2/Layer 3/VLAN segmentation design and benefits
• Proposed product list including their specifications, benefits and comparison to the proposed
Metric list of equipment
• Synopsis of overall benefits and scalability of the proposed solution
Current Network Inventory
Serial Number | Product Id | Description | End of Sale | End of Support | Location
FOC1311V3D1 | IE-3000-4TC | Cisco IE 3000-4TC Industrial Ethernet Switch | 6/30/2020 | 6/30/2025 | ESCNETWRKRM309
FOC1138U2QV | ME-3400G-12CS-A | Cisco ME 3400G-12CS-A Switch | 1/9/2014 | 1/31/2019 | HUB
FOC1138U26C | ME-3400G-12CS-A | Cisco ME 3400G-12CS-A Switch | 1/9/2014 | 1/31/2019 | HUB
FOC1138U2S6 | ME-3400G-12CS-A | Cisco ME 3400G-12CS-A Switch | 1/9/2014 | 1/31/2019 | HUB
FOC1125U48L | ME-3400G-12CS-A | Cisco ME 3400G-12CS-A Switch | 1/9/2014 | 1/31/2019 | HUB
FOC1138U2RQ | ME-3400G-12CS-A | Cisco ME 3400G-12CS-A Switch | 1/9/2014 | 1/31/2019 | HUB
SMG1303ND8N | VS-C6509E-S720-10G | Cisco Catalyst 6500 Series Supervisor Engine 720 / MSFC3 | 7/31/2015 | 7/31/2020 | Core
FOC1208W3AU | WS-C2955S-12 | ^2955 12 TX w/Single Mode Uplinks | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0933H030 | WS-C2955S-12 | ^2955 12 TX w/Single Mode Uplinks | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208Z3B7 | WS-C2955S-12 | ^2955 12 TX w/Single Mode Uplinks | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1207Z0KY | WS-C2955S-12 | ^2955 12 TX w/Single Mode Uplinks | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208Z35M | WS-C2955S-12 | ^2955 12 TX w/Single Mode Uplinks | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1018Z1TU | WS-C2955S-12 | ^2955 12 TX w/Single Mode Uplinks | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1112W2H1 | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1207Z0LG | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0931H069 | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0933H02L | WS-C2955S-12 | ^2955 12 TX w/Single Mode Uplinks | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1003Z612 | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1018Z1MN | WS-C2955S-12 | ^2955 12 TX w/Single Mode Uplinks | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0933H02W | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1207Z0ML | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1207Z0L9 | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1202X29U | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208X1SL | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208W39M | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208Z3BG | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0933H02T | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0931H05C | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208W3AL | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC0950Y2ZZ | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1207Z0LZ | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208W3BC | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1207Z0L1 | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208W3B7 | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1207Z0KK | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208Z389 | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208W3AP | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208W3AB | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0933H031 | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0933H02N | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0931H05U | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0933H02J | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FHK0933H033 | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208Z34N | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208Z35T | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208Z3E4 | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208Z3EY | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
FOC1208Z33E | WS-C2955S-12 | Cisco Catalyst 2955S 12 Switch | 8/1/2013 | 7/31/2018 | Cabinet switch
CAT1010R1BR | WS-C3750-24PS-E | Cisco Catalyst 3750-24PS Switch | 7/5/2010 | 7/31/2015 | ESC 4TH FLOOR3750
EXHIBIT "Q" 16.A.12.c
Packet Pg. 352 Attachment: 435013-1 Collier Traffic Overview of Proposed Solution (11173 : 435013-1 ITS Integrate Standardize Network Communications)
Detailed information of the current devices
As stated in the Metric Review, there were concerns regarding the current network devices, such as their
age, the mix of hardware manufacturers with its risk of incompatibility and difficulty to manage, and the
recommended network Layer 2/3 and security design improvements for scalability.
The current hardware has not only reached end of sale but also end of support.
End of sale and end of support definitions
As a general rule, Cisco will provide 6 months' notice of the affected product's end-of-sale date and/or
the last day when the affected product can be ordered.
End of support policy: Access to Cisco's Technical Assistance Center (TAC) will be available 24 hours a
day, seven days a week for a period of 5 years from the end-of-sale date for hardware and operating
system software issues and for a period of 3 years from the end-of-sale date for application software
issues.
Spares or replacement parts for hardware will be available for a period of 5 years from the end-of-sale
date. We will provide spares and replacement parts in accordance with our Return Materials
Authorization (RMA) process.
Product Lifecycles
Products reach the end of their Product Lifecycle for a number of reasons such as:
• Market Demands
• Technology Innovation
• New development driving enhancements in the product
• Products simply mature over time and are replaced by functionally richer technology
While this is an established part of the overall product lifecycle, Cisco recognizes that end-of-life
milestones often prompt companies to review the way in which such end-of-sale and end-of-life
milestones impact the Cisco products in their networks.
Cisco's average product lifecycle ranges from 5 to 7 years.
The proposed products are the latest Catalyst series switches. Beyond the much-needed refresh of aging
devices, they provide a single hardware manufacturer platform to manage, network devices that support
both Layer 2/3 VLAN segmentation and routing, and the scalability to onboard new technologies and
devices, and they give the County a basis for implementing a network refresh policy.
Standard business practices and justification for device refresh policy
Industry standard best practices for refresh cycles:
The industry standard for end-user networking equipment refresh ranges from three to five years, based
on industry standards and best practices. The average lifespan by tier ranges:
• Core/backbone routers: 3-5 years
• Distribution layer switches: 5-7 years
• Access layer switches: 7-10 years
Key points to consider on why to develop a refresh cycle:
• Collier County has well exceeded 7 years on the majority of its network devices. Standardizing on a
structured network refresh plan avoids having a single year that requires a large investment all at
once.
• An effective refresh policy that optimizes the IT hardware refresh cycle will guide IT and accounting
personnel through the analyses needed to balance the trade-offs between capital spending,
operating efficiency, and risk mitigation.
• Degree of standardization in the IT environment: the same type and level of hardware, operating
systems, and technology configurations can minimize compatibility-related support costs.
• Degree of predictability in replacement life cycles: predictability can minimize the level of effort
devoted to integration and planning.
• Increased costs for replacement parts and increased time required to fix equipment, especially
when it may be totally replaced not long after the repair; time to locate replacement parts or
“cannibalize” them from other equipment; and undefined replacement cycles that can result in
inconsistent and less predictable budget requirements, equipment dollars being reallocated, and
unexpected expenses when equipment fails and has to be replaced.
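The end-of-support and refresh-cycle rules above can be applied mechanically to the current-device inventory listed earlier in this attachment. The Python script below is an added example, not part of the County's proposal or Cisco's policy text: it assumes the two dates in each inventory row are the end-of-sale and end-of-support dates (consistent with the 5-year support rule, since each row's second date falls about 5 years after the first), uses the 03/24/2020 agenda date as the assessment date, and flags each row against the 5-year support window and the 7-10 year access-layer refresh range.

```python
"""Lifecycle-risk check over the current-device inventory (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Rules quoted in the proposal, plus the assessment date (the agenda date).
SUPPORT_YEARS_AFTER_EOS = 5      # TAC support and spares: 5 years from end-of-sale
ACCESS_REFRESH_YEARS = (7, 10)   # access-layer switch lifespan range
AS_OF = date(2020, 3, 24)

# Sample rows in the inventory's layout: two rows from this attachment plus a constructed control row.
SAMPLE_ROWS = [
    "FHK0933H02J WS-C2955S-12 Cisco Catalyst 2955S 12 Switch 8/1/2013 7/31/2018 Cabinet switch",
    "CAT1010R1BR WS-C3750-24PS-E Cisco Catalyst 3750-24PS Switch 7/5/2010 7/31/2015 ESC 4TH FLOOR3750",
    "CONSTRUCTED0001 C9300L-48P-4X-E Cisco Catalyst 9300L 48p Switch 1/1/2030 12/31/2034 Constructed control row",
]

@dataclass(frozen=True)
class Device:
    serial: str
    part: str
    description: str
    end_of_sale: date
    end_of_support: date
    location: str

@dataclass(frozen=True)
class Finding:
    serial: str
    part: str
    location: str
    min_age_years: float      # lower bound: a unit cannot be bought after end of sale
    past_end_of_sale: bool
    past_end_of_support: bool
    refresh: str              # "not due", "due" (7-10 years) or "overdue" (>10 years)

def _is_date(token: str) -> bool:
    parts = token.split("/")
    return len(parts) == 3 and all(p.isdigit() for p in parts)

def _parse_date(token: str) -> date:
    month, day, year = (int(p) for p in token.split("/"))
    return date(year, month, day)

def policy_end_of_support(end_of_sale: date) -> date:
    """Last day of TAC/spares coverage under the quoted policy: 5 years from end of sale."""
    year = end_of_sale.year + SUPPORT_YEARS_AFTER_EOS
    try:
        anniversary = date(year, end_of_sale.month, end_of_sale.day)
    except ValueError:            # 29 February landing in a non-leap year
        anniversary = date(year, 3, 1)
    return anniversary - timedelta(days=1)

def parse_row(row: str) -> Device:
    """Parse one whitespace-separated row: serial, part, description words,
    m/d/yyyy end-of-sale, optional m/d/yyyy end-of-support, location words.
    Date tokens anchor the split (description/location may contain digits);
    a row with only an end-of-sale date gets end of support from the policy."""
    tokens = row.split()
    date_idx = [i for i, t in enumerate(tokens) if _is_date(t)]
    if len(date_idx) not in (1, 2) or date_idx[0] < 3 or date_idx[-1] - date_idx[0] > 1:
        raise ValueError(f"expected serial, part, description, 1-2 adjacent dates: {row!r}")
    first, last = date_idx[0], date_idx[-1]
    end_of_sale = _parse_date(tokens[first])
    end_of_support = (_parse_date(tokens[last]) if last != first
                      else policy_end_of_support(end_of_sale))
    return Device(tokens[0], tokens[1], " ".join(tokens[2:first]),
                  end_of_sale, end_of_support, " ".join(tokens[last + 1:]))

def assess(device: Device, today: date) -> Finding:
    """Flag support and refresh status for one device as of `today`."""
    # The row has no purchase date, but the unit cannot have been bought after
    # its end-of-sale date, so years since end of sale is a lower bound on age.
    min_age = max(0.0, (today - device.end_of_sale).days / 365.25)
    if min_age >= ACCESS_REFRESH_YEARS[1]:
        refresh = "overdue"
    elif min_age >= ACCESS_REFRESH_YEARS[0]:
        refresh = "due"
    else:
        refresh = "not due"
    return Finding(device.serial, device.part, device.location, round(min_age, 1),
                   today > device.end_of_sale, today > device.end_of_support, refresh)

def assess_inventory(rows: list[str], today: date = AS_OF) -> list[Finding]:
    return [assess(parse_row(row), today) for row in rows]

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Headline counts: rows already out of support, and rows due for refresh."""
    return {
        "total": len(findings),
        "past_end_of_support": sum(f.past_end_of_support for f in findings),
        "refresh_due_or_overdue": sum(f.refresh != "not due" for f in findings),
    }

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_ROWS):
        print(f)
    print(summarize(assess_inventory(SAMPLE_ROWS)))
```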
Proposed Hardware List
Qty | Part Number | Smart Account Mandatory | Description | Service Duration (Months)
Group Name: Default
TMC FTD Security Edge
1 | FPR2130-FTD-HA-BUN | - | Cisco Firepower 2130 Threat Defense Chss,Subs HA Bundle | ---
2 | FPR2130-NGFW-K9 | - | Cisco Firepower 2130 NGFW Appliance, 1U, 1 x NetMod Bay | ---
2 | CON-SNT-FPR2130W | - | SNTC-8X5XNBD Cisco Firepower 2130 NGFW Appliance, 1U, | 36
2 | FPR2K-PWR-AC-400 | - | Firepower 2000 Series 400W AC Power Supply | ---
4 | CAB-AC | - | AC Power Cord (North America), C13, NEMA 5-15P, 2.1m | ---
2 | SF-F2K-TD6.3-K9 | - | Cisco Firepower Threat Defense software v6.3 for FPR2100 | ---
2 | FPR2K-SSD200 | - | Firepower 2000 Series SSD for FPR-2130/2140 | ---
2 | FPR2K-SLIDE-RAILS | - | Firepower 2000 Slide Rail Kit | ---
2 | FPR2K-NM-BLANK | - | Firepower 2000 Series Network Module Blank Slot Cover | ---
2 | FPR2K-FAN | - | Firepower 2000 Series Fan Tray | ---
2 | FPR2K-PWR-AC-400 | - | Firepower 2000 Series 400W AC Power Supply | ---
2 | FPR2K-SSD-BBLKD | - | Firepower 2000 Series SSD Slot Carrier | ---
2 | L-FPR2130T-TMC= | Yes | Cisco FPR2130 Threat Defense Threat, Malware and URL License | ---
2 | L-FPR2130T-TMC-3Y | - | Cisco FPR2130 Threat Defense Threat, Malware and URL 3Y Subs | 36
Remote Access VPN
25 | L-AC-PLS-LIC= | - | Cisco AnyConnect Plus Term License, Total Authorized Users | ---
25 | L-AC-PLS-3Y-S1 | - | Cisco AnyConnect Plus License, 3YR, 25-99 Users | 36
1 | SF-FMC-KVM-2-K9 | Yes | Cisco Firepower Management Center, (KVM) for 2 devices | ---
1 | CON-ECMUS-SFFMCKV2 | - | SOLN SUPP SWSS Cisco Firepower Management Center, (KVM) | 36
Traffic Operations HQ StackWise Virtual Core
2 | C9500-24Y4C-A | - | Catalyst 9500 24x1/10/25G and 4-port 40/100G, Advantage | ---
2 | CON-SNT-C95024YA | - | SNTC-8X5XNBD Catalyst 9500 24-port 25/100G only, Adva | 36
2 | C9500-NW-A | Yes | C9500 Network Stack, Advantage | ---
2 | S9500UK9-169 | - | UNIVERSAL | ---
2 | C9K-PWR-650WAC-R | - | 650W AC Config 4 Power Supply front to back cooling | ---
2 | C9K-PWR-650WAC-R/2 | - | 650W AC Config 4 Power Supply front to back cooling | ---
4 | CAB-9K12A-NA | - | Power Cord, 125VAC 13A NEMA 5-15 Plug, North America | ---
2 | C9K-F1-SSD-BLANK | - | Cisco pluggable SSD storage | ---
2 | C9500-DNA-24Y4C-A | Yes | C9500 DNA Advantage, Term License | ---
2 | C9500-DNA-L-A-3Y | - | Cisco Catalyst 9500 DNA Advantage 3 Year License | 36
6 | PI-LFAS-T | Yes | Prime Infrastructure Lifecycle & Assurance Term - Smart Lic | ---
6 | PI-LFAS-AP-T-3Y | - | PI Dev Lic for Lifecycle & Assurance Term 3Y | 36
2 | NETWORK-PNP-LIC | Yes | Network Plug-n-Play Connect for zero-touch device deployment | ---
Traffic Switches off 9500's (replace 6500 line cards)
2 | C9300L-48P-4X-E | - | Catalyst 9300L 48p PoE, Network Essentials ,4x10G Uplink | ---
2 | CON-SNT-C93004X4P | - | SNTC-8X5XNBD Catalyst 9300L 48p P | 36
2 | PWR-C1-715WAC-P | - | 715W AC 80+ platinum Config 1 Power Supply | ---
2 | S9300LUK9-1612 | - | Cisco Catalyst 9300L XE 16.12 UNIVERSAL | ---
2 | PWR-C1-715WAC-P/2 | - | 715W AC 80+ platinum Config 1 Secondary Power Supply | ---
4 | CAB-TA-NA | - | North America AC Type A Power Cable | ---
6 | FAN-T2 | - | Cisco Type 2 Fan Module | ---
2 | C9300L-SSD-NONE | - | No SSD Card Selected | ---
4 | C9300L-STACK-BLANK | - | Catalyst 9300L Blank Stack Module | ---
2 | C9300L-NW-E-48 | Yes | C9300L Network Essentials, 48-port license | ---
2 | C9300L-DNA-E-48 | Yes | C9300L Cisco DNA Essentials, 48-port license | ---
2 | C9300L-DNA-E-48-3Y | - | C9300L Cisco DNA Essentials, 48-port, 3 Year Term license | 36
2 | NETWORK-PNP-LIC | Yes | Network Plug-n-Play Connect for zero-touch device deployment | ---
TMC FTD to TMC 9500 Core
4 | SFP-H10GB-CU2M= | - | 10GBASE-CU SFP+ Cable 2 Meter | ---
TMC 9500 Stackwise Dual Active Core
2 | SFP-H10GB-CU1M= | - | 10GBASE-CU SFP+ Cable 1 Meter | ---
TMC 9500 Stackwise VSL for 9500 Core
2 | QSFP-100G-CU1M= | - | 100GBASE-CR4 Passive Copper Cable, 1m | ---
10G Copper for Firewall 10G, HQ access switches to core
12 | SFP-H10GB-CU3M= | - | 10GBASE-CU SFP+ Cable 3 Meter | ---
Internet hand off to Core
8 | GLC-TE= | - | 1000BASE-T SFP transceiver module for Category 5 copper wire | ---
2 | R-ISE-VMS-K9= | - | Cisco ISE Virtual Machine Small | ---
2 | CON-ECMUS-RISEV9SM | - | SOLN SUPP SWSS Cisco ISE Virtual Machine Small | 36
1 | L-ISE-BSE-PLIC | - | Cisco ISE Base License | ---
300 | L-ISE-BSE-P2 | - | Cisco ISE Base License - Sessions 250 to 499 | ---
300 | L-ISE-PLS-LIC= | - | Cisco ISE Plus License | ---
300 | L-ISE-PLS-3Y-S2 | - | Cisco ISE Plus License, 3Y, 250 - 499 Sessions | 36
2 | L-ISE-TACACS-ND= | - | Cisco ISE Device Admin Node License | ---
Hub to Core and Hub to IE3K
6 | C9500-16X-A | - | Catalyst 9500 16-port 10Gig switch, Advantage | ---
6 | CON-SNT-C95K16XA | - | SNTC-8X5XNBD Catalyst 9500 16-por | 36
6 | C9500-NW-A | Yes | C9500 Network Stack, Advantage | ---
6 | S9500UK9-169 | - | UNIVERSAL | ---
6 | PWR-C4-950WAC-R | - | 950W AC Config 4 Power Supply front to back cooling | ---
6 | PWR-C4-950WAC-R/2 | - | 950W AC Config 4 Power Supply front to back cooling | ---
12 | CAB-TA-NA | - | North America AC Type A Power Cable | ---
6 | C9500-NM-BLANK | - | Catalyst 9500 network module blank cover | ---
6 | C9500-DNA-16X-A | Yes | C9500 DNA Advantage, Term licenses | ---
6 | C9500-DNA-L-A-3Y | - | Cisco Catalyst 9500 DNA Advantage 3 Year License | 36
18 | PI-LFAS-T | Yes | Prime Infrastructure Lifecycle & Assurance Term - Smart Lic | ---
18 | PI-LFAS-AP-T-3Y | - | PI Dev Lic for Lifecycle & Assurance Term 3Y | 36
6 | NETWORK-PNP-LIC | Yes | Network Plug-n-Play Connect for zero-touch device deployment | ---
Core 9500-24 to Hub 9500-16X and Hub to Hub 10G w/ Spare (qty 2), Cisco compatible pricing
30 | SFP-10G-ZR-S= | - | 10GBASE-ZR SFP Module, Enterprise-Class | ---
Traffic Light Switches (rugged)
250 | IE-3300-8T2S-E | - | Catalyst IE3300 with 8 GE Copper and 2 GE SFP, Modular, NE | ---
250 | PWR-IE50W-AC-IEC | - | AC Power Module w/ IEC Plug | ---
250 | IE3300-DNA-E | Yes | Cisco DNA Essentials license for IE3300 Series | ---
250 | IE3300-DNA-E-3Y | - | IE 3300 DNA Essentials, 3 Year Term license | 36
Traffic Light Switches (rugged) Additional Ports
250 | IEM-3300-8T= | - | Catalyst IE3300 with 8 GE Copper ports, Expansion Module | ---
Optics for traffic lights and inter traffic lights, IE3K to IE3K w/ Spares (10 spare), Cisco compatible pricing
435 | GLC-LX-SM-RGD= | - | 1000Mbps Single Mode Rugged SFP | ---
Hub to Traffic Lights IE3K to 9500-16X w/ Spare (qty 4), Cisco compatible pricing
20 | GLC-ZX-SM-RGD= | - | 1000BASE-ZX Single Mode Rugged SFP | ---
BOCC Switch
1 | C9300L-24T-4X-E | - | Catalyst 9300L 24p data, Network Essentials ,4x10G Uplink | ---
1 | CON-SNT-C92TXEL0 | - | SNTC-8X5XNBD Catalyst 9300L 24p data, Network Essenti | 36
1 | S9300LUK9-1612 | - | Cisco Catalyst 9300L XE 16.12 UNIVERSAL | ---
1 | PWR-C1-350WAC-P | - | 350W AC 80+ platinum Config 1 Power Supply | ---
1 | PWR-C1-350WAC-P/2 | - | 350W AC 80+ platinum Config 1 Secondary Power Supply | ---
2 | CAB-TA-NA | - | North America AC Type A Power Cable | ---
3 | FAN-T2 | - | Cisco Type 2 Fan Module | ---
1 | SSD-120G | - | Cisco pluggable USB3.0 SSD storage | ---
1 | C9300L-NW-E-24 | Yes | C9300L Network Essentials, 24-port license | ---
1 | C9300L-DNA-E-24 | Yes | C9300L Cisco DNA Essentials, 24-port license | ---
1 | C9300L-DNA-E-24-3Y | - | C9300L Cisco DNA Essentials, 24-port, 3 Year Term license | 36
1 | C9300L-STACK-KIT | - | Cisco Catalyst 9300L Stacking Kit | ---
2 | C9300L-STACK | - | Catalyst 9300L Stack Module | ---
1 | STACK-T3-50CM | - | 50CM Type 3 Stacking Cable for C9300L | ---
1 | NETWORK-PNP-LIC | Yes | Network Plug-n-Play Connect for zero-touch device deployment | ---
City of Naples
3 | C9200L-24T-4X-E | - | Catalyst 9200L 24-port data, 4 x 10G ,Network Essentials | ---
3 | CON-SSSNT-C920L24X | - | SOLN SUPP 8X5XNBD Catalyst 9200L 24-port data, 4 x 10G ,Ne | 36
3 | C9200L-NW-E-24 | Yes | C9200L Network Essentials, 24-port license | ---
3 | PWR-C5-125WAC/2 | - | 125W AC Config 5 Power Supply - Secondary Power Supply | ---
6 | CAB-TA-NA | - | North America AC Type A Power Cable | ---
3 | C9200L-DNA-E-24 | Yes | C9200L Cisco DNA Essentials, 24-port Term license | ---
3 | C9200L-DNA-E-24-3Y | - | C9200L Cisco DNA Essentials, 24-port, 3 Year Term license | 36
3 | C9200L-STACK-KIT | - | Cisco Catalyst 9200L Stack Module | ---
6 | C9200-STACK | - | Catalyst 9200 Stack Module | ---
3 | STACK-T4-50CM | - | 50CM Type 4 Stacking Cable | ---
3 | NETWORK-PNP-LIC | Yes | Network Plug-n-Play Connect for zero-touch device deployment | ---
Naples optics
20 | GLC-LX-SM-RGD= | - | 1000Mbps Single Mode Rugged SFP | ---
Proposed Core Switches
Currently the County has a single 6509 switch that was provided to it by the BOCC agency. It was purchased
in March 2009 and went end of sale in 2015. Cisco is proposing dual 9500 switches with 9300 switches; the
9300 switches will replace the current copper blades in the chassis solution. Dual 9500 and dual 9300
switches will eliminate the single point of failure that the County currently faces by having only one core
switch, along with the end-of-support risks.
Overview of the 9500 specifications:
C9500-24Y4C- is a Cisco Catalyst 9500 Series high performance 24-port 1/10/25G switch. The Cisco
Catalyst 9500 Series Switches are the next generation of enterprise-class core and aggregation layer
switches, supporting full programmability and serviceability. Based on an x86 CPU, the Catalyst 9500
Series is Cisco's lead purpose-built fixed core and aggregation enterprise switching platform, built for
security, IoT, and cloud. The Catalyst 9500 Series is the industry's first purpose-built 40 Gigabit Ethernet
line of switches targeted for the enterprise campus.
Device Type Switch – 24 ports – L3 – managed – stackable
Enclosure Type Rack-mountable 1U
Jumbo Frame Support 9198 bytes
Subtype 25 Gigabit Ethernet
Remote Management Protocol SNMP 1, RMON 1, RMON 2, SNMP 3, SNMP 2c, NETCONF, RESTCONF
Performance Switching capacity (full duplex): 1.6 Tbps ¦ Forwarding rate: 1 Bpps
Ports 24 x 25 Gigabit SFP28
Routing Protocol OSPF, RIP-1, RIP-2, BGP, EIGRP, IGMP, VRRP, MSDP, policy-based routing (PBR), RIPng
Status Indicators Status
MAC Address Table Size 64K entries
Encryption Algorithm 256-bit AES
Built-in Devices RFID tag
Flash Memory 16 GB
RAM 16 GB
Expansion / Connectivity
Interfaces 24 x 25Gbit LAN SFP28 ¦ 4 x 100Gbit LAN ¦ 2 x USB 3.0
Software / System Requirements
Software Included Cisco IOS XE 16.8.1
● Cisco Unified Access™ Data Plane (UADP) Application-Specific Integrated Circuit (ASIC) ready for next-
generation technologies with its programmable pipeline, microengine capabilities, and template-
based, configurable allocation of Layer 2 and Layer 3 forwarding, Access Control Lists (ACLs), and
Quality-of-Service (QoS) entries
● Intel® 2.4-GHz x86 CPU with up to 120 GB of USB 3.0 or up to 960 GB of SATA SSD storage for
container-based application hosting
● Up to 6.4-Tbps switching capacity with up to 2 Bpps of forwarding performance
● Up to 32 nonblocking 100 Gigabit Ethernet QSFP28 ports
● Up to 32 nonblocking 40 Gigabit Ethernet QSFP+ ports
● Up to 48 nonblocking 25 Gigabit Ethernet SFP28 ports
● Up to 48 nonblocking 10 Gigabit Ethernet SFP+ ports
● Platinum-rated AC/DC power supplies
● Up to 512,000 Flexible NetFlow (FNF) entries in hardware
● Up to 36 MB of unified buffer per ASIC
● Up to 212,000 routing entries (IPv4/IPv6) for high-end campus core and aggregation deployments
● IPv6 support in hardware, providing wire-rate forwarding for IPv6 networks
● IEEE 802.1ba AV Bridging (AVB) built in to provide a better AV experience through improved time
synchronization and QoS
● Precision Time Protocol (PTP; IEEE 1588v2) provides accurate clock synchronization with sub-
microsecond accuracy, making it suitable for distribution and synchronization of time and frequency
over the network
● Dual-stack support for IPv4/IPv6 and dynamic hardware forwarding table allocations, for ease of
IPv4-to-IPv6 migration
● Support for both static and dynamic NAT and Port Address Translation (PAT)
● Scalable routing (IPv4, IPv6, and multicast) tables and Layer 2 tables
Product Code C9500-24Y4C-E
Description Cisco Catalyst 9500 Series high performance 24-port 1/10/25G switch, NW Ess. License
Switching capacity Up to 1.6 Tbps
Forwarding rate Up to 1 Bpps
DRAM 16 G
Flash 16 G
Dimensions (H x W x D) 1.73 x 17.5 x 18.0 in
Rack units (RU) 1RU
The 9300 series switches: proposed replacement for the 48-port blades
C9300L-48P-4X-
The Cisco® Catalyst® 9300 Series switches are Cisco's lead stackable enterprise switching platform built
for security, IoT, mobility, and cloud. They are the next generation of the industry's most widely
deployed switching platform. Catalyst 9300 Series switches form the foundational building block for
Software-Defined Access (SD-Access), Cisco's lead enterprise architecture. At up to 480 Gbps, they are
the industry's highest-density stacking bandwidth solution with the most flexible uplink architecture.
The Catalyst 9300 Series is designed for Cisco StackWise® technology, providing flexible deployment
with support for nonstop forwarding with Stateful Switchover (NSF/SSO), for the most resilient
architecture in a stackable (sub-50-ms) solution. The highly resilient and efficient power architecture
features Cisco StackPower®, which delivers high-density Cisco Universal Power over Ethernet (Cisco
UPOE®) and Power over Ethernet Plus (PoE+) ports. The switches are based on the Cisco Unified
Access™ Data Plane (UADP) 2.0 architecture, which not only protects your investment but also
allows a larger scale and higher throughput. A modern operating system, Cisco IOS® XE with
programmability, offers advanced security capabilities and Internet of Things (IoT) convergence.
The 9300 series supports a network fabric that integrates advanced hardware and software innovations
to automate, secure, and simplify customer networks. The goal of this network fabric is to enable
customer revenue growth by accelerating the rollout of business services.
The Cisco Digital Network Architecture (Cisco DNA) with Software-Defined Access (SD-Access) is the
network fabric that powers business. It is an open and extensible, software-driven architecture that
accelerates and simplifies your enterprise network operations. The programmable architecture frees
your IT staff from time-consuming, repetitive network configuration tasks so they can focus instead on
innovation that positively transforms your business. SD-Access enables policy-based automation from
edge to cloud with foundational capabilities. These include:
• Simplified device deployment
• Unified management of wired and wireless networks
• Network virtualization and segmentation
• Group-based policies
• Context-based analytics
Resiliency and high availability
● StackWise-480: Cisco Catalyst 9300 Series modular uplink models (C9300 SKUs) support the
industry’s highest back-panel stacking bandwidth solution (480 Gbps) with StackWise-480. Up to 8
Switches can be configured in a Stackwise-480 with the special connector at the back of the switch
using dedicated stack cables.
● StackWise-320: The Cisco Catalyst 9300 Series fixed uplink models (C9300L SKUs) support stacking
bandwidth solution (320 Gbps) with StackWise-320. Up to 8 Switches can be optionally configured in
a Stackwise-320 with the special Stack Kit at the back of the switch using dedicated stack cables.
● Cisco StackPower: Cisco StackPower is an innovative power interconnect system that allows the
power supplies in a stack to be shared as a common resource among all the switches. This allows
you to simply add one extra power supply in any switch of the stack and either provide power
redundancy for any of the stack members or simply add more power to the shared pool. Up to 4
switches can be configured in a StackPower stack with the special connector at the back of the
switch. However, with the use of the XPS-2200 appliance, up to 9 switches can be configured in the
StackPower stack.
High availability: The Catalyst 9300 Series supports high-availability features, including the following:
◦ Cross-stack EtherChannel provides the ability to configure Cisco EtherChannel technology across
different members of the stack for high resiliency.
◦ IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) provides rapid spanning tree convergence
independent of spanning tree timers and also offers the benefit of Layer 2 load balancing and
distributed processing.
◦ Per-VLAN Rapid Spanning Tree (PVRST+) allows rapid spanning tree (IEEE 802.1w) re-convergence
on a per-VLAN spanning tree basis, providing simpler configuration than MSTP. In both MSTP and
PVRST+ modes, stacked units behave as a single spanning tree node.
◦ Switch-port auto-recovery (“err-disable” recovery) automatically attempts to reactivate a link that
is disabled because of a network error.
◦ The Catalyst 9300 Series platform delivers the best NSF/SSO resiliency architecture in a stackable
solution with sub-50-ms failover.
The proposed replacements for Hub switches
C9500-16X-A
C9500-16X-A is a Catalyst 9500 16-port 10Gig switch, with Network Advantage. The Cisco Catalyst 9500
Series Switches are the next generation of enterprise-class core and aggregation layer switches,
supporting full programmability and serviceability. Based on an x86 CPU, the Catalyst 9500 Series is Cisco's
lead purpose-built fixed core and aggregation enterprise switching platform, built for security, IoT, and
cloud. The Catalyst 9500 Series is the industry's first purpose-built 40 Gigabit Ethernet line of switches
targeted for the enterprise campus.
Product Code: C9500-16X-A
Description: Catalyst 9500 16-port 10Gig switch, with Network Advantage
Switching capacity: Up to 240 Gbps
Forwarding rate: Up to 360 Mpps
DRAM: 16 G
Flash: 16 G
Dimensions (H x W x D): 1.73 x 17.5 x 21.52 in
Rack units (RU): 1 RU
The proposed replacement for the EOC switch
C9300L-24T-4X-E Catalyst 9300 24-port fixed uplinks data only, 4X10G uplinks,
The proposed Intersection switches IE3300
Cisco Catalyst IE3300 Rugged Series switches deliver high-speed Gigabit Ethernet connectivity in a
compact form factor and are designed for a wide range of industrial applications where hardened
products are required. The modular design of the Cisco Catalyst IE3300 Rugged Series offers the flexibility
to expand to up to 26 ports of Gigabit Ethernet with a range of expansion module options. The platform
is built to withstand harsh environments in manufacturing, energy, transportation, mining, smart cities,
and oil and gas. The IE3300 platform is also ideal for extended enterprise deployments in outdoor spaces,
warehouses, and distribution centers. The IE3300 series (with expansion module) supports power budget
of up to 360W for PoE/PoE+, shared across 24 ports, and is ideal for connecting PoE-powered end devices
such as IP cameras, phones, wireless access points, sensors, and more.
All proposed switches are built on the new IOS XE operating system
These switches run Cisco IOS® XE, a next-generation operating system with built-in security and trust,
featuring secure boot, image signing, and the Cisco® Trust anchor module. Cisco IOS XE also provides API-
driven configuration with open APIs and data models.
● Automated device provisioning is the ability to automate the process of upgrading software images and
installing configuration files on Cisco Catalyst switches when they are being deployed in the network for
the first time. Cisco provides both turnkey solutions such as Plug and Play and off-the-shelf tools such as
Zero-Touch Provisioning (ZTP) and Preboot Execution Environment (PXE) that enable an effortless and
automated deployment.
● API-driven configuration is available with modern network switches such as the Cisco Catalyst 9300
Series. It supports a wide range of automation features and provides robust open APIs over NETCONF,
RESTCONF and GNMI using YANG data models for external tools, both off-the-shelf and custom built, to
automatically provision network resources.
● Granular visibility enables model-driven telemetry to stream data from a switch to a destination. The
data to be streamed is identified through subscription to a data set in a YANG model. The subscribed data
set is streamed to the destination at specified intervals. Additionally, Cisco IOS XE enables the push model.
It provides near-real-time monitoring of the network, leading to quick detection and rectification of
failures.
● Seamless software upgrades and patching support OS resilience. Cisco IOS XE supports patching, which
provides fixes for critical bugs and security vulnerabilities between regular maintenance releases. This
support lets you add patches without having to wait for the next maintenance release.
Security
● Encrypted Traffic Analytics (ETA) is a unique capability for identifying malware in encrypted traffic
coming from the access layer. Since more and more traffic is becoming encrypted, the visibility this feature
affords for threat detection is critical for keeping your network secure at different layers.
● AES-256 MACsec encryption is the IEEE 802.1AE standard for authenticating and encrypting packets
between switches. The Cisco Catalyst 9300 Series switches support 256-bit and 128-bit Advanced
Encryption Standard (AES), providing the most secure link encryption.
● Trustworthy solutions built with Cisco Trust Anchor Technologies provide a highly secure foundation for
Cisco products. With the Catalyst 9300 Series, these technologies enable hardware and software
authenticity assurance for supply chain trust and strong mitigation against man-in-the-middle attacks that
compromise software and firmware. Trust Anchor capabilities include:
◦ Image signing: Cryptographically signed images provide assurance that the firmware, BIOS, and other
software are authentic and unmodified. As the system boots, the system’s software signatures are
checked for integrity.
◦ Secure Boot: Cisco Secure Boot technology anchors the boot sequence chain of trust to immutable
hardware, mitigating threats against a system’s foundational state and the software that is to be loaded,
regardless of a user’s privilege level. It provides layered protection against the persistence of illicitly
modified firmware.
◦ Cisco Trust Anchor module: A tamper-resistant, strong cryptographic, single-chip solution provides
hardware authenticity assurance to uniquely identify the product so that its origin can be confirmed to
Cisco. This provides assurance that the product is genuine.
Audio Video Bridging (AVB)
Starting with Cisco IOS XE Software Release 16.8, the Cisco Catalyst 9300 Series supports the IEEE 802.1
AVB standard. This standard provides the means for highly reliable delivery of low-latency, time-
synchronized audio and video streaming services through Layer 2 Ethernet networks. The standard also
makes it easier to integrate new services and for AV equipment from different vendors to interoperate.
Benefits
● Improves quality of experience by lowering jitter and latency for time-synchronized delivery of high-
quality AV.
● Provides scalability of applications across networked deployments, including expansive and complex AV
infrastructure.
● Lowers Total Cost of Ownership (TCO) with reduced cabling (lowers CapEx) and no license fees (lowers
OpEx).
Proposed Firewalls/VPN Access/RADIUS Server
The Cisco Firepower 2100 Series is a family of four threat-focused NGFW security platforms that deliver
business resiliency through superior threat defense. It offers exceptional sustained performance when
advanced threat functions are enabled. These platforms uniquely incorporate an innovative dual
multicore CPU architecture that optimizes firewall, cryptographic, and threat inspection functions
simultaneously. The series’ firewall throughput range addresses use cases from the Internet edge to the
data center. Network Equipment Building Standards (NEBS)-compliance is supported by the Cisco
Firepower 2100 Series platform.
Features and benefits
Threat-focused NGFW
Improve business resiliency and maintain performance with superior threat defense. Apply granular
application control. Protect against malware. Shrink time to detection and remediation. Reduce
complexity with the on-device management interface.
Optimized performance and port density
Firewall throughput speeds from 2 Gbps to 8.5 Gbps. Support for sixteen (16) 1 GE ports on the low-end
models. The high-end models support up to twenty-four (24) 1 GE ports or up to twelve (12) 10 GE ports.
All in a 1RU form factor.
Innovative architecture
With its unique dual-CPU, multicore architecture, the 2100 maintains throughput performance when
threat inspection is activated by routing different workloads to different chips. And enabling the threat
protection features does not affect the firewall throughput.
Integration adds value
Further strengthen your defenses. Share intelligence, context, and policy controls by integration with
third-party and other Cisco security solutions. Enable automatic device quarantining and rapid threat
containment with Cisco ISE.
Management to meet your needs
Cisco Firepower NGFW is now even less time-consuming to configure and less costly to manage. You can
choose from local, centralized, and cloud-based managers that fit your environment and the way you
work.
Cisco Firepower Management Center
This is your administrative nerve center for managing critical Cisco network security solutions. It provides
complete and unified management over firewalls, application control, intrusion prevention, URL filtering,
and advanced malware protection. Easily go from managing a firewall to controlling applications to
investigating and remediating malware outbreaks.
Security automation
The management center automatically correlates security events with the vulnerabilities in your
environment. It prioritizes attacks so your team can easily see which events they need to investigate first.
And it recommends the security policies to put in place.
Threat Intelligence Director
Using open industry-standard interfaces, Threat Intelligence Director ingests intelligence from multiple
sources. It then facilitates the appropriate monitoring and containment actions. It correlates observations
with third-party sources to reduce the total number of alerts you need to review.
Firepower Threat Defense Remote Access VPN Overview (Anyconnect)
Firepower Threat Defense provides secure gateway capabilities that support remote access SSL and IPsec-
IKEv2 VPNs. The full tunnel client, AnyConnect Secure Mobility Client, provides secure SSL and IPsec-IKEv2
connections to the security gateway for remote users. AnyConnect is the only client supported on
endpoint devices for remote VPN connectivity to Firepower Threat Defense devices. The client gives
remote users the benefits of an SSL or IPsec-IKEv2 VPN client without the need for network administrators
to install and configure clients on remote computers. The AnyConnect mobile client for Windows, Mac,
and Linux is deployed from the secure gateway upon connectivity. The AnyConnect apps for Apple iOS
and Android devices are installed from the platform app store.
Use the Remote Access VPN Policy wizard in the Firepower Management Center to quickly and easily set
up SSL and IPsec-IKEv2 remote access VPNs with basic capabilities. Then, enhance the policy configuration
if desired and deploy it to your Firepower Threat Defense secure gateway devices.
Remote Access VPN Features
The following section describes the features of Firepower Threat Defense remote access VPN:
• SSL and IPsec-IKEv2 remote access using the Cisco AnyConnect Secure Mobility Client.
• Firepower Management Center supports all combinations, such as IPv6 over an IPv4 tunnel.
• Support for Firepower Management Center.
Cisco ISE-Identity Services Engine (recommended product for RADIUS server)
Getting ahead of threats requires thorough visibility and control. That means having deep visibility into
the users, devices, and applications accessing your network. And it means gaining the dynamic control
to make sure that only the right people with trusted devices get the right level of access to
network services.
ISE simplifies the delivery of consistent, highly secure access control across wired, wireless, and VPN
connections. With far-reaching, intelligent sensor and profiling capabilities, ISE can reach deep into the
network to deliver superior visibility into who and what are accessing resources. Through the device
profiler feed service, ISE delivers automatic updates of Cisco’s validated device profiles for various IP-
enabled devices from multiple vendors, which simplifies the task of keeping an up-to-date library of the
newest IP-enabled devices.
ISE can implement Cisco TrustSec® policy for software-defined segmentation, which transforms the
network from a simple conduit for data into a security enforcer that accelerates the time to detection and
mitigates threats.
The Proposed Solution addresses the concerns of the Metric Consulting Discovery and
Recommendations document, along with providing the foundation for the future smart city/smart connected
intersections design and the onboarding of Internet of Things (IoT) technologies and Connected and
Automated Vehicles (CAV).
• Refreshing all hardware devices to replace all end-of-sale/end-of-support hardware, reducing
the risk of downtime from unsupported hardware.
• It also addresses their comment “Due to the switches being at the end of life, if either
experienced a hardware failure, the City of Naples will not receive support or a replacement
switch”
• Delivering a single manufacturer platform addressing the issue of having “different types of
switch manufacturers can potentially have interoperability issues and the County could have
possible maintenance issues by having to stock replacement equipment from two different
manufacturers”
• It also addresses their comment “The Layer 2 field rings are comprised of multiple switch
vendors such as Cisco 2955 and RuggedCom RS900G switches. In some cases, various vendors
implement Layer 2 protocols differently, which causes compatibility issues between the
switches and cause network disruptions”
• Cisco ISE provides the centralized network access policy management console that meets the
requirement for a RADIUS server and provides user credentials and access to the devices and
network locations, along with defining user profiles (guest/admin/network user), rights, endpoint
device types and user groups.
• The proposed core switches and firewalls will be redundant, which addresses their
recommendation of “By having two (2) switches and non-redundant connection at the core
routers, this equipment configuration can cause a single point of failure and potential network
failure, due to all routing occurs at the TMC location.”
• Along with meeting the requirement of “future expansion if needed”, each section above details the
expandability and scalability of the proposed hardware.
Addressing the concerns and recommendations on redesigning the current network: the redesign
includes revising the current Layer 2 and Layer 3 VLAN segmentation.
Network segmentation directly decreases the number of systems on the same network
segment and shrinks the broadcast domain, which reduces both device network processing and the reach
of malicious reconnaissance. By limiting routed traffic to segments, overall bandwidth usage in the LAN is
reduced.
• The propagation of network worms such as WannaCry and NotPetya over a shared protocol
such as SMB is limited on a segmented network in a way it is not on a flat network.
• Segmentation aids compliance by separating zones that contain data with similar requirements
whilst ensuring that systems holding sensitive data are kept isolated.
• Network segmentation enables segregation of systems by end-user category groups, with
access control policy enforced at the ingress/egress points. This granularity of security
policy can be implemented over time with ACLs at the zone gateway or firewalls that control
the flow for large segments.
• Often network segmentation projects can be run with current network equipment.
• Facilitate the addition of an untrusted VLAN for ISE policy enforcement. The ISE solution allows
network operators to define policies for enforcement, such as the types of computers or roles of
users allowed to access areas of the network. These are then enforced using switches, routers, and
firewalls. Implementing an untrusted VLAN segment can protect the network from non-compliant
and/or unknown systems.
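To make the segmentation and untrusted-VLAN points above concrete, here is an added Cisco IOS-XE configuration fragment; it is not from the proposal, Matrix or Cisco, and every VLAN number, subnet, host address and ACL name in it is a constructed assumption. It shows a core switch acting as the Layer 3 zone gateway, a field-ring segment that can reach only the TMC server segment, an SMB deny with logging so lateral SMB attempts are recorded rather than silently dropped, and a quarantine VLAN that permits only DHCP, DNS and a remediation host.

```ios
! Added example (not the proposal's design): VLAN ids, subnets, hosts
! and ACL names below are constructed assumptions.
vlan 10
 name TMC_SERVERS
vlan 20
 name FIELD_RING_A
vlan 99
 name UNTRUSTED_QUARANTINE
!
! The core switch is the Layer 3 zone gateway, so an ACL applied "in"
! on each SVI is the ingress control point for that whole segment.
interface Vlan10
 description TMC ATMS and management servers
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 description Field ring A (intersection switches, controllers, cameras)
 ip address 10.20.0.1 255.255.255.0
 ip access-group RING_A_IN in
!
interface Vlan99
 description Untrusted VLAN: unknown or non-compliant endpoints placed here by ISE
 ip address 10.99.0.1 255.255.255.0
 ip access-group QUARANTINE_IN in
!
ip access-list extended RING_A_IN
 remark Deny SMB leaving the ring, even toward TMC servers; log hits for review
 deny   tcp 10.20.0.0 0.0.0.255 any eq 445 log
 deny   tcp 10.20.0.0 0.0.0.255 any eq 139 log
 remark Field devices talk only to the TMC server segment, never to other rings
 permit ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 deny   ip any any log
!
ip access-list extended QUARANTINE_IN
 remark Quarantined hosts get DHCP, DNS and the remediation portal only
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.10.0.53 eq domain
 permit tcp any host 10.10.0.80 eq 443
 deny   ip any any log
```

On IOS-XE, `show access-lists RING_A_IN` shows per-entry hit counts, so denied SMB attempts are visible both in syslog (from the `log` keyword) and in the counters.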
Proposed approach to network design revisions (insert points from Jason scope of work)
Final thoughts
The budgetary engineer's cost estimate provided by Matrix stated “Manufacturer Suggested Retail
Price (MSRP) for budgetary purposes.” Although our research found that the pricing provided was not accurate,
we had no other choice but to work within the money allocated. The other item to consider is that the
following products are discontinued:
• Cisco ASA5500 series firewall (recommended replacement is the Firepower 2130)
• Cisco 6509 core switch (Cisco Catalyst 9500 and 9300 series)
• Cisco 2960L is still available, but it is recommended to utilize the 9200 series platform
• Juniper RADIUS server (recommended replacement is Cisco Identity Services Engine (ISE))
The ITS Express 8012-24 port switches are still available, but they are very entry-level switches with
limited management capabilities and scalability. Keeping them also contradicts their mention of the risks of utilizing
multiple manufacturer device platforms within a single network infrastructure. The recommended
replacement is the Cisco IE3300 ruggedized switches.
Benefits of a single manufacturer and partner for Network Equipment and design strategy
Cisco is the industry leader across the board in many technologies such as networking, security, wireless
and collaboration. For a business decision maker and network manager, the benefits are the ease of vendor
management (a single point of contact for sales and support for your entire network environment), the
ability to maintain and monitor all of your Cisco products from one network operations management console
with the DNA platform (a single pane of glass for all Cisco devices), and avoiding the learning challenges
of maintaining a multiple-manufacturer infrastructure; all devices proposed utilize the same
operating system for all network devices (IOS-XE).
Cisco is the only manufacturer that provides a comprehensive product portfolio with a solution for
every layer of the network: core, edge, remote sites, intersection switches, security, network
management, and network access management and policy.
The proposed solution provides the foundation for the existing environment and ability to scale to
support a smart city and connected vehicle design.