Dan Brody Chief Information and Technology Officer CITO

Healthcare Vertical Networking Overview

The following sections describe the key considerations for the Healthcare Vertical.


The healthcare system needs to protect patient personal medical records and financial information. Securityrich features such as dot1x, MAB, Guest-access (centralized) , CISF (Catalyst Integrated Security Features), and Cisco TrustSec (CTS) are deployed to provide identity-based services securely.

Network Services

The healthcare system must enable traditional and specialized resources in order to provide reliable access and faster delivery of electronic medical records (EMRs), electronic health records (EHRs), and medical and diagnostic lab reports needed for the collaborated care services. Network services such as video delivery and Quality of Experience with Custom QoS and Auto QoS are deployed to allow collaborated care services between lab, doctors, nurses, caregivers, and patient facilities.

Network Virtualization

Optimizing the existing network using technologies such as VRF-Lite, GRE, and Private VLAN helps in effective IP address use, as well as providing the required network segmentation to meet some of the healthcare system’s needs, such as VPN, Guest access, and isolating DMZ servers from each other.

Effective Network Management

Network administrators should be able to efficiently manage and monitor their networks to quickly respond to the dynamic needs of the healthcare system. The administrators could use Cisco-provided tools such as Cisco Prime Infrastructure and WebUI to quickly deploy, manage, monitor, and troubleshoot the end-to-end network.

System & Network Resiliency

The healthcare system and hospital emergency departments cannot afford to have larger downtimes, which calls for strict system and network level resiliency. Stack HA, EtherChannel link-level resiliency, Virtual Switching System (VSS), and First-Hop Redundancy Protocol (FHRP) help in meeting such demands at different levels of the network.

Deployment areas Features
Security Dot1x, MAB, CISF, ACL, guest access, Cisco TrustSec
Network services Multicast, QoS, AutoQoS
Network virtualization VRF-Lite (Virtual Routing and Forwarding), Generic Routing Encapsulation (GRE), Private-VLAN
Efficient network management  Cisco Prime Infrastructure, WebUI, Zenoss
System & network resiliency  EtherChannel, Stack HA, FHRP, VSS


Network Profile

The Healthcare Vertical Profile is designed with the three tier architecture with Hybrid (L2/L3) access.


Site-1 (the left-portion of the topology) represents a block of a Hospital deployment where a Cisco Catalyst 3850 and 3650 are deployed in access layer. The 3850 in the distribution layer is 10G.

Site-2 (the middle portion of the topology) represents another block of the Hospital deployment, where a 3850and 3650 are in the access layer and a 4500 is in the distribution layer.

Site-3 (the right portion of the topology) represents another block of Hospital deployment with Cat4KSUP7E/7LE, 2960X, and 3560CX in the access layer and a Catalyst 4500 in the distribution layer. All sites use common Cat6500 in the core layer. Based on the size of the campus, its geographical location and user-scale, there might be more distribution switches connecting to the core layer.

Table below describes the use cases that were executed on the Healthcare Vertical Profile. These Use cases are divided into buckets of technology areas to show the complete coverage of the deployment scenarios.

These technology buckets are composed of system upgrade, security, optimizing network & traffic, network services, monitoring & troubleshooting, simplified management, and system health monitoring, along with system and network resiliency.

No. Focus Area Use Cases
System Upgrade
1 Upgrade
Network administrator should be able to perform switch upgrade and
downgrade between releases seamlessly.

  • All of the configuration should be migrated seamlessly during the
    upgrade/downgrade operation
  • SW Install, Clean, Expand, Archive Download
Network admin to secure the L2 access against MITM, DOS attacks using
the CISF (Cisco Integrated Security Features)

  • PortSecurity, IPSG, DAI, DHCP snooping
Network admin to deploy input/output PACL, RACL and VACL with large
number of ACEs for various traffic patterns (IPv4)
4 IBNS 2.0 Mode
Network admin wants to deploy endpoint/end-user security using MAB/
Dot1x with IBNS 2.0 Mode (eEdge/new-style).

  • PC behind the Phone: AuthC > Dot1x for the PC and MAB for the Phone, Host mode : Multi-Domain
  • Dot1x, MAB: PCs, Phones. Host Mode: Single Host, Multi-Host, Multi-Auth
  • AuthZ : dACL, Dynamic VLAN
  • Clients spread across open, closed and low impact modes
  • Critical VLAN
  • Re-authentication timers
5 Auth-Manager Mode
Network admin wants to deploy end-point/end-users security using MAB/
Dot1x with Auth-Manager Mode (legacy)

  • PC behind the Phone: AuthC > Dot1x for the PC and MAB for the Phone, Host Mode : Multi-Domain
  • Dot1x, MAB: PCs, Phones. Host mode: Single Host, Multi-Host, Multi-Auth
  • AuthZ : dACL, Dynamic VLAN
  • Clients spread across open, closed and low impact modes
  • Critical VLAN
  • Re-authentication timers
6 Guest-Access
Network admin wants to provide temporary guest access CWA

  • CWA—Self Register Guest Portal
Network Virtual
7 VRF-Lite
Network admin to provide VPN connectivity and optimize the use of IP
address, using the VRF-Lite

  • VRF routing using overlapped IP addresses
Network admin to provide logical isolation between the VPNs and share
dedicated network resources using GRE to provide Guest and Partner

  • Path Isolation between the VPNs using GRE tunnels
9 Private VLAN
Network admin to deploy Private VLAN for efficient IP address aggregation

  • Primary VLAN, Secondary VLAN
  • Isolate port, Community port, Promiscuous port on the physical interface depending on the connected endpoints
Network Services
 10  Multicast Video (Access/Distribution)  Network admin wants to enable and deploy multicast services.

  • V4 & V6 Multicast
  • L2/L3 Multicast video delivery using PIM-SM, PIM-SSM, IGMP/MLD Snooping
  • PIM-SM with static RP, auto-RP, PIM-SSM with static RP
 11  QoS (Access/Distribution) Network admin needs to enhance user experience by ensuring traffic and application delivery using custom QoS policies for trusted/untrusted interfaces.

  • Traffic types: VOIP, Video, Call Control, Transactional Data, Bulk Data, Scavenger
  • Policing Ingress and Priority & BW Management in Egress
  • AutoQoS on certain ports that are connected to endpoints
 Monitoring & Troubleshooting
 12  NetFlow (Access/Distribution)  Enable IT admins to determine network resource usage and capacity planning by monitoring L2/IPv4 traffic flows using Flexible NetFlow

  • Traffic types: L2, IPv4
  • FNFv9, IPFIX-v10
  • Prime Collector
  Simplified Management
 13  Prime-ManageMonitor  Network admin wants to manage and monitor all the devices in the network using Cisco Prime Infrastructure
 14  Prime-SWIM  Network admin should be able to manage images on network devices using Cisco Prime Infrastructure for upgrade/downgrade.
15 Prime-Template  Network admin wants to configure deployment using Cisco Prime Infrastructure.

  • Import and deploy customer specific configuration templates.
  • Schedule configuration for immediate or later deployment.
  • Simplify configuration using config-templates
16 Prime-Troubleshooting  Simple network troubleshooting and debugging for IT admins

  • Monitor & troubleshoot end-end deployment via maps & topologies
  • Monitor network for alarms, syslogs, and traps
  • Troubleshoot network performance using traffic flow monitoring
System Health Monitoring
 17  System Health (Access/Distribution) Monitor system health for CPU usage, memory consumption, and memory leaks during longevity
System & network resiliency, robustness
 18 System Resiliency (Access/Distribution)  Verify system level resiliency during the following events:

  • Active switch failure
  • Standby/Member switch failure
  • EtherChannel member link flaps
19 Network Resiliency (Access/Distribution)  High availability of the network during system failures using:

20 Typical Deployment Events, Triggers (Access/Distribution) Verify that the system holds well and recovers to working condition after the following events are triggered:

  • Config Changes—Add/Remove config snippets, Default-Interface configs
  • Link Flaps, SVI Flaps
  • Clear Counters, Clear ARP, Clear Routes, Clear access-sessions, Clear multicast routes
  • IGMP/MLD Join, Leaves
%d bloggers like this: