The following sections describe the key considerations for the Healthcare Vertical.
The healthcare system needs to protect patient personal medical records and financial information. Security-rich features such as dot1x, MAB, centralized guest access, CISF (Catalyst Integrated Security Features), and Cisco TrustSec (CTS) are deployed to provide identity-based services securely.
The healthcare system must enable traditional and specialized resources in order to provide reliable access and faster delivery of electronic medical records (EMRs), electronic health records (EHRs), and medical and diagnostic lab reports needed for collaborative care services. Network services such as video delivery and Quality of Experience with custom QoS and Auto QoS are deployed to allow collaborative care between labs, doctors, nurses, caregivers, and patient facilities.
Optimizing the existing network using technologies such as VRF-Lite, GRE, and Private VLAN makes IP address use more efficient and provides the network segmentation needed to meet healthcare system requirements such as VPN, guest access, and isolating DMZ servers from each other.
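As an added illustration of the CISF layer-2 hardening referred to above (this is example configuration written for this page, not from the validation profile), the following Catalyst IOS snippet ties DHCP snooping, Dynamic ARP Inspection, IP Source Guard, port security, and BPDU guard together on one access VLAN. VLAN 10, the endpoint port Gi1/0/1, and the uplink Te1/1/1 are assumed values.

```cisco
! Added example, not from the validation profile: CISF baseline for one access
! VLAN on a Catalyst access switch. VLAN 10, Gi1/0/1 (endpoint port) and
! Te1/1/1 (uplink to distribution) are assumed values, not from the document.
!
! DHCP snooping builds the binding table that DAI and IP Source Guard use.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! Dynamic ARP Inspection checks ARP packets against the snooping bindings,
! so a host cannot poison its neighbours' ARP caches (the MITM case).
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Recover err-disabled ports automatically so a clinical endpoint is not
! left hard-down after a BPDU guard or port-security event.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet1/0/1
 description endpoint port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Cap MAC addresses per port; restrict drops offenders without shutting the port
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! Rate-limit DHCP and ARP from untrusted hosts (protects the switch CPU)
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: forward only traffic that matches a snooping binding
 ip verify source
 storm-control broadcast level 1.00
!
interface TenGigabitEthernet1/1/1
 description uplink to distribution (assumed)
 switchport mode trunk
 ! Trust the uplink so the real DHCP server's offers and gateway ARP pass
 ip dhcp snooping trust
 ip arp inspection trust
```

Medical devices with static addresses have no DHCP snooping binding, so DAI and IP Source Guard will drop their traffic unless a static `ip source binding` entry is added for each one; verify with `show ip dhcp snooping binding` and `show ip arp inspection statistics` before rolling the policy out to a ward.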
Effective Network Management
Network administrators should be able to efficiently manage and monitor their networks to respond quickly to the dynamic needs of the healthcare system. Administrators can use Cisco-provided tools such as Cisco Prime Infrastructure and WebUI to quickly deploy, manage, monitor, and troubleshoot the end-to-end network.
System & Network Resiliency
The healthcare system and hospital emergency departments cannot afford long downtimes, which calls for strict system-level and network-level resiliency. Stack HA, EtherChannel link-level resiliency, Virtual Switching System (VSS), and First-Hop Redundancy Protocol (FHRP) help meet such demands at different levels of the network.
| Focus Area | Technologies |
|---|---|
| Security | Dot1x, MAB, CISF, ACL, guest access, Cisco TrustSec |
| Network services | Multicast, QoS, AutoQoS |
| Network virtualization | VRF-Lite (Virtual Routing and Forwarding), Generic Routing Encapsulation (GRE), Private VLAN |
| Efficient network management | Cisco Prime Infrastructure, WebUI, Zenoss |
| System & network resiliency | EtherChannel, Stack HA, FHRP, VSS |
The Healthcare Vertical Profile is designed with a three-tier architecture with hybrid (L2/L3) access.
Site-1 (the left portion of the topology) represents a block of a hospital deployment where Cisco Catalyst 3850 and 3650 switches are deployed in the access layer and a 10G Catalyst 3850 is in the distribution layer.
Site-2 (the middle portion of the topology) represents another block of the hospital deployment, where a 3850 and 3650 are in the access layer and a Catalyst 4500 is in the distribution layer.
Site-3 (the right portion of the topology) represents another block of the hospital deployment with Catalyst 4K SUP7E/7LE, 2960X, and 3560CX in the access layer and a Catalyst 4500 in the distribution layer. All sites share a common Catalyst 6500 in the core layer. Depending on the size of the campus, its geographical location, and the user scale, there may be more distribution switches connecting to the core layer.
The table below describes the use cases that were executed on the Healthcare Vertical Profile. These use cases are divided into buckets of technology areas to show the complete coverage of the deployment scenarios.
These technology buckets are system upgrade, security, optimizing network and traffic, network services, monitoring and troubleshooting, simplified management, and system health monitoring, along with system and network resiliency.
| No. | Focus Area | Use Cases |
|---|---|---|
| 1 | | Network administrator should be able to perform switch upgrade and downgrade between releases seamlessly. |
| 2 | | Network admin to secure the L2 access against MITM and DoS attacks using CISF (Cisco Integrated Security Features). |
| 3 | | Network admin to deploy input/output PACL, RACL, and VACL with a large number of ACEs for various traffic patterns (IPv4). |
| 4 | IBNS 2.0 Mode | Network admin wants to deploy endpoint/end-user security using MAB/Dot1x with IBNS 2.0 Mode (eEdge/new-style). |
| 5 | | Network admin wants to deploy endpoint/end-user security using MAB/Dot1x with Auth-Manager Mode (legacy). |
| 6 | | Network admin wants to provide temporary guest access (CWA). |
| 7 | | Network admin to provide VPN connectivity and optimize the use of IP addresses using VRF-Lite. |
| 8 | | Network admin to provide logical isolation between the VPNs and share dedicated network resources using GRE to provide Guest and Partner |
| 9 | | Network admin to deploy Private VLAN for efficient IP address aggregation. |
| 10 | Multicast Video (Access/Distribution) | Network admin wants to enable and deploy multicast services. |
| 11 | QoS (Access/Distribution) | Network admin needs to enhance user experience by ensuring traffic and application delivery using custom QoS policies for trusted/untrusted interfaces. |
| | Monitoring & Troubleshooting | |
| 12 | NetFlow (Access/Distribution) | Enable IT admins to determine network resource usage and capacity planning by monitoring L2/IPv4 traffic flows using Flexible NetFlow. |
| 13 | Prime-ManageMonitor | Network admin wants to manage and monitor all the devices in the network using Cisco Prime Infrastructure. |
| 14 | Prime-SWIM | Network admin should be able to manage images on network devices using Cisco Prime Infrastructure for upgrade/downgrade. |
| 15 | Prime-Template | Network admin wants to configure deployment using Cisco Prime Infrastructure. |
| 16 | Prime-Troubleshooting | Simple network troubleshooting and debugging for IT admins. |
| | System Health Monitoring | |
| 17 | System Health (Access/Distribution) | Monitor system health for CPU usage, memory consumption, and memory leaks during longevity testing. |
| | System & network resiliency, robustness | |
| 18 | System Resiliency (Access/Distribution) | Verify system-level resiliency during the following events: |
| 19 | Network Resiliency (Access/Distribution) | High availability of the network during system failures using: |
| 20 | Typical Deployment Events, Triggers (Access/Distribution) | Verify that the system holds well and recovers to working condition after the following events are triggered: |