SOUTH BAY BMW ACHIEVES UNMATCHED AVAILABILITY AND SECURITY WITH ITS CISCO NETWORK INSTALLED BY PRAXIS COMPUTING
South
Bay BMW needed to guard its network and mission-critical applications
against service-affecting fiber cuts and virus outbreaks. By choosing a
secure, high-availability network from Cisco, South Bay BMW was able to
build the ultimate dealership network.
BUSINESS CHALLENGE
When Hitchcock Automotive relocated its
South Bay BMW dealership to accommodate a growing customer base, it moved
into the ultimate sales and service facility in Torrance, California.
From the beginning, the new facility was designed to be the flagship store
for Hitchcock Automotive, including more than 110,000 square feet and 80
enclosed service bays. Hitchcock's corporate headquarters is connected to
six dealerships, including South Bay BMW, and the company employs 600
employees who rely on its network.
Rich Morris, vice president of information
systems, is solely responsible for the company's networking capabilities.
Hitchcock Automotive already had a network from Cisco Systems® and the new
South Bay BMW location offered a clean slate for implementing the most
current networking features and capabilities.
"My primary concern is application
availability," says Morris. "If the network goes down, I have 150
employees at the South Bay BMW dealership who are unable to be productive.
For example, if we spend $50,000 to run a weekend promotion and our main
application is down, we will lose significant amounts of money." When
it was time to build the network for the new facility, Morris insisted that
the dealership build in maximum resiliency.
In the past, the most common cause of
network downtime was a fiber cut to the local service provider's T1 links.
A severed line eliminated the dealership's WAN connection to headquarters
and access to its main productivity application. In addition, Ethernet lines
strung between multiple buildings made it difficult to create a
high-availability, secure LAN. This made the local network susceptible to
virus, worm, and spyware attacks, which slowed network performance.
Furthermore, viruses and worms that entered the network were able to
replicate and spread, making the entire corporate network vulnerable.
Morris would often need to hire as many as 12 people to patch 150 systems
every time new system patches and security updates became available, as
frequently as once or twice a month, costing $5000-6000 each time.
Without an army of
network engineers and information systems staff to rely on, Morris chose to
work with Praxis Computing, a Cisco® Premier Partner. The Cisco Premier
designation is awarded to independent computer consulting firms that have
demonstrated a commitment to technical excellence and continuing education.
Membership in the Cisco Premier Partner program provides Praxis Computing
with the resources it needs to excel at implementing and supporting Cisco
Systems network solutions.
"When I first decided to build a WAN, I
talked to the big service providers, but I didn't think they understood our
need for high availability," says Morris. "That search led me to
Jeff Roback at Praxis, and he listened to our needs and came back with a
superior solution. I naturally turned to him to help when we moved the South Bay dealership."
"Rich and I decided to take advantage
of the new security and resiliency advancements in Cisco equipment,"
says Jeff Roback, vice president of engineering for Praxis. "With a
solid WAN in place, it was relatively easy to build on that
foundation."
NETWORK SOLUTION
To help ensure that the new South Bay BMW
network met Morris' requirements for high availability and security, Roback
upgraded the corporate router to a Cisco 3845 Integrated Services Router
and installed Cisco 3825 integrated services routers at South Bay BMW. The
Cisco 3800 Series integrated services routers support advanced security
features, including intrusion prevention, stateful Cisco IOS® Firewall
support, antivirus defense support through Cisco Network Admission Control
(NAC), and support for as many as 2500 VPN tunnels with the AIM-HPII-PLUS
Module. South Bay BMW's routers also include optional Power over Ethernet
(PoE), also known as inline power, allowing the routers to easily support
peripheral devices, such as security cameras, and reduce the cost of
supplying them with Ethernet cable and power.
"The Cisco 3800 Series integrated
services routers integrate intelligent protection switching (IPS) in the
router, allowing us to perform firewall functionality as network traffic
flows through the router," says Roback. "This helps to
significantly improve our ability to secure the network."
Redundant point-to-point T1 links connect
headquarters to South Bay BMW's Cisco 3825 Integrated Services Router. At
the dealership, Morris also deployed two Cisco Catalyst® 3750 48-port
switches with PoE for the LAN core. The Cisco Catalyst 3750 Series switches
feature Cisco StackWise™ technology, providing scalability and high
resiliency in a compact footprint. With Cisco StackWise technology, South
Bay BMW can connect up to nine Cisco Catalyst 3750 Series switches and
manage them as a single, 32-Gbps switching unit. With PoE, the Cisco Catalyst
3750 switches can also power a number of wireless access points deployed
throughout the large facility.
By connecting redundant switches to the
Cisco 3825 Integrated Services Router, either switch could fail without
compromising the network. Threat defense features are also built into Cisco
Catalyst switches, helping Morris to more effectively guard against
viruses and worms.
Seven Cisco Catalyst 2950 48-port switches
are deployed in wiring closets, providing wire-speed Fast Ethernet and
Gigabit Ethernet connectivity with a range of software features and
configurations that allow Morris to select the functionality combination
needed for South Bay BMW's network edge.
To further increase the network's security
and resiliency levels, Roback recommended replacing the original Internet
routers with Cisco 2811 integrated services routers. The Cisco 2811 routers
offer advanced security services, such as hardware encryption acceleration,
IP Security (IPSec) VPN, firewall protection, inline intrusion prevention (IPS),
Cisco Network Admission Control (NAC), and URL filtering support. In the
event that the main router fails or both T1 links are broken, the entire
network can failover to the Internet and use the Cisco 2811 integrated
services routers' VPN capabilities as a backup.
Ten Cisco Aironet® 1300 Series access points
are deployed throughout the dealership, many of them located high overhead,
making it difficult to run power or Ethernet cabling to connect them.
Morris uses PoE on the Cisco Catalyst switches to power the access points,
connecting half of the access points to one switch and the remainder to the
second switch. If either switch fails, at least half of the access points
will still be available and the CiscoWorks Wireless LAN Solution Engine
(WLSE) will dynamically readjust the signal strength on the remaining
access points to maintain the network's functionality.
Roback also installed Cisco Security Agent
on every employee desktop, further increasing the dealership's defenses
against viruses, worms, spyware, and unauthorized software installations.
Cisco Security Agent monitors each computer for abnormal behavior. Unlike
antivirus software that depends on regular virus signature updates, Cisco
Security Agent is not signature-based and protects the network regardless
of the location's last antivirus update. By residing on desktop PCs and
identifying invaders before they are able to reach the network, Cisco
Security Agent can help to significantly limit potential damage.
BUSINESS VALUE
While fiber cuts and malicious software will
always be potential threats, the South Bay BMW network is no longer as
vulnerable. Morris says that the single most important benefit of the new
Cisco network is its resiliency. Using Cisco integrated services routers,
the new network can reroute around itself to avoid Internet failures, not
only at South Bay BMW, but at other dealership locations through the
corporate headquarters.
"We're able to back up each dealer's
Internet feed with another dealer's feed," says Morris. "Now,
each Internet router monitors the Internet connection for outages, and if
it detects one, it will dynamically reroute all of the Internet traffic
from the BMW dealership over to the Ford dealership, for example. We've had
issues with fiber cuts, but our built-in redundancy has enabled us to
overcome them." Managers from other locations can now visit the South
Bay BMW location and log onto their network, increasing their productivity
when they are away from their offices. With a highly available network, the
dealership's primary dealer management system application is now always
available to employees in sales, parts, service, used cars, accounting, and
payroll.
"The flexibility to interconnect in
different ways and provide for failover has been great," Morris says.
"The Internet is always available and it's fast. Our goal was to make
the network transparent to our employees, and we've achieved that."
The PoE feature not only gave South Bay BMW
flexibility in its wireless deployment, it also helped to significantly
reduce the cost of running electrical wires and cabling in the building's
100-foot ceilings and to the service bays. In addition to providing auto
technicians with secure, direct access to BMW's corporate network for
troubleshooting and information, it gave South Bay BMW the ability to
provide Wi-Fi access and entertainment for customers while they waited for
their cars, as well as provide employees with easy access to training
materials.
Morris estimates that the cost of supplying
power to the wireless system would have quadrupled without the PoE
capabilities. They also allow each part of the wireless network to be
secured individually. For example, the technician's wireless access to
BMW's diagnostic network can be secured from the customers' Wi-Fi access
network. Employees have wireless access to the core dealer management
system application. Each access point can determine whether the user is a
BMW employee and, if so, require that the transaction be encrypted before
the network routes the traffic towards the dealer management system. If the
user is a customer wanting to browse the Internet, the network allows them
to browse only. The network can also distinguish and separate video camera
traffic for security from satellite TV feeds.
Cisco Security Agent has saved Morris time
and money. If a virus enters a PC, Cisco Security Agent prevents it from
taking malicious action. When Roback and Morris first piloted the software,
they installed it on half of the desktops. Two weeks later a virus outbreak
occurred, and while the machines without Cisco Security Agent were
affected, none of the equipped machines experienced any problems. The
software guarded against spyware attacks as well.
"I don't spend any more of my Friday
nights patching machines," says Morris. "If a virus outbreak does
happen, we have time to address the problem." Morris can successfully
test patch compatibility with the dealership's main application and he
spends less than half of what he did previously on support costs.
"Cisco Security Agent has almost eliminated problems with spyware,
unauthorized software installations, and virus attacks."
"We also are subject to
Gramm-Leach-Bliley Act compliance," he continues. "With Cisco
Security Agent and other security features built into our network, I can
demonstrate that we have deployed effective security controls to protect
information confidentiality."
NEXT STEPS
Roback and Morris are testing VPN failover
capabilities before instituting it on the network. By transitioning to VPN
failover as a backup strategy, Morris hopes to eliminate a T1 connection
and its monthly cost at each location without reducing network reliability.
"By investing in the network and
building a secure, reliable infrastructure, I can focus on managing our
critical productivity applications," says Morris. "I wanted to
achieve network availability and security and we have absolutely done
that, and more."
FOR MORE INFORMATION
To learn more about Cisco routing solutions,
visit: http://www.cisco.com/go/routing.
To learn more about Cisco switching
solutions, visit: http://www.cisco.com/go/switching.
To learn more about Cisco security solutions,
visit: http://www.cisco.com/go/security.
To learn more about Cisco wireless
solutions, visit: http://www.cisco.com/go/wireless.
To learn more about South Bay BMW, visit: http://www.southbaybmw.com/.
To learn more about Praxis Computing, visit:
http://www.praxis.com/.
This customer story is based on information provided by South
Bay BMW and describes how that particular organization benefits from the
deployment of Cisco products. Many factors may have contributed to the
results and benefits described; Cisco does not guarantee comparable results
elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do
not allow disclaimer of express or implied warranties, therefore this
disclaimer may not apply to you.