Experience of Safe and Operable Hospital External Network Construction - External Network Construction of Tongji Hospital

27-10-2022

In 1900, Tongji Hospital was founded by Paulun, a German doctor, in Shanghai. In 1955, the hospital was moved to Wuhan. Today, it is affiliated with Tongji Medical College of Huazhong University of Science and Technology as a modern general hospital integrating medical treatment, teaching, scientific research, and training.

Currently, the hospital has 2,000 patient beds, 19 clinical departments, 13 medical and technical departments, and 19 secondary specialties. The annual outpatient volume of the hospital reaches more than 1.8 million and the annual hospitalization volume reaches 50,000. The cardiovascular disease discipline of internal medicine, respiratory disease discipline of internal medicine, surgery (general surgery), and obstetrics and gynecology are key disciplines in China. The Institute of Organ Transplantation and the Laboratory of Respiratory Medicine are key laboratories of the Ministry of Health. The rehabilitation medicine discipline is designated as a training and research center by WHO. Also, the hospital is a member of the Asian Emergency Assistance.

The Full Cost Accounting (FCA) management of the hospital has achieved remarkable benefits and has been promoted in China with the recognition of the central authority leaders and the Ministry of Health. The hospital was identified by the Publicity Department and the Ministry of Health as one of the top ten civilized service demonstration hospitals in China.

Tongji Hospital's network consists of the internal and external networks which are physically isolated. The internal network carries the hospital's Hospital Information System (HIS), Picture Archiving and Communication System (PACS), Laboratory Information Management System (LIS), FCA, and many other application systems. The external network provides external public services such as the Internet, CERNET website browsing, online office system, Video On Demand (VOD), foreign collection material inquiry, hospital portal, and patient appointment registration. The external network covers many areas such as the hospital office, family areas, staff apartments, and postgraduate apartments, with nearly 2,000 broadband Internet users.

Its original external network adopted a 100 megabit backbone and large hubs and other devices. With the increase of broadband Internet users and the development of the Tongji VOD and other services, the problems of insufficient network bandwidth and poor network security have become more and more obvious. Slow Internet access, the proliferation of network viruses, and network interruptions occur from time to time, seriously affecting the online office system and digital library service. Meanwhile, since the hospital could not manage broadband Internet users, BT downloads by a few Internet users have occupied large network resources. This has resulted in slow speeds for other Internet users. Although the hospital has kept increasing the Internet access bandwidth and invested a lot of money, the user experience of Internet access has not been significantly improved.

The transformation of the existing network has been an urgent need for the information construction of the hospital as security, reliability, and manageability have become the basic principles of network construction.

After technical communication and solution comparison, Tongji Hospital finally chose H3C products for building the external network. This is mostly because H3C, as a larger network device manufacturer in China, can not only provide the full range of network products with high quality, but also customize solutions according to the actual needs of clients. H3C provides an operational and manageable external network solution for Tongji Hospital. The solution addresses needs such as network security and user authentication management. At the same time, it can implement differentiated management for the needs of different users in the hospital. For example, users in the office area can access the hospital service system such as collection material inquiry, Internet, and CERNET for free, while users in the family area and staff apartment can only access the Internet and Tongji VOD. The solution can provide multiple billing methods to create benefits for the hospital.

H3C has established 28 spare parts and after-sales service centers in China. The after-sales service center in Hubei Province is established in Wuhan. During the implementation of the external network transformation of Tongji Hospital, H3C and the project integrator cooperated with each other and provided great after-sales service for the hospital. This fully reflects the advantages of Chinese vendors in terms of service.

Key devices

For the external network construction, the H3C SR88 core router, S9505 10 GbE core switch, S7505 high-end switch, and S3000 series access switch products were deployed, as well as the MA5200 broadband access server, IMC, and EAD.

Network construction solution and features

The topology of the external network of Tongji Hospital is simple. It can be divided into the core layer and the access layer. The core layer of the office area adopts a carrier-grade and highly reliable H3C S9505 10 Gigabit switch with key modules including redundant engines and redundant power supplies. The family and apartment areas share one high-performance H3C S7506 switch. The S7506 and S9505 switches are interconnected by a Gigabit fiber bundle link. The cost-effective H3C S3000 series products were selected for all floor switches.

The packet forwarding capacities of the S9505 and S7505 switches reach 180 Mpps and 48 Mpps, respectively. Both switches are leading in the industry in terms of processing performance and can meet the line rate forwarding of 10 Gigabit and Gigabit ports. The two-layer network structure of Tongji Hospital's external network makes full use of the high performance of the core switch as all data traffic forwarding is completed through the core switch. This structure minimizes network deployment and management costs.

The external network is interconnected with the Internet and the CERNET network, so the emergence of various new viruses may have a serious impact on its operation. Therefore, the S9505 and S7506 core switches deployed in network construction use a new "packet-based forwarding" mechanism. Compared with the "flow-cache" mechanism of traditional switches, this mechanism has high processing performance and is resistant to worms, which ensures high reliability of the hospital network.

An H3C core router SR88 is configured at the Internet egress. As a representative of the fifth generation of routers, the SR88 router introduces advanced network processor technology to achieve a perfect combination of processing performance, service scales, and scalability. The SR88 router serves as a NAT gateway device for all Internet users in the hospital, realizing the smart scheduling of the Internet egress and CERNET egress.

Security authentication management for users is the core concern for the external network construction of the hospital. To strengthen the specific management of different users, an H3C IAG 5000 has been configured in the core layer of the network.

H3C IAG 5000 adopts a box-type hardware architecture with centralized processing. It supports the access, authentication, authorization, and billing functions, and provides a complete Quality of Service (QoS) mechanism and rich service processing capabilities. IAG 5000 supports concurrent access by 2K users. It also supports a variety of flexible access authentication methods, including Web authentication, PPPoE authentication, 802.1x authentication, and port binding. This guarantees flexible selection of varied authentication methods for different users.

For broadband Internet users in the apartment and family areas, H3C IAG 5000 also supports various billing schemes including billing by month, bandwidth, time, and traffic. Flexible billing methods can meet the needs of different Internet users.

To facilitate end user management, the external network of Tongji Hospital adopts the Portal authentication method. After users open the IE browser, they will be forced to navigate to the user authentication interface no matter what URL they enter. Only by entering a valid user name and password can users access the network resources. To facilitate the management, different authentication interfaces are used for users in the office area and family area (including apartment users). The network access rights of users in different areas vary.

With the Portal authentication, end users using any operating system do not need to install client-side software, achieving plug-and-play. Meanwhile, it is possible to establish an office automation platform on the Portal page, or place notices and advertisements. For example, users can be asked to install operating system patches. This greatly reduces the workload of the hospital in network maintenance and management.

The hospital selected the 802.1x authentication method to meet the special requirements of flexible expense management and strict authentication for graduate student apartments. Meanwhile, H3C performed personalized development for the hospital to make the pop-up interface style of multiple authentications consistent. In this way, users can view the same content on the pop-up page.

The management of all users in Tongji Hospital is completed by IMC, such as user account opening, user name and password management, and user rights management. Meanwhile, IMC provides the self-service feature. Broadband Internet users can change their passwords or check their Internet access records on the authentication interface. Centralized management of user data makes data maintenance and backup simple and easy.

Realization of business benefits

The H3C IMC and IAG 5000 user authentication devices work together in the construction of Tongji Hospital's external network. For the hospital, this offers a user-friendly and feature-rich networking model. User authentication, user management, and broadband operation are well integrated and unified. This not only reduces the maintenance cost of the hospital, but also brings positive benefits to the operation of the hospital.
