Friday, 07 January 2011

Chapter 6: Lab 6.2.1 Determining an IP Addressing Scheme

Step 1: Consider VLAN issues
The initial step in determining the required VLANs is to group users and services into VLANs. Each of these VLANs will represent an IP subnet.
A VLAN can be considered to be a group of switch ports assigned to a broadcast domain. Grouping the switch ports confines broadcast traffic to specified hosts so that bandwidth is not unnecessarily consumed in unrelated VLANs. It is therefore a recommended best practice to assign only one IP network or subnetwork to each VLAN.

When determining how to group users and services, consider the following issues:
Flexibility
The employees and hardware of the former AnyCompany will move into the building with the FilmCompany in the near future. The network from this newly acquired company needs to be tightly integrated with the FilmCompany network and a structure put in place to enhance the security of the network.
To support this integration, with improvements in security and performance, additional VLANs need to be created on the network. These VLANs will also allow the personnel to move to the buildings without additional network changes or interruption in network services.
Security
Security can be better enforced between VLANs than within VLANs.
• Access control lists can be applied to the Distribution Layer router subinterfaces that interconnect the VLANs to enforce this security.
• The interfaces on the switches can be assigned to VLANs as appropriate to support the network for the connected device.
• Additional Layer 2 security measures can also be applied to these switch interfaces.
WANs and VPNs
The contract with StadiumCompany adds a number of new requirements. Some FilmCompany personnel will be located at the stadium. Additional personnel and contract workers will also be present at the stadium during live events. These employees will use laptops and the wireless LAN at the FilmCompany branch as well as the wireless LAN at the stadium. To provide network connectivity for these laptops, they will be in their own VLAN. At the stadium, the FilmCompany laptop users will connect to a secure wireless VLAN and use a VPN over the Frame Relay connection between stadium and the FilmCompany branch. With this connection, the laptop users can be attached to the internal FilmCompany network regardless of physical location. To support the video feeds, FilmCompany will need resources available at the stadium. Some of the servers providing these resources will be located at the stadium. Other servers will be located at the branch office of the FilmCompany. For security and performance reasons, these servers, regardless of location, will be on secured VLANs. A separate VPN over the Frame Relay link will be created to connect the servers at the stadium to the servers located at the FilmCompany office.
What are the advantages and disadvantages of using a VPN to extend the wireless and video server networks over the Frame Relay connection from FilmCompany to the stadium?
Advantages:
Extending a VLAN over a VPN across the WAN has the advantage that the security measures applied to the VLAN are also applied to all hosts regardless of their location.
Disadvantages:
The disadvantage is that all VLAN broadcasts also cross the limited bandwidth of the WAN link, which may affect data throughput.

Redundancy
The VLAN structure will support load balancing and redundancy, which are major needs of this new network design. With such a large portion of the FilmCompany operations and revenues dependent on the network operation, a network failure could be devastating. The new VLAN arrangement allows the FC-ASW1 and FC-ASW2 switches to share the traffic load and to act as backups for each other.
This redundancy is accomplished by sharing the RSTP primary and secondary root duties for the traffic for the different VLANs:
• FC-ASW1 will be the primary root for approximately one-half of the VLAN traffic (not necessarily one half of the VLANs) and FC-ASW2 will be the secondary root for these VLANs.
• The remaining VLANs will have FC-ASW2 as the primary root and FC-ASW1 as the secondary root.

Step 2: Group network users and services
Examine the planned network topology. Applying the issues considered in Step 1, list all the possible groupings of users and services that may require separate VLANs and subnets.
____________________ default VLAN for the Layer 2 devices
____________________ voice VLAN to support Voice over IP
____________________ VLAN for management hosts and secure peripherals (payroll printer)
____________________ VLAN for administrative hosts
____________________ VLAN for support hosts
____________________ VLAN for high performance production workstations (stationary)
____________________ VLAN for mobile production hosts
____________________ VLAN for stadium to FilmCompany mobile access VPN
____________________ VLAN for network support
____________________ VLAN for peripherals for general use (printers, scanners)
____________________ VLAN for servers to support video services and storage
____________________ VLAN for stadium to FilmCompany video services VPN
____________________ VLAN for servers that are publicly accessible
____________________ VLAN for terminating unwanted or suspicious traffic
____________________ VLAN for undefined future services
____________________ Block of addresses required for the NAT pool for BR4
____________________ DSL link to the ISP
____________________ Addresses for the Frame Relay link to the stadium

Step 3: Tabulating the groupings
The new addressing design needs to be scalable to allow easy inclusion of future services, such as voice.
The current addressing scheme does not allow for managed growth. Correcting this scheme will mean that most devices will be placed on new VLANs and new subnets. In some cases, a device address may not be able to be changed; for example, some of the servers have software registered to their IP addresses. In such cases, the server VLAN will keep its current addressing even though it may not be consistent with the remaining addressing scheme. Other addresses that cannot be changed are the addresses used with the WAN links and the addresses for NAT pool used to access the Internet.
This table shows a possible grouping and addressing scheme. The number of hosts required for the FilmCompany branch office, including growth, has been determined. Assigning one subnet to each VLAN, the host count for each has been rounded up to the next logical network size supported by the binary patterns used in the subnet mask. Rounding up prevents underestimating the total number of host addresses required.

| VLAN number | Network name   | Number of host addresses | Predetermined network address | Description                                              |
|-------------|----------------|--------------------------|-------------------------------|----------------------------------------------------------|
| 1           | default        | 14                       |                               | Default VLAN for the Layer 2 devices                     |
| 10          | voice          | 254                      |                               | Voice VLAN to support Voice over IP                      |
| 20          | management     | 14                       |                               | Management hosts and secure peripherals (payroll printer)|
| 30          | administrative | 62                       |                               | Administrative hosts                                     |
| 40          | support        | 126                      |                               | Support hosts                                            |
| 50          | production     | 126                      |                               | High performance production workstations (stationary)    |
| 60          | mobile         | 62                       |                               | Mobile production hosts                                  |
| 70          | net_admin      | 14                       |                               | Network support                                          |
| 80          | servers        | 65534                    | 172.17.0.0 /16                | Servers to support video services and storage            |
| 90          | peripherals    | 62                       |                               | Peripherals for general use (printers, scanners)         |
| 100         | web_access     | 14                       |                               | VLAN for servers that are publicly accessible            |
| 120         | future         | 126                      |                               | VLAN for future services                                 |
| 999         | null           | 126                      |                               | VLAN for terminating unwanted or suspicious traffic      |
| NA          | NAT_pool       | 6                        | 209.165.200.224/29            | Addresses for NAT pool for BR4 or interface to ISP4      |
| NA          | DSL_Link       | 2                        | 192.0.2.40 /30                | DSL link to the ISP                                      |
| NA          | Frame_Link     | 2                        | 172.18.0.16/30                | Address of the FR link to the stadium                    |


Step 4: Determine the total number of hosts to be addressed
To determine the block of addresses to be used, count the number of hosts. To calculate the addresses, count only the hosts that will receive addresses from the new block. Use the information in the table in Step 3 to complete this chart to calculate the total number of hosts in the new FilmCompany network requiring addresses.
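As a worked example (added here, not part of the Cisco lab), the rounding from Step 3 and the host count from Step 4 in Python, using the host counts from the table above and excluding the rows that keep predetermined addresses; the 192.168.0.0/22 block is an assumed placeholder, since the lab does not state which new block is used.

```python
import ipaddress
import math

# Groupings from the Step 3 table: (VLAN, name, required usable hosts).
# Rows with a predetermined address (servers, NAT pool, DSL and Frame Relay
# links) keep their current addressing, so they are left out of the new block.
NEW_BLOCK_VLANS = [
    (1, "default", 14), (10, "voice", 254), (20, "management", 14),
    (30, "administrative", 62), (40, "support", 126), (50, "production", 126),
    (60, "mobile", 62), (70, "net_admin", 14), (90, "peripherals", 62),
    (100, "web_access", 14), (120, "future", 126), (999, "null", 126),
]

def prefix_for_hosts(hosts):
    """Round a host count up to the next subnet size: the smallest prefix whose
    usable addresses (2^h - 2, excluding network and broadcast) cover it."""
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits

def usable_hosts(prefix):
    return 2 ** (32 - prefix) - 2

def total_new_hosts(vlans=NEW_BLOCK_VLANS):
    """Step 4: usable addresses the new block must supply, after rounding."""
    return sum(usable_hosts(prefix_for_hosts(h)) for _, _, h in vlans)

def _carve(net, prefix):
    """Split `net` in halves until a /prefix is reached; keep the other halves."""
    leftovers = []
    while net.prefixlen < prefix:
        net, other = net.subnets(prefixlen_diff=1)
        leftovers.append(other)
    return net, leftovers

def allocate(block, vlans=NEW_BLOCK_VLANS):
    """VLSM plan: one subnet per VLAN, largest first so every subnet is aligned.
    Returns ({vlan: (name, network)}, unused ranges); raises if the block is too small."""
    free = [ipaddress.ip_network(block)]
    plan = {}
    for vlan, name, hosts in sorted(vlans, key=lambda v: -v[2]):
        prefix = prefix_for_hosts(hosts)
        fits = [n for n in free if n.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"block {block} too small at VLAN {vlan} ({name})")
        best = max(fits, key=lambda n: n.prefixlen)  # best fit limits waste
        free.remove(best)
        subnet, rest = _carve(best, prefix)
        free.extend(rest)
        plan[vlan] = (name, subnet)
    return plan, free

if __name__ == "__main__":
    plan, free = allocate("192.168.0.0/22")  # constructed placeholder block
    for vlan, (name, net) in sorted(plan.items()):
        print(f"VLAN {vlan:>3} {name:<15} {net} ({usable_hosts(net.prefixlen)} hosts)")
    print("total hosts:", total_new_hosts(), "unused:", free)
```

With these host counts the twelve subnets consume exactly 1024 addresses, so a /22 is the smallest block that fits with nothing left over.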

Reflection / Challenge
This lab provided a step-by-step process for determining an addressing scheme for a corporate network.
Discuss and consider the issues that would arise if this planning process was not methodically used.
