Network Infrastructure Upgrade

Answered Question
Jan 21st, 2010

Dear Senior Fellows

Good Morning

I am a system-side person but I have experience in networks too, and now I have an opportunity to handle a large network from scratch. This is an educational institute; the previous network person just left the job and I joined. I surveyed the whole setup and found lots of issues. I will discuss my findings and suggested solution; please help me in this regard. It is a great honor for me.

Current Setup Findings

Main Site Nodes

Department-1=40

Department-2=100

Department-3=70

Department-4=120

Department-5=50

Department-6=60

Department-7=200

Department-8=50

Department-9=60

Department-10=50

Total=800


Remote Site-1 Nodes

Department-1=30

Department-2=70

Total=100


Remote Site-2 Nodes

Department-1=40

Department-2=30

Total=70


Remote Site-3 Nodes

Department-1=50

Department-2=30

Total=80

Grand Total=1050 Nodes

Now that is a picture of my computers/nodes. All three sites are connected with a 2 MB link. All major departments have a Cisco 2900 switch for connectivity; further, some departments have their own, like Allied Telesyn and D-Link, for further segregation. In the server room we have Cisco layer three 3700 Catalyst and 3500 Catalyst switches, but they are just working as layer 2 devices; all connections from the departments are just dropped into these switches. We have a PIX-525 firewall which is not in use because it does not have a DMZ interface (my staff told me).

No central IP scheme is defined, e.g. some departments are on 192.168.x.x, some on 172.16.x.x and some on the 10.x.x.x network, and they get their service from a Linux Squid server, which is a multi-homed computer: one interface has a public IP and the other has all these IP ranges, given to interconnect all these schemes ... So there is lots of traffic, broadcasts, collisions happening, IP conflicts. People are even allowed public IPs, because the public and private networks drop on the same switch; sometimes a public IP gave IP conflicts because someone tried to give a public IP to his computer to get fast access to the Internet. This is like a pathetic condition: NO VLANs. We have services like EMAIL, DNS, WEB, PORTAL ... They are all given public IPs. Remote sites are also getting Internet from the main site via the 2 MB link. I think it is good bandwidth for these users, but there are lots of complaints of network connectivity and slow Internet.

Solution

The above-mentioned condition is very sad, but I have to fix all this, and I need proper advice from you people. My plans are like:

1-Proper New IP scheme

2-Define VLAN’s On departmental Level

3-Intervlan routing between VLAN through layer three switches

4-Redesign LAN topology

5-ServerRoom Re Infrastructure of switches /router/pix


First of all I want to design new IP scheme, like

Main site          = 192.168.100.X

Department-1= 192.168.110.X

Department-2= 192.168.120.X

Department-3= 192.168.130.X

Department-4= 192.168.140.X

Department-5= 192.168.150.X

Department-6= 192.168.160.X

Department-7= 192.168.170.X

Department-8= 192.168.180.X

Department-9= 192.168.190.X

Department-10= 192.168.191.X


Site-1               = 192.168.200.X

Department-1= 192.168.201.X

Department-2= 192.168.202.X

Site-2               = 192.168.210.X

Department-1= 192.168.211.X

Department-2= 192.168.212.X


Site-3               = 192.168.220.X

Department-1= 192.168.221.X

Department-2= 192.168.222.X


Please convey the best possible solution, step-wise or complete.


Thanks

Jey

Correct Answer by burleyman, Thu, 01/21/2010 - 06:27

Jey,


We have taken this type of approach and it seems to work well and makes it easy to isolate issues. While there are many ways to do this, and some better than others, this is what works for us.


Infrastructure IP Addressing

  • The first octet, 10., is just the class A private IP address block we chose for our network.
  • The second octet, 10.X., is to designate which site or office the IP address range is assigned to.
    1. Site 1– 10.1.0.0
    2. Site 2 – 10.2.0.0
    3. Site 3 – 10.3.0.0
    4. Site 4 – 10.4.0.0
    5. And so on

  • The third octet, 10.X.X., is to designate the VLAN the IP address is a part of.
    1. VLAN 2 is Network equipment (routers, Riverbeds, switches, etc.)
    2. VLAN 3 is Servers
    3. VLAN 5 is Printers
    4. Desktop and Laptop VLANs are assigned based on floor. We add 100 to the floor number and we get the VLAN ID from that; for example, the third octet for New York’s 18th floor would be 118, so a user would be 10.15.118.X. Or you can do this based on department.
    5. VoIP VLANs are assigned based on floor like the Desktops and Laptops, except we add 200 to the floor number (so that means no floors over 255 :) ). Again, this can be done by department.

  • The fourth octet, 10.X.X.X, is assigned manually or by DHCP depending on the type of equipment.

Here are some examples:

    1. 10.1.3.55 – this is a server in Site 1 in VLAN 3, and it is named from the last octet (Site55). Note: servers are the only ones where the last octet means anything, and we name the server so it matches the last octet.
    2. 10.2.118.54 – This is a workstation in Site 2 on the 18th floor in VLAN 118.
    3. 10.2.218.64 – This is a VoIP phone in Site 2 on the 18th floor in VLAN 218.
    4. 10.4.5.20 – This is a printer in Site 4 in VLAN 5.
    5. 10.3.2.1 – This is a piece of network gear in Site 3 and is in VLAN 2.

    Hope this helps. Please rate helpful posts.

    Mike

    Ganesh Hariharan Thu, 01/21/2010 - 04:17



    Hi Jey,


    The approach is good: divide the IP scheme for each and every department and create separate VLANs in the switches to segregate the VLAN traffic into its own domain. If you have an L3 switch then there is no issue for inter-VLAN routing, or you can achieve it via a router port, using a trunk on the router port and sub-interfaces on that port for inter-VLAN routing. I would also suggest you configure the PIX firewall so that all the traffic which goes outside the network, or comes inside the network, passes via the firewall.


    Regards

    Ganesh.H
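Ganesh's point about putting the PIX back in the path, written out as an added configuration example that is not from this thread. It uses PIX OS 6.x syntax and the two-interface layout the question describes, and every address in it is a placeholder: 203.0.113.0/29 stands in for the site's public block, 10.110.254.0/30 is a transit subnet between the PIX and the server-room layer 3 switch, 10.110.5.0/24 is a server VLAN following the 10.site.vlan.host layout Mike describes, and the web server, mail/DNS server, Squid proxy and syslog host are assumed to sit at .20, .25, .30 and .40 of it. Outbound traffic from the private ranges is hidden behind the outside address, only the published servers get a static mapping and only their ports are opened from outside, and the inside access list makes the user VLANs reach the Internet through Squid instead of directly.

```cisco
! --- PIX-525, two-interface layout, PIX OS 6.x syntax (added example) ---
! Placeholders: 203.0.113.0/29 = public block, 10.110.254.0/30 = transit
! subnet to the core switch, 10.110.5.0/24 = server VLAN (web .20,
! mail/DNS .25, Squid proxy .30, syslog .40).
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.110.254.1 255.255.255.252
!
! Default route to the ISP; every 10.x network is behind the core switch
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.110.254.2 1
!
! Outbound: all private ranges are translated to the outside address.
! A desktop that helps itself to a public IP matches no translation
! and gets nothing through the firewall.
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 interface
!
! Inbound: one public address per published service, mapped to the
! server's private address; only the service ports are opened.
static (inside,outside) 203.0.113.3 10.110.5.20 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.4 10.110.5.25 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit tcp any host 203.0.113.3 eq https
access-list outside_in permit tcp any host 203.0.113.4 eq smtp
access-list outside_in permit udp any host 203.0.113.4 eq domain
access-list outside_in permit tcp any host 203.0.113.4 eq domain
access-list outside_in deny ip any any
access-group outside_in in interface outside
!
! Inside to outside: only the proxy and the mail/DNS server may talk
! to the Internet directly; every user VLAN has to go through Squid.
access-list inside_out permit tcp host 10.110.5.30 any eq www
access-list inside_out permit tcp host 10.110.5.30 any eq https
access-list inside_out permit tcp host 10.110.5.25 any eq smtp
access-list inside_out permit udp host 10.110.5.25 any eq domain
access-list inside_out permit tcp host 10.110.5.25 any eq domain
access-list inside_out deny ip any any
access-group inside_out in interface inside
!
! Ship the log to a syslog host on the server VLAN (address assumed)
logging on
logging trap informational
logging host inside 10.110.5.40
```

With this in place the public and private networks no longer share a switch port: the only public addresses that exist inside are the statics, and a desktop configured with a public IP simply stops working. `show xlate` should show one entry per published server plus the outbound PAT entries, and `show access-list` hit counters tell you whether anything is still trying to leave without going through the proxy. If a third interface is fitted later, the published servers are the candidates to move onto it as a DMZ; the statics and the outside_in list then just change interface.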


      SystemAdminNet Thu, 01/21/2010 - 22:50

      Thanks to all for replying, especially Mr. Burleyman.

      So I changed my plan according to your suggestion, and this is what I got:


      Main-HQ         10.110.x.x

      Site-1               10.120.x.x

      Site-2               10.130.x.x

      Site-3               10.140.x.x


      In Main- HQ

      10.110.1.x       VLAN 1          Network equipment (routers, switches, etc.)

      10.110.5.x       VLAN 5          Servers(DNS,ADC,Proxy,DHCP………)

      10.110.10.x     VLAN10         Department-1

      10.110.20.x     VLAN20         Department-2

      10.110.30.x     VLAN30         Department-3

      10.110.40.x     VLAN40         Department-4

      10.110.50.x     VLAN50         Department-5

      10.110.60.x     VLAN60         Department-6

      10.110.70.x     VLAN70         Department-7

      10.110.80.x     VLAN80         Department-8

      10.110.90.x     VLAN90         Department-9

      10.110.100.x   VLAN100       Department-10

      In SITE-1

      10.120.1.x       VLAN 1          Network equipment (routers, switches, etc.)

      10.120.5.x       VLAN 5          Servers(DNS,ADC,Proxy,DHCP………)

      10.120.10.x     VLAN10         Department-1

      10.120.20.x     VLAN20         Department-2

      Now the problem is whether I should set up VLANs switch-based or building/department-wise; I am a little confused here. Some departments have like 5 switches, some have 1, some have 10, and the major issue for me is that some departments are taking cables from other departments, so how will the VLAN design work? Please guide me in VLAN design too. I have studied VLANs and configured them in a lab environment, but not in a huge network. Please help.
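Jey's revised plan as it would land on the server-room layer 3 Catalyst, written as an added IOS configuration example rather than anything posted in the thread. It assumes the switch runs `ip routing` (Ganesh's "if you have an L3 switch" case), that the interface names, the DHCP server address 10.110.5.10 and the transit VLAN 254 towards the PIX are placeholders, and it departs from the plan in one respect: management goes on an assumed VLAN 2, as in Mike's layout, instead of VLAN 1, because VLAN 1 is the default access VLAN and the default native VLAN on every Catalyst port and so cannot be kept away from user ports. Only two department VLANs are shown; the others follow the same pattern.

```cisco
! --- HQ server-room Catalyst acting as the layer 3 core (added example) ---
hostname HQ-CORE
!
vtp mode transparent
ip routing
!
! VLAN IDs follow Jey's plan; VLAN 2 (management), VLAN 254 (transit to
! the PIX inside interface) and VLAN 999 (unused parking/native VLAN)
! are assumptions added here.
vlan 2
 name MGMT
vlan 5
 name SERVERS
vlan 10
 name DEPT-1
vlan 20
 name DEPT-2
vlan 254
 name FW-TRANSIT
vlan 999
 name PARKING
!
! This switch is the spanning-tree root for every VLAN
spanning-tree vlan 1-4094 root primary
!
interface Vlan2
 description Management: switches, PIX, proxy management
 ip address 10.110.2.1 255.255.255.0
!
interface Vlan5
 description Servers (DNS, ADC, Proxy, DHCP)
 ip address 10.110.5.1 255.255.255.0
!
interface Vlan10
 description Department-1
 ip address 10.110.10.1 255.255.255.0
 ip helper-address 10.110.5.10
 ip access-group DEPT-OUT in
!
interface Vlan20
 description Department-2
 ip address 10.110.20.1 255.255.255.0
 ip helper-address 10.110.5.10
 ip access-group DEPT-OUT in
! Vlan30 .. Vlan100 for Department-3 .. Department-10 follow the same pattern
!
interface Vlan254
 description Transit to PIX-525 inside
 ip address 10.110.254.2 255.255.255.252
!
! Inbound on every department SVI: DHCP relay, the server VLAN and
! everything outside HQ (remote sites, Internet) are allowed; the
! management subnet and the other HQ departments are not.
ip access-list extended DEPT-OUT
 permit udp any eq bootpc any eq bootps
 permit ip any 10.110.5.0 0.0.0.255
 deny   ip any 10.110.2.0 0.0.0.255 log
 deny   ip any 10.110.0.0 0.0.255.255
 permit ip any any
!
ip route 0.0.0.0 0.0.0.0 10.110.254.1
! Static routes for 10.120.0.0/16, 10.130.0.0/16 and 10.140.0.0/16 point
! at the router terminating the 2 MB links (not shown)
!
! Port towards the PIX: plain access port in the transit VLAN
interface GigabitEthernet1/0/1
 description PIX-525 inside
 switchport mode access
 switchport access vlan 254
!
! Trunk to a department access switch: explicit trunk, DTP off, only
! the VLANs that closet needs, native VLAN parked, root guard so no
! downstream switch can take over the root role
interface GigabitEthernet1/0/2
 description trunk to DEPT-1 access switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,10
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
```

The DEPT-OUT list is where the security requirement Mike asks about gets encoded: as written, a department reaches the servers, the remote sites and the Internet, but not the management subnet or another HQ department. Because the list is applied inbound on the SVI it also covers traffic addressed to the gateway itself, so add a permit for the SVI address per VLAN if users are expected to ping it. `show ip access-lists DEPT-OUT` shows which line is doing the work, and `show ip route` should list one connected /24 per SVI plus the default towards the PIX.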

      emmanuel.shoroma Fri, 01/22/2010 - 00:03

      Hi,


      If you have L2 devices at your access layer, configure your VLANs on the distribution switch by department. You will then have a trunk from the distribution to the access switches. I would advise you to use a hierarchical approach to connect your switches. If possible, use redundant links with spanning tree. You can also configure some security controls by allowing only specific VLANs on the trunks. Use VTP to propagate your VLAN information to the rest of the switches; this will help, for example, where you might end up having departments sharing a switch, so you won't even have to worry about which department uses which switch. Depending on the size of the branches, you can use a similar approach for your branches. If you are using L3 devices, the approach might be different as you might need to route locally.


      Regards,

      burleyman Fri, 01/22/2010 - 04:45

      I am not extremely well versed in design, but your setup depends on many things. What are your security requirements? Do you restrict one department from accessing certain things, like servers, Internet, etc.? Emmanuel is correct in his statement.


      Mike

      SystemAdminNet Sun, 01/24/2010 - 03:40

      I am still confused here about department-level VLANs. I have attached the current network structure diagram; here some departments are behind 5 intermediate switches, so I have to configure trunks on all intermediate switches and allow different VLANs for different departments manually. I am thinking of doing it manually rather than with DTP, and not using VTP either. But please see my diagram and guide accordingly.


      Regards

      Jey

      Ganesh Hariharan Sun, 01/24/2010 - 05:37

      Hi Jey,


      Yes, you need to configure trunks between the switches in order for the VLANs to communicate with the upper layer, and as per your diagram, since this is a mid-range switching environment, I would also recommend that you secure the ports in the lower layer which are directly connected to end users, in order to avoid switch loops in your network.


      Use PortFast with the BPDU Guard and Root Guard features in the switches to avoid intrusion of switches into your network, and also prune the unwanted VLANs from flowing over the trunk, using VLAN pruning, to avoid unnecessary traffic floating over the network.


      Hope this helps.


      Regards

      Ganesh.H

      Robert Juric Sat, 01/23/2010 - 07:10

      I have read that it is best practice to keep VLANs restricted to a single access-layer switch, but I think that might be too difficult in real life. I would assign your VLANs per department and, where you require multiple VLANs on the same switch, set up trunking. I have always been hesitant to deploy VTP, and in your case, where some departments are inter-connected, it would probably be best to avoid it and maintain good documentation.
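The access-layer side of the advice from Emmanuel, Ganesh and Robert, as an added example that is not from the thread: VLANs defined locally with VTP in transparent mode and no DTP (Jey's stated preference), trunks that carry only the VLANs the closet needs, PortFast with BPDU Guard on user ports, Root Guard on the downlink to the next switch in a department's chain, port security on user ports, and unused ports parked. Syntax is for an IOS-based Catalyst with FastEthernet ports; the port numbers, VLAN 2 for management and VLAN 999 as the parking/native VLAN are assumptions. Platforms that also support ISL need `switchport trunk encapsulation dot1q` before `switchport mode trunk`, and each command should be checked against the release running on the older 2900-series units before it is pasted in.

```cisco
! --- Department access switch, IOS-based Catalyst (added example) ---
hostname DEPT-1-ACCESS-1
!
! VLANs are defined locally and documented; VTP never changes them
vtp mode transparent
vlan 2
 name MGMT
vlan 10
 name DEPT-1
vlan 999
 name PARKING
!
! Management address in the management VLAN (VLAN 2 assumed), not VLAN 1
interface Vlan1
 shutdown
interface Vlan2
 ip address 10.110.2.11 255.255.255.0
 no shutdown
ip default-gateway 10.110.2.1
!
! Every non-trunk port is an edge port and is shut on the first BPDU it
! receives (a switch or hub someone plugged in); recovery after 5 minutes
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Uplink to the core: explicit trunk (no DTP), only the VLANs this
! closet needs, native VLAN parked so untagged frames cannot land in
! a user VLAN
interface FastEthernet0/24
 description uplink to HQ-CORE
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,10
!
! Downlink to the next switch in the department's chain: same trunk
! settings plus root guard, so that switch (or anything plugged in
! behind it) can never become the spanning-tree root
interface FastEthernet0/23
 description downlink to DEPT-1-ACCESS-2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,10
 spanning-tree guard root
!
! User ports: access only, one learned MAC, extra MACs dropped and
! logged rather than taking the port down
interface range FastEthernet0/1 - 20
 description Department-1 users
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: parked in the unused VLAN and shut
interface range FastEthernet0/21 - 22
 switchport mode access
 switchport access vlan 999
 shutdown
```

When a BPDU arrives on a user port the port goes err-disabled; `show interfaces status err-disabled` lists it, and with the recovery timer set it comes back after 300 seconds unless the offending switch is still attached. `show interfaces trunk` confirms the allowed and active VLAN lists on every uplink, and because VTP is transparent the VLAN table on each switch is exactly what the documentation for that switch says it is, which is what makes the "cables from other departments" case manageable: the intermediate switch simply carries both departments' VLANs on its trunks and nothing else.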
