Network Infrastructure Upgrade

SystemAdminNet
Level 1

Dear Senior Fellows

Good Morning

I am a system-side person but I have experience in networks too; now I have an opportunity to handle a large network from scratch. This is an educational institute; the previous network person just left the job and I joined. I surveyed the whole setup and found lots of issues. I will discuss my findings and suggested solution; please help me in this regard, it is a great honor for me.

Current Setup Findings

Main Site Nodes

Department-1=40

Department-2=100

Department-3=70

Department-4=120

Department-5=50

Department-6=60

Department-7=200

Department-8=50

Department-9=60

Department-10=50

Total=800

Remote Site-1 Nodes

Department-1=30

Department-2=70

Total=100

Remote Site-2 Nodes

Department-1=40

Department-2=30

Total=70

Remote Site-3 Nodes

Department-1=50

Department-2=30

Total=80

Grand Total=1050 Nodes

Now here is a picture of my computers/nodes. All three sites are connected with a 2 MB link. All major departments have a Cisco 2900 switch for connectivity; further, some departments have their own switches, like Allied Telesis and D-Link, for further segregation. In the server room we have Cisco layer three 3700 Catalyst and 3500 Catalyst switches, but they are just working as layer 2 devices; all connections from departments are just dropped into these switches. We have a PIX-525 firewall which is not in use because it does not have a DMZ interface (my staff told me). No central IP scheme is defined, e.g. some departments are on 192.168.x.x, some on 172.16.x.x and some on the 10.x.x.x network, and they get their service from a Linux Squid server, which is a multi-homed computer: one interface has a public IP and the other has all these IP ranges given to interconnect all these schemes … So lots of traffic, broadcasts, collisions happening, IP conflicts. Even people are allowed public IPs because the public and private networks drop on the same switch. Sometimes public IPs give IP conflicts because someone tries to give a public IP to his computer to get fast access to the internet. This is like a pathetic condition. NO VLANs. We have services like EMAIL, DNS, WEB, PORTAL .. They are all given public IPs. Remote sites are also getting internet from the main site via the 2 MB link; I think it is good bandwidth for these users but there are lots of complaints of network connectivity and slow internet.

Solution

The above-mentioned condition is very sad, but I have to fix all this, but I need proper advice from you people. My plans are like:

1. Proper new IP scheme
2. Define VLANs on departmental level
3. Inter-VLAN routing between VLANs through layer three switches
4. Redesign LAN topology
5. Server room re-infrastructure of switches/router/PIX

First of all I want to design a new IP scheme, like:

Main site          = 192.168.100.X

Department-1= 192.168.110.X

Department-2= 192.168.120.X

Department-3= 192.168.130.X

Department-4= 192.168.140.X

Department-5= 192.168.150.X

Department-6= 192.168.160.X

Department-7= 192.168.170.X

Department-8= 192.168.180.X

Department-9= 192.168.190.X

Department-10= 192.168.191.X

Site-1               = 12.168.200.X

Department-1= 192.168.201.X

Department-2= 192.168.202.X

Site-2               = 192.168.210.X

Department-1= 192.168.211.X

Department-2= 192.168.212.X

Site-3               = 192.168.220.X

Department-1= 192.168.221.X

Department-2= 192.168.222.X

Please convey the best possible solution, step-wise or complete.

Thanks

Jey

1 Accepted Solution (burleyman's reply, shown in the thread below)

9 Replies

Ganesh Hariharan
VIP Alumni

Hi Jey,

The approach is good: divide the IP scheme for each and every department and create separate VLANs in the switches to segregate the VLAN traffic to the same domain. If you have an L3 switch then there is no issue for inter-VLAN routing, or you can achieve it via a router port using a trunk on the router port and sub-interfaces on the port for inter-VLAN routing, and I would suggest you also configure the PIX firewall so that all the traffic which will go outside the network or traffic coming inside the network will go via the firewall.

Regards

Ganesh.H

burleyman
Level 8

Jey,

We have taken this type of approach and it seems to work well and it is easy to isolate issues. While there are many ways to do this, and some better than others, this is what works for us.

Infrastructure IP Addressing

  • The first octet, 10., is just the class A private IP address block we chose for our network.
  • The second octet, 10.X., designates which site or office the IP address range is assigned to.
    1. Site 1 – 10.1.0.0
    2. Site 2 – 10.2.0.0
    3. Site 3 – 10.3.0.0
    4. Site 4 – 10.4.0.0
    5. And so on

  • The third octet, 10.X.X., designates the VLAN the IP address is a part of.
    1. VLAN 2 is network equipment (routers, Riverbeds, switches, etc.)
    2. VLAN 3 is servers
    3. VLAN 5 is printers
    4. Desktop and laptop VLANs are assigned based on floor. We add 100 to the floor number and get the VLAN ID from that; for example, the third octet for New York’s 18th floor would be 118, so a user would be 10.15.118.X. Or you can do this based on department.
    5. VoIP VLANs are assigned based on floor like the desktops and laptops, except we add 200 to the floor number (so that means no floors over 255 … :-) ). Again this can be done by department.

  • The fourth octet, 10.X.X.X, is assigned manually or by DHCP depending on the type of equipment.

Here are some examples:

    1. 10.1.3.55 – this is a server in Site 1 in VLAN 3 and it is named Site55 based on the last octet. Note: servers are the only ones where the last octet means anything, and we name the server so it matches the last octet.
    2. 10.2.118.54 – this is a workstation in Site 2 on the 18th floor in VLAN 118.
    3. 10.2.218.64 – this is a VoIP phone in Site 2 on the 18th floor in VLAN 218.
    4. 10.4.5.20 – this is a printer in Site 4 in VLAN 5.
    5. 10.3.2.1 – this is a piece of network gear in Site 3 and is in VLAN 2.

Hope this helps. Please rate helpful posts.

Mike

Thanks to all for replying, especially Mr. Burleyman.

So I changed my plan according to your suggestion, and this is what I get:

Main-HQ         10.110.x.x

Site-1               10.120.x.x

Site-2               10.130.x.x

Site-3               10.140.x.x


In Main- HQ

10.110.1.x       VLAN 1          Network equipment (routers, switches, etc.)

10.110.5.x       VLAN 5          Servers(DNS,ADC,Proxy,DHCP………)

10.110.10.x     VLAN10         Department-1

10.110.20.x     VLAN20         Department-2

10.110.30.x     VLAN30         Department-3

10.110.40.x     VLAN40         Department-4

10.110.50.x     VLAN50         Department-5

10.110.60.x     VLAN60         Department-6

10.110.70.x     VLAN70         Department-7

10.110.80.x     VLAN80         Department-8

10.110.90.x     VLAN90         Department-9

10.110.100.x   VLAN100       Department-10

In SITE-1

10.120.1.x       VLAN 1          Network equipment (routers, switches, etc.)

10.120.5.x       VLAN 5          Servers(DNS,ADC,Proxy,DHCP………)

10.120.10.x     VLAN10         Department-1

10.120.20.x     VLAN20         Department-2

Now the problem is: should I set a VLAN on a switch basis or building/department-wise? I am a little confused here. Some departments have like 5 switches, some have 1, some have 10, and the major issue for me is that some departments are taking cables from other departments, so how will the VLAN design work? Please guide me in VLAN designing too. I studied VLANs and configured them in a lab environment, but not in a huge network. Please help.
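The addressing scheme above (site in the second octet, VLAN id in the third, as burleyman suggested and as Jey's revised plan applies it) is regular enough to be checked by a script. The following is an added example, not code from the thread or from Cisco: it builds the full site/VLAN subnet table from Jey's revised plan, refuses overlapping subnets, decodes any address back into site, VLAN and role, and checks the main-site department node counts from the first post against the 253 host addresses a /24 leaves after the network, broadcast and gateway addresses. The site octets, VLAN table and node counts are taken from the thread; the 20% and 30% growth headroom values are assumptions.

```python
"""Subnet planner for a site/VLAN-structured 10.x.x.x scheme (added example)."""
from ipaddress import IPv4Address, IPv4Network

# Second octet per site, following Jey's revised plan (constructed table).
SITES = {"Main-HQ": 110, "Site-1": 120, "Site-2": 130, "Site-3": 140}

# VLAN id -> role; the third octet equals the VLAN id, as burleyman suggested.
VLANS = {1: "Network equipment", 5: "Servers",
         10: "Department-1", 20: "Department-2", 30: "Department-3",
         40: "Department-4", 50: "Department-5", 60: "Department-6",
         70: "Department-7", 80: "Department-8", 90: "Department-9",
         100: "Department-10"}

# Main-site node counts per department, taken from the first post.
HQ_NODES = {"Department-1": 40, "Department-2": 100, "Department-3": 70,
            "Department-4": 120, "Department-5": 50, "Department-6": 60,
            "Department-7": 200, "Department-8": 50, "Department-9": 60,
            "Department-10": 50}


def subnet_for(site, vlan, sites=SITES):
    """10.<site octet>.<vlan>.0/24 for one site and VLAN."""
    if not 1 <= vlan <= 255:
        raise ValueError(f"VLAN {vlan} does not fit in the third octet")
    return IPv4Network(f"10.{sites[site]}.{vlan}.0/24")


def build_plan(sites=SITES, vlans=VLANS):
    """Every (site, vlan) -> subnet, refusing the plan if any two overlap."""
    plan = {}
    for site in sites:
        for vlan in vlans:
            net = subnet_for(site, vlan, sites)
            clash = next((o for o in plan.values() if net.overlaps(o)), None)
            if clash is not None:
                raise ValueError(f"{net} overlaps {clash}")
            plan[(site, vlan)] = net
    return plan


def decode(addr, sites=SITES, vlans=VLANS):
    """Read site, VLAN and role straight off the octets of an address."""
    first, site_octet, vlan, host = IPv4Address(addr).packed
    if first != 10:
        raise ValueError(f"{addr} is outside the 10.0.0.0/8 plan")
    site = next((s for s, octet in sites.items() if octet == site_octet), None)
    if site is None:
        raise ValueError(f"no site is assigned second octet {site_octet}")
    return {"site": site, "vlan": vlan,
            "role": vlans.get(vlan, "unassigned"), "host": host}


def over_capacity(nodes=HQ_NODES, vlans=VLANS, headroom=0.2):
    """Departments whose node count plus growth headroom exceeds one /24.

    A /24 leaves 254 host addresses; one more goes to the SVI (default
    gateway), so 253 remain for nodes, printers and anything else in the VLAN.
    """
    usable = IPv4Network("10.0.0.0/24").num_addresses - 2 - 1
    by_role = {role: vlan for vlan, role in vlans.items()}
    return sorted(dept for dept, count in nodes.items()
                  if dept in by_role and count * (1 + headroom) > usable)


if __name__ == "__main__":
    plan = build_plan()
    print(f"{len(plan)} subnets, e.g. {plan[('Site-1', 20)]}")
    print(decode("10.120.20.37"))
    print("too big for a /24 at 30% growth:", over_capacity(headroom=0.3))
```

With the thread's numbers, every department fits a /24 at 20% growth, but Department-7 (200 nodes) no longer fits at 30%, which is the kind of check worth running before the VLAN ids are fixed. One caveat a practitioner would add to the revised plan: VLAN 1 is the default VLAN on every switch port, so putting management on it means any unconfigured port lands in the management network; a dedicated management VLAN id avoids that.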

Hi,

If you have L2 devices at your access layer, configure your VLANs in the distribution switch by department. You will then have a trunk from the distribution to the access switches. I would advise you to use a hierarchical approach to connect your switches. If possible, use redundant links using spanning tree. You can also configure some security controls by allowing specific VLANs in the trunks. Use VTP to propagate your VLAN information to the rest of the switches. This will help, for example, where you might end up having departments sharing a switch, so you won't even have to worry which department uses which switch. Depending on the size of the branches, you can use a similar approach for your branches. If you are using L3 devices, the approach might be different as you might need to route locally.

Regards,

I am not extremely well versed in design, but your setup depends on many things. What are your security requirements? Do you restrict one department from accessing certain things, like servers, Internet, etc.? Emmanuel is correct in his statement.

Mike

Jey,

Take a look at these design documents as they may help.

http://www.cisco.com/en/US/docs/internetworking/design/guide/nd2012.html

Thanks for the rating...

Hope this helps. Please rate helpful post.

Mike

I am still confused here about department-level VLANs. I have attached the current network structure diagram; here some departments are behind 5 intermediate switches, so I have to configure trunks on all intermediate switches and allow different VLANs for different departments manually. I am thinking to do it manually rather than DTP, and not to use VTP also. But please see my diagram and guide accordingly.

Regards

Jey

Hi Jey,

Yes, you need to configure trunks between the switches in order for the VLANs to communicate with the upper layer, and as per your diagram I would also recommend, as this is a mid-range switching environment, that you also secure your ports in the lower layer which are directly connected to end users, in order to avoid switch loops in your network.

Use PortFast with the BPDU guard and root guard features in the switches to avoid intrusion of switches into your network, and also prune the unwanted VLANs flowing over the trunks using VLAN pruning to avoid unnecessary traffic floating over the network.

Hope to help

Regards

Ganesh.H

I have read that it is best practice to keep VLANs restricted to a single access-layer switch, but I think that might be too difficult in real life. I would assign your VLANs per department and, where you require multiple VLANs on the same switch, set up trunking. I have always been hesitant to deploy VTP, and in your case, where some departments are inter-connected, it would probably be best to avoid it and maintain good documentation.
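Jey's worry about departments sitting five switches deep, Ganesh's advice to prune unwanted VLANs from the trunks and secure user ports, and the suggestion above to trunk manually without VTP all come down to one bookkeeping task: for every trunk link, work out which VLANs actually have access ports somewhere below it, and allow only those. The script below is an added example, not code from the thread or from Cisco. It models a constructed switch tree (the names SW-A, SW-A1 … and DIST are assumptions, as is the single-uplink, loop-free topology), walks each switch's path up to the L3 distribution switch to collect the VLANs each link must carry, and renders the matching IOS trunk and access-port lines. The interface names in the rendered output are placeholders.

```python
"""Minimal allowed-VLAN list per trunk for a tree of switches (added example)."""

MGMT_VLAN = 1  # management VLAN carried on every trunk (Jey's plan)

# Constructed topology: switch -> its uplink switch. "DIST" is the L3
# distribution switch that hosts the SVIs; SW-A3 sits three switches deep.
UPLINKS = {
    "SW-A": "DIST", "SW-B": "DIST",
    "SW-A1": "SW-A", "SW-A2": "SW-A1", "SW-A3": "SW-A2",
    "SW-B1": "SW-B",
}

# VLANs that have access ports on each switch. A switch may host several
# departments and a department may span several switches, as in the thread.
ACCESS_VLANS = {
    "SW-A": {10}, "SW-A1": {10, 20}, "SW-A2": {20}, "SW-A3": {30},
    "SW-B": {40, 50}, "SW-B1": {50},
}


def path_to_root(switch, uplinks=UPLINKS, root="DIST"):
    """Links (child, parent) from a switch up to the distribution switch."""
    links, seen = [], set()
    while switch != root:
        if switch in seen or switch not in uplinks:
            raise ValueError(f"{switch} has no loop-free path to {root}")
        seen.add(switch)
        parent = uplinks[switch]
        links.append((switch, parent))
        switch = parent
    return links


def trunk_vlans(uplinks=UPLINKS, access=ACCESS_VLANS, mgmt=MGMT_VLAN):
    """Per link, only the management VLAN plus VLANs with ports below it."""
    allowed = {(child, parent): {mgmt} for child, parent in uplinks.items()}
    for switch, vlans in access.items():
        for link in path_to_root(switch, uplinks):
            allowed[link] |= vlans
    return {link: sorted(v) for link, v in allowed.items()}


def render_trunk(iface, vlans):
    """IOS lines for a manually configured 802.1Q trunk with DTP disabled."""
    vlan_list = ",".join(str(v) for v in vlans)
    return [f"interface {iface}",
            # Needed on switches that also support ISL (e.g. 3550/3560);
            # switches that only do 802.1Q reject the line, so drop it there.
            " switchport trunk encapsulation dot1q",
            " switchport mode trunk",
            " switchport nonegotiate",
            f" switchport trunk allowed vlan {vlan_list}"]


def render_access(iface, vlan):
    """IOS lines for a user-facing port: PortFast plus BPDU guard."""
    return [f"interface {iface}",
            " switchport mode access",
            f" switchport access vlan {vlan}",
            " spanning-tree portfast",
            " spanning-tree bpduguard enable"]


if __name__ == "__main__":
    for (child, parent), vlans in sorted(trunk_vlans().items()):
        print(f"! {child} -> {parent}")
        print("\n".join(render_trunk("GigabitEthernet0/1", vlans)))
    print("\n".join(render_access("FastEthernet0/5", 30)))
```

The allowed list shrinks as you move away from the distribution switch: the SW-A uplink carries VLANs 1, 10, 20 and 30, while the link down to SW-A3 carries only 1 and 30, so a department's broadcast traffic never reaches switches that have none of its ports. If redundant links are added as Emmanuel suggests, run the same calculation over the spanning-tree active topology, or allow the union on both links of a pair so a failover does not cut a department off.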
