I would like to ask for professionals' opinion. My task is to design a network for university building:
- 20 classrooms (21 PCs + WIFI)
- 15 staff offices (3 PCs + WIFI)
- 2 lecture theatres (1 PC + WIFI)
- 10 networked printers
There will be 450 concurrent users. There are supposed to be several VLANS for management and security purposes.
I am a beginner in this field so your help would be much appreciated!!
I would like to know if the server, router and firewall are at the right place. I guess the most confusing point for me is around the distribution switch. I was wondering if it, maybe, wouldn't be better to have the "Main server" connected to the dist. switch on a separate VLAN with a static IP on the server, and move the router on a stick above the firewall so the firewall can filter all of the VLAN traffic as well. But then I don't really know how the connection would work: do I just have two trunks, one coming from the dist. switch to the firewall and the second from the firewall to the router on a stick? But then the firewall wouldn't even have a physical address on the network, right?
I don't feel that confident with Packet Tracer for such a complex design yet, so I would just like to play around with it on paper for a while. The other thing that is unclear to me is how the DHCP will work in this scenario, to be able to assign IPs to the hosts on the various VLANs from the pools on the DHCP server. Is it enough to just have "ip helper" configured on the router on a stick to which my distribution switch is connected?
I accidentally forgot to put a VPN server in the design. Should I put it on the firewall server, or can it be together with the other servers? It will be accessed by students from their homes.
Thank you for the fast response, I hope what I am asking makes at least a bit of sense to a pro.
Before you can determine the most suitable approach to connect these devices, there are a number of things to consider:
Do you know the actual device types or models being proposed?
Is the distribution switch Layer2 only or Layer3 capable?
What are the access restrictions for this environment? Should all Vlans be able to communicate with each other?
What is the reason for the printer vlan connecting into the router and not the switch?
Do you have additional hardware available for this design?
1. Do you know the actual device types or models being proposed?
Is the distribution switch Layer2 only or Layer3 capable?
2. What are the access restrictions for this environment? Should all Vlans be able to communicate with each other?
3. What is the reason for the printer vlan connecting into the router and not the switch?
4. Do you have additional hardware available for this design?
1. L2 for now, but if your suggestion would be to swap it for L3 and get rid of the router on a stick, then I will accept it. As I said, I don't have the actual experience, so I don't really see the difference except cost.
2. All VLANs definitely won't communicate with each other. The printers will only be accessed through web app access to the print server. The lecturer computers on VLAN 3 also won't communicate with the other VLANs. Only if I moved the server to the distribution switch would they have to be able to access that. The students have to be able to access their user space on the FTP, so I guess none of the VLANs will communicate with each other.
Does having the router on a stick automatically mean that all the VLANs can communicate with each other? Or can that be restricted on the router?
3. I only found 48 port switches and the next closest port range was in the hundreds. If I had found a switch with ~60 ports then I'd plug each printer into the switch. Or maybe put a 16 port switch next to the dist. switch, connect the printers to it and then to the distribution switch so I only use up one port?
4. I will have redundant HW sitting in a closet. I am assuming that the chances of a potential failure are really low. Say, one device per year. So even if the distribution switch breaks the network admin can just walk over there, replug the cables to the spare switch and load up the same config in like 15 minutes, I guess? So I'll still meet the 99% availability no problem. I also didn't like the idea of having ~50 more cables coming in from the access switches to the redundant distribution switch.
You have many choices and could terminate your Layer3 vlans on the switch, router or firewall. However, based on your requirements I suggest terminating the vlans on the firewall. This gives you better control of which applications are permitted to communicate between vlans.
- If the firewall is controlling vlan access and there is no WAN connectivity required, then a router is not needed. Yes, you could control inter vlan communications on the router using access control lists, however these can quickly become messy and cumbersome to manage.
- Your distribution switch can be virtualised for redundancy and you can increase port density by stacking multiple switches together (like the Cisco 3750-X series switches)
- Create a new vlan for the Main Server.
- Connect all devices (except VPN) into the distribution switch.
- Trunk all the vlans from the distribution switch to the firewall.
- Ensure the firewall can relay DHCP messages.
- Use the firewall rule set to control which traffic can pass between vlans.
- Your VPN server would ideally connect to a DMZ subnet/switch directly off the firewall and not off the distribution switch.
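The following config fragment is an added illustration of the points above (trunking the VLANs, relaying DHCP with "ip helper-address", and restricting inter-VLAN traffic with ACLs). It is not from either poster. It assumes Cisco IOS syntax on a Layer 3 distribution switch, and the VLAN IDs, interface names and 10.x addresses are hypothetical; the DHCP server (10.40.0.10) and print server (10.40.0.20) are assumed to sit on the server VLAN. The last interface shows the dot1Q subinterface form you would use instead of the SVIs if the VLANs are terminated on a firewall or router behind a trunk.

```cisco
! Hypothetical example, Cisco IOS syntax. VLAN IDs and addresses are made up.
! --- Distribution switch as Layer 3 (e.g. a 3750-X stack) ---
! One trunk carries the user VLANs down to a classroom access switch;
! each PC then cables into that access switch, not into the distribution switch.
interface GigabitEthernet1/0/1
 description Trunk to classroom access switch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
! SVIs terminate the VLANs. "ip helper-address" turns the clients' DHCP
! broadcasts into unicast relays to the DHCP server on VLAN 40, so a single
! server with one pool per subnet can serve every VLAN.
interface Vlan10
 description Student classroom PCs (/22 leaves room for 450+ hosts)
 ip address 10.10.0.1 255.255.252.0
 ip helper-address 10.40.0.10
 ip access-group STUDENTS-IN in
!
interface Vlan30
 description Printers, reached only through the print server
 ip address 10.30.0.1 255.255.255.0
 ip access-group PRINTERS-IN in
!
interface Vlan40
 description Servers (main server, DHCP, print server)
 ip address 10.40.0.1 255.255.255.0
!
! Once a Layer 3 hop exists, every VLAN can reach every other VLAN unless
! something filters it. These ACLs allow DHCP, the FTP user space on the
! main server and Internet access, and drop the rest of the RFC1918 space.
ip access-list extended STUDENTS-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 10.10.0.0 0.0.3.255 host 10.40.0.10 eq 21
 deny   ip 10.10.0.0 0.0.3.255 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.3.255 any
!
ip access-list extended PRINTERS-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 10.30.0.0 0.0.0.255 host 10.40.0.20 established
 deny   ip any any
!
! --- Alternative: terminate the VLANs on a firewall/router instead ---
! Trunk from the distribution switch to the firewall; the firewall (or a
! router on a stick) owns the gateway address on each VLAN via a dot1Q
! subinterface and relays DHCP the same way. Use this INSTEAD of the SVIs above.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.252.0
 ip helper-address 10.40.0.10
```

Two caveats a practitioner would add: the switch ACLs are stateless, so anything beyond simple port filtering (passive FTP data connections, print server to printer sessions) needs per-direction rules and quickly becomes the "messy" rule set the answer warns about, which is the practical reason to terminate the VLANs on a stateful firewall; and the `permit udp ... bootpc ... bootps` lines are there because a DHCP DISCOVER arrives from 0.0.0.0 and would otherwise be caught by the deny rules on some platforms.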
Thanks a lot! I fixed it all and this is the last version. Can you please look at it? Not sure I got it all right...
- Do I understand it correctly that there is no need for a router at all? That all networks are connected using the firewall?
- Also, is it really much more secure to have a separate VPN in a DMZ, or can I have it as a part of the main server?
- If I have a virtualized switch (I hope you meant VSS) then it means that I will have twice as many wires (from the distribution switch to the access switches), right?
Yes, the logical layout is looking better. I just noticed that you have drawn access switches in the staff offices, classrooms and lecture rooms; if this is the case then you would not need to run multiple cables between the access switches and the distribution switches. You could run a pair of fiber or 1000-base-Tx cables (depending on what you have available) between the access switches and the distribution switch and then trunk across the relevant vlans. All workstations would then cable directly into the local access switch.

What brand and model of firewall are you intending to use? This may determine if a router is required.

You don't have to virtualise the distribution switch; I misunderstood why you were connecting the printers directly into the distribution switch. But if you want to provide redundancy and scale, then you can virtualise the distribution switch by either using a Cisco VSS (6500) or Cisco StackWise technology (3750-X) platform. If the number of printers is going to grow in the future then I would suggest using a separate access switch to cable the printers rather than terminating the connections on the distribution switch.

The VPN server is normally placed on a secure DMZ vlan which is made accessible using a public IP address, and has a specific set of firewall rules to allow connections between the VPN clients and internal subnets. With that said, it is difficult to provide a definitive solution without having a better understanding of the University network and where the Internet connections are terminating. What switches and routers are used in the backbone?