Step 1: Consider VLAN issues
The initial step in determining the required VLANs is to group users and services into VLANs. Each of these VLANs will represent an IP subnet.
A VLAN can be considered to be a group of switch ports assigned to a broadcast domain. Grouping the switch ports confines broadcast traffic to specified hosts so that bandwidth is not unnecessarily consumed in unrelated VLANs. It is therefore a recommended best practice to assign only one IP network or subnetwork to each VLAN.
When determining how to group users and services, consider the following issues:
The employees and hardware of the former AnyCompany will move into the building with the FilmCompany in the near future. The network from this newly acquired company needs to be tightly integrated with the FilmCompany network and a structure put in place to enhance the security of the network.
To support this integration, with improvements in security and performance, additional VLANs need to be created on the network. These VLANs will also allow the personnel to move to the buildings without additional network changes or interruption in network services.
Security can be better enforced between VLANs than within VLANs.
• Access control lists can be applied to the Distribution Layer router subinterfaces that interconnect the VLANs to enforce this security.
• The interfaces on the switches can be assigned to VLANs as appropriate to support the network for the connected device.
• Additional Layer 2 security measures can also be applied to these switch interfaces.
WANs and VPNs
The contract with StadiumCompany adds a number of new requirements. Some FilmCompany personnel will be located at the stadium. Additional personnel and contract workers will also be present at the stadium during live events. These employees will use laptops and the wireless LAN at the FilmCompany branch as well as the wireless LAN at the stadium. To provide network connectivity for these laptops, they will be in their own VLAN. At the stadium, the FilmCompany laptop users will connect to a secure wireless VLAN and use a VPN over the Frame Relay connection between the stadium and the FilmCompany branch. With this connection, the laptop users can be attached to the internal FilmCompany network regardless of physical location. To support the video feeds, FilmCompany will need resources available at the stadium. Some of the servers providing these resources will be located at the stadium. Other servers will be located at the branch office of the FilmCompany. For security and performance reasons, these servers, regardless of location, will be on secured VLANs. A separate VPN over the Frame Relay link will be created to connect the servers at the stadium to the servers located at the FilmCompany office.
What are the advantages and disadvantages of using a VPN to extend the wireless and video server networks over the Frame Relay connection from FilmCompany to the stadium?
Extending a VLAN over a VPN across the WAN has the advantage that the security measures applied to the VLAN are also enforced on all of its hosts, wherever they are located.
The disadvantage is that all VLAN broadcasts also cross the narrow bandwidth of the WAN link, which may affect data throughput.
The VLAN structure will support load balancing and redundancy, which are major needs of this new network design. With such a large portion of the FilmCompany operations and revenues dependent on the network operation, a network failure could be devastating. The new VLAN arrangement allows the FC-ASW1 and FC-ASW2 switches to share the load of the traffic and be backups for each other.
This redundancy is accomplished by sharing the RSTP primary and secondary root duties for the traffic for the different VLANs:
• FC-ASW1 will be the primary root for approximately one-half of the VLAN traffic (not necessarily one half of the VLANs) and FC-ASW2 will be the secondary root for these VLANs.
• The remaining VLANs will have FC-ASW2 as the primary root and FC-ASW1 as the secondary root.
Step 2: Group network users and services
Examine the planned network topology. Applying the issues considered in Step 1, list all the possible groupings of users and services that may require separate VLANs and subnets.
• default VLAN for the Layer 2 devices
• voice VLAN to support Voice over IP
• VLAN for management hosts and secure peripherals (payroll printer)
• VLAN for administrative hosts
• VLAN for support hosts
• VLAN for high performance production workstations (stationary)
• VLAN for mobile production hosts
• VLAN for stadium to FilmCompany mobile access VPN
• VLAN for network support
• VLAN for peripherals for general use (printers, scanners)
• VLAN for servers to support video services and storage
• VLAN for stadium to FilmCompany video services VPN
• VLAN for servers that are publicly accessible
• VLAN for terminating unwanted or suspicious traffic
• VLAN for undefined future services
• block of addresses required for the NAT pool for BR4
• DSL link to the ISP
• addresses for the Frame Relay link to the stadium
Step 3: Tabulating the groupings
The new addressing design needs to be scalable to allow easy inclusion of future services, such as voice.
The current addressing scheme does not allow for managed growth. Correcting this scheme will mean that most devices will be placed on new VLANs and new subnets. In some cases, a device address may not be able to be changed; for example, some of the servers have software registered to their IP addresses. In such cases, the server VLAN will keep its current addressing even though it may not be consistent with the remaining addressing scheme. Other addresses that cannot be changed are the addresses used with the WAN links and the addresses for NAT pool used to access the Internet.
This table shows a possible grouping and addressing scheme. The number of hosts required for the FilmCompany branch office, including growth, has been determined. Assigning one subnet to each VLAN, the host count for each has been rounded up to the next logical network size supported by the binary patterns used in the subnet mask. Rounding up prevents underestimating the total number of host addresses required.
| VLAN number | Network name | Number of host addresses | Predetermined network address | Description |
|---|---|---|---|---|
| 1 | default | 14 | | Default VLAN for the Layer 2 devices |
| 10 | voice | 254 | | Voice VLAN to support Voice over IP |
| 20 | management | 14 | | Management hosts and secure peripherals (payroll printer) |
| 50 | production | 126 | | High performance production workstations (stationary) |
| 60 | mobile | 62 | | Mobile production hosts |
| 80 | servers | 65534 | 172.17.0.0/16 | Servers to support video services and storage |
| 90 | peripherals | 62 | | Peripherals for general use (printers, scanners) |
| 100 | web_access | 14 | | VLAN for servers that are publicly accessible |
| 120 | future | 126 | | VLAN for future services |
| 999 | null | 126 | | VLAN for terminating unwanted or suspicious traffic |
| NA | NAT_pool | 6 | 188.8.131.52/29 | Addresses for NAT pool for BR4 or interface to ISP4 |
| NA | DSL_Link | 2 | 192.0.2.40/30 | DSL link to the ISP |
| NA | Frame_Link | 2 | 172.18.0.16/30 | Address of the FR link to the stadium |
Step 4: Determine the total number of hosts to be addressed
To determine the block of addresses to be used, count the number of hosts. To calculate the addresses, count only the hosts that will receive addresses from the new block. Use the information in the table in Step 3 to complete this chart to calculate the total number of hosts in the new FilmCompany network requiring addresses.
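The rounding rule from Step 3 and the host count from Step 4, worked through in code. This is an added example, not part of the original lab: it takes the host counts from the Step 3 table, derives the prefix length each group needs once rounded up to a binary boundary, and totals only the groups that will draw addresses from the new block (the servers VLAN, NAT pool, DSL and Frame Relay links keep their existing addresses, so they are marked fixed and excluded). The smallest-block calculation goes a step beyond the lab text and assumes subnets are allocated largest-first within an aligned block.

```python
"""Subnet sizing for the FilmCompany VLAN plan (Steps 3 and 4)."""
import math

# Constructed from the Step 3 table:
# (VLAN, network name, host addresses required, keeps existing addresses?)
PLAN = [
    (1,    "default",     14,    False),
    (10,   "voice",       254,   False),
    (20,   "management",  14,    False),
    (50,   "production",  126,   False),
    (60,   "mobile",      62,    False),
    (80,   "servers",     65534, True),   # stays on 172.17.0.0/16
    (90,   "peripherals", 62,    False),
    (100,  "web_access",  14,    False),
    (120,  "future",      126,   False),
    (999,  "null",        126,   False),
    (None, "NAT_pool",    6,     True),   # existing /29
    (None, "DSL_Link",    2,     True),   # existing /30
    (None, "Frame_Link",  2,     True),   # existing /30
]

def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose host field still leaves `hosts` usable addresses
    after the network and broadcast addresses are removed (rounds up)."""
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits

def usable_hosts(prefix: int) -> int:
    return 2 ** (32 - prefix) - 2

def subnet_size(prefix: int) -> int:
    """Addresses the subnet consumes, network and broadcast included."""
    return 2 ** (32 - prefix)

def size_plan(plan=PLAN):
    """Step 3: the prefix length each group needs after rounding up."""
    return {name: prefix_for_hosts(hosts) for _, name, hosts, _ in plan}

def hosts_from_new_block(plan=PLAN):
    """Step 4: usable host addresses the new block must supply."""
    return sum(usable_hosts(prefix_for_hosts(h)) for _, _, h, fixed in plan if not fixed)

def smallest_new_block(plan=PLAN):
    """Prefix of the smallest aligned block that holds every new subnet (VLSM)."""
    needed = sum(subnet_size(prefix_for_hosts(h)) for _, _, h, fixed in plan if not fixed)
    return 32 - math.ceil(math.log2(needed))

if __name__ == "__main__":
    for name, p in size_plan().items():
        print(f"{name:12s} /{p:<2d} usable hosts {usable_hosts(p)}")
    print("host addresses from the new block:", hosts_from_new_block())
    print("smallest new block: /%d" % smallest_new_block())
```

A requirement that already sits on a boundary (14, 62, 126, 254) keeps its mask, while one host more (15, 63, 127, 255) pushes the group into the next larger subnet.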
Reflection / Challenge
This lab provided a step-by-step process for determining an addressing scheme for a corporate network.
Discuss and consider the issues that would arise if this planning process were not methodically used.