Chapter 6 : Lab 6.2.1 Determining an IP Addressing Scheme

Step 1: Consider VLAN issues

The initial step in determining the required VLANs is to group users and services into VLANs. Each of these VLANs will represent an IP subnet.

A VLAN can be considered to be a group of switch ports assigned to a broadcast domain. Grouping the switch ports confines broadcast traffic to specified hosts so that bandwidth is not unnecessarily consumed in unrelated VLANs. It is therefore a recommended best practice to assign only one IP network or subnetwork to each VLAN.

When determining how to group users and services, consider the following issues:

Flexibility

The employees and hardware of the former AnyCompany will move into the building with the FilmCompany in the near future. The network from this newly acquired company needs to be tightly integrated with the FilmCompany network and a structure put in place to enhance the security of the network.

To support this integration, with improvements in security and performance, additional VLANs need to be created on the network. These VLANs will also allow the personnel to move to the buildings without additional network changes or interruption in network services.

Security

Security can be better enforced between VLANs than within VLANs.

  • Access control lists can be applied to the Distribution Layer router subinterfaces that interconnect the VLANs to enforce this security.
  • The interfaces on the switches can be assigned to VLANs as appropriate to support the network for the connected device.
  • Additional Layer 2 security measures can also be applied to these switch interfaces.

WANs and VPNs

The contract with StadiumCompany adds a number of new requirements. Some FilmCompany personnel will be located at the stadium. Additional personnel and contract workers will also be present at the stadium during live events. These employees will use laptops and the wireless LAN at the FilmCompany branch as well as the wireless LAN at the stadium. To provide network connectivity for these laptops, they will be in their own VLAN. At the stadium, the FilmCompany laptop users will connect to a secure wireless VLAN and use a VPN over the Frame Relay connection between stadium and the FilmCompany branch. With this connection, the laptop users can be attached to the internal FilmCompany network regardless of physical location. To support the video feeds, FilmCompany will need resources available at the stadium. Some of the servers providing these resources will be located at the stadium. Other servers will be located at the branch office of the FilmCompany. For security and performance reasons, these servers, regardless of location, will be on secured VLANs. A separate VPN over the Frame Relay link will be created to connect the servers at the stadium to the servers located at the FilmCompany office.

What are the advantages and disadvantages of using a VPN to extend the wireless and video server networks over the Frame Relay connection from FilmCompany to the stadium?

Advantages:

Extending VLANs through a VPN across the WAN has the advantage that the security measures applied to the VLAN are also applied to all hosts, wherever they are located.

Disadvantages:

The disadvantage is that all VLAN broadcasts also cross the limited bandwidth of the WAN link, which may affect data throughput.

Redundancy

The VLAN structure will support load balancing and redundancy, which are major needs of this new network design. With such a large portion of the FilmCompany operations and revenues dependent on the network operation, a network failure could be devastating. The new VLAN arrangement allows the FC-ASW1 and FC-ASW2 switches to share the load of the traffic and be backups for each other.

This redundancy is accomplished by sharing the RSTP primary and secondary root duties for the traffic for the different VLANs:

  • FC-ASW1 will be the primary root for approximately one-half of the VLAN traffic (not necessarily one half of the VLANs) and FC-ASW2 will be the secondary root for these VLANs.
  • The remaining VLANs will have FC-ASW2 as the primary root and FC-ASW1 as the secondary root.

Step 2: Group network users and services

Examine the planned network topology. Applying the issues considered in Step 1, list all the possible groupings of users and services that may require separate VLANs and subnets.

default VLAN for the Layer 2 devices

voice VLAN to support Voice over IP

VLAN for management hosts and secure peripherals (payroll printer)

VLAN for administrative hosts

VLAN for support hosts

VLAN for high performance production workstations (stationary)

VLAN for mobile production hosts

VLAN for stadium to FilmCompany mobile access VPN

VLAN for network support

VLAN for peripherals for general use (printers, scanners)

VLAN for servers to support video services and storage

VLAN for stadium to FilmCompany video services VPN

VLAN for servers that are publicly accessible

VLAN for terminating unwanted or suspicious traffic

VLAN for undefined future services

Block of addresses required for the NAT pool for BR4

DSL link to the ISP

Addresses for the Frame Relay link to the stadium

Step 3: Tabulating the groupings

The new addressing design needs to be scalable to allow easy inclusion of future services, such as voice.

The current addressing scheme does not allow for managed growth. Correcting this scheme will mean that most devices will be placed on new VLANs and new subnets. In some cases, a device address may not be able to be changed; for example, some of the servers have software registered to their IP addresses. In such cases, the server VLAN will keep its current addressing even though it may not be consistent with the remaining addressing scheme. Other addresses that cannot be changed are the addresses used with the WAN links and the addresses for NAT pool used to access the Internet.

This table shows a possible grouping and addressing scheme. The number of hosts required for the FilmCompany branch office, including growth, has been determined. Assigning one subnet to each VLAN, the host count for each has been rounded up to the next logical network size supported by the binary patterns used in the subnet mask. Rounding up prevents underestimating the total number of host addresses required.

| VLAN number | Network name | Number of host addresses | Predetermined network address | Description |
|---|---|---|---|---|
| 1 | default | 14 | | Default VLAN for the Layer 2 devices |
| 10 | voice | 254 | | Voice VLAN to support Voice over IP |
| 20 | management | 14 | | Management hosts and secure peripherals (payroll printer) |
| 30 | administrative | 62 | | Administrative hosts |
| 40 | support | 126 | | Support hosts |
| 50 | production | 126 | | High performance production workstations (stationary) |
| 60 | mobile | 62 | | Mobile production hosts |
| 70 | net_admin | 14 | | Network support |
| 80 | servers | 65534 | 172.17.0.0/16 | Servers to support video services and storage |
| 90 | peripherals | 62 | | Peripherals for general use (printers, scanners) |
| 100 | web_access | 14 | | VLAN for servers that are publicly accessible |
| 120 | future | 126 | | VLAN for future services |
| 999 | null | 126 | | VLAN for terminating unwanted or suspicious traffic |
| NA | NAT_pool | 6 | 209.165.200.224/29 | Addresses for NAT pool for BR4 or interface to ISP4 |
| NA | DSL_Link | 2 | 192.0.2.40/30 | DSL link to the ISP |
| NA | Frame_Link | 2 | 172.18.0.16/30 | Address of the FR link to the stadium |

Step 4: Determine the total number of hosts to be addressed

To determine the block of addresses to be used, count the number of hosts. To calculate the addresses, count only the hosts that will receive addresses from the new block. Use the information in the table in Step 3 to complete this chart to calculate the total number of hosts in the new FilmCompany network requiring addresses.
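As a worked example of Steps 3 and 4 (added here; it is not part of the original lab), the following Python script takes the host counts from the table above, rounds each one up to the next subnet size, totals the hosts that will be addressed from the new block, and then goes one step beyond the lab by carving the new subnets out of a base block largest-first (VLSM). The base block 10.10.0.0/22 is an assumption chosen for illustration; the lab does not specify one.

```python
import ipaddress
import math

# Host requirements copied from the Step 3 table: (VLAN, name, hosts, fixed
# network). A fixed (predetermined) network keeps its current addresses and
# is therefore not carved out of the new address block.
VLANS = [
    (1, "default", 14, None), (10, "voice", 254, None),
    (20, "management", 14, None), (30, "administrative", 62, None),
    (40, "support", 126, None), (50, "production", 126, None),
    (60, "mobile", 62, None), (70, "net_admin", 14, None),
    (80, "servers", 65534, "172.17.0.0/16"), (90, "peripherals", 62, None),
    (100, "web_access", 14, None), (120, "future", 126, None),
    (999, "null", 126, None), ("NA", "NAT_pool", 6, "209.165.200.224/29"),
    ("NA", "DSL_Link", 2, "192.0.2.40/30"), ("NA", "Frame_Link", 2, "172.18.0.16/30"),
]
NEW = [v for v in VLANS if v[3] is None]  # Step 4: only these get new addresses

def prefix_for_hosts(hosts):
    """Smallest prefix whose usable addresses (2^h - 2) cover `hosts`; h >= 2
    because every subnet loses its network and broadcast addresses."""
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits

def new_block_hosts():
    """Total number of hosts to be addressed from the new block."""
    return sum(hosts for _, _, hosts, _ in NEW)

def new_block_prefix():
    """Prefix of the smallest block holding every new subnet at its rounded-up size."""
    total = sum(2 ** (32 - prefix_for_hosts(h)) for _, _, h, _ in NEW)
    return 32 - math.ceil(math.log2(total))

def allocate(base):
    """Carve the new subnets out of `base`, largest first (VLSM), so each one
    lands on its natural boundary. Returns [(vlan, name, "net/prefix"), ...]."""
    block = ipaddress.IPv4Network(base)
    cursor = int(block.network_address)
    plan = []
    for vlan, name, hosts, _ in sorted(NEW, key=lambda v: -v[2]):
        net = ipaddress.IPv4Network((cursor, prefix_for_hosts(hosts)))
        if not net.subnet_of(block):
            raise ValueError(f"{base} is too small for VLAN {vlan} ({name})")
        plan.append((vlan, name, str(net)))
        cursor += net.num_addresses
    return plan

if __name__ == "__main__":
    print(f"{new_block_hosts()} hosts -> smallest block is a /{new_block_prefix()}")
    for vlan, name, net in allocate("10.10.0.0/22"):  # assumed base, illustration only
        print(f"VLAN {vlan:>4} {name:<15} {net}")
```

Because the rounded-up subnet sizes in the table sum to exactly 1024 addresses, the twelve new subnets fill an aligned /22 with nothing left over; a smaller base makes `allocate` raise once a subnet no longer fits.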

Reflection / Challenge

This lab provided a step-by-step process for determining an addressing scheme for a corporate network.

Discuss and consider the issues that would arise if this planning process was not methodically used.
