Information Systems:Wired Network (LAN) Infrastructure Redesign
Network re-design (switch swap) will occur March 3, 2017. Discussion for that project can be found here. This page represents initial discussion prior to actual planning of the project.
Overview
The redesign of the wired network (layout, configuration etc.) was supposed to happen with new switches, but it was decided that a significant investment was already made in our current hardware, and thus a redesign will be attempted with our current switches. This article details the major areas involved in this redesign.
Hardware
Currently, we have the following 3Com switches to work with:
- 4 x 3870 SuperStack - Gigabit, managed, stackable. Access-layer switch.
- 6 x 4200G - Gigabit, managed, stackable, decent web interface. Access-layer switch.
- 1 x 4500 - 10/100, managed, most features amongst all the switch models. This is a Distribution or Core class of switch.
The 4500 is packed with features and its CLI resembles the one on the 4200G. Because we only have 1 of this model, it might be appropriate as a "play" switch.
Configuration changes
Switch features
VLANs
The entire uniPHARM network is currently a single, very large broadcast domain. Here are the proposed VLANs:
- VLAN 1 - Management VLAN, no devices
- VLAN 10 - Corporate LAN - desktops, printers/print servers, RF guns, outbound NAT through Telus, Terago
- VLAN 20 - Backup traffic, separate L3 domain, no default gateway, no outbound internet access
- VLAN 30 - Guest VLAN, outbound NAT through Telus, Terago, no access to corporate intranet
- VLAN 40 - Storage traffic (SAN iSCSI), separate L3 domain, no default gateway, no outbound internet access
- VLAN 50 - WAN traffic (Telus, Terago)
- VLAN 60 - DHL/Loomis LAN
It is important to note that routing will be needed between some of our VLANs. The Sophos UTM220 should be able to handle inter-VLAN routing, so VLAN interfaces should be set up on it as part of the configuration. Since the UTM220 has a limited number of ports, router-on-a-stick (a single 802.1Q trunk carrying several VLANs) can be used to route between some of the VLANs. The WAN ports to the Telus and Terago routers/modems should remain dedicated for ease of administration.
The management VLAN should ideally be changed from its default of VLAN 1, but our network is pretty small and the risk of compromised access to the switches (and the resulting threat to our network) is very low, so leaving this as is should be fine. This way, you won't need a VLAN-capable device to quickly access and troubleshoot the switches.
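The two paragraphs above describe the inter-VLAN routing policy in words. The following is an added example (not part of this wiki page's plan or the Sophos configuration) that models that policy as a deny-by-default table and checks the page's own statements against it: backup and storage VLANs have no gateway and so never route, guest gets NAT to the internet but no corporate access, corporate gets NAT out. Everything the page does not say (corporate reaching the management VLAN, VLAN 60 being routed at all, a closing deny-all rule) is an assumption and is marked as such in the comments.

```python
"""Deny-by-default inter-VLAN policy model for the proposed uniPHARM VLANs.

Added example, not the page's own configuration.  VLAN numbers and their
stated properties come from the page; anything else is an assumption.
"""
from dataclasses import dataclass, field

INTERNET = "internet"


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    routed: bool                      # has a router interface, i.e. a default gateway
    internet: bool                    # NATed out through Telus/Terago
    may_reach: frozenset = field(default_factory=frozenset)  # VLANs it may initiate to


VLANS = {
    # assumption: corporate admins may reach switch management addresses in VLAN 1
    1:  Vlan(1, "management", routed=True, internet=False),
    10: Vlan(10, "corporate", routed=True, internet=True, may_reach=frozenset({1})),
    20: Vlan(20, "backup", routed=False, internet=False),   # no default gateway (page)
    30: Vlan(30, "guest", routed=True, internet=True),      # no corporate access (page)
    40: Vlan(40, "storage", routed=False, internet=False),  # no default gateway (page)
    50: Vlan(50, "wan", routed=True, internet=False),       # transit segment; NAT itself not modelled
    60: Vlan(60, "dhl-loomis", routed=True, internet=False),  # assumption: page gives no detail
}


def allowed(src: int, dst) -> bool:
    """True if hosts in VLAN `src` may initiate traffic to `dst` (a VID or INTERNET)."""
    s = VLANS[src]
    if not s.routed:
        return False            # without a gateway nothing leaves the VLAN
    if dst == INTERNET:
        return s.internet
    d = VLANS[dst]
    if not d.routed:
        return False            # an isolated VLAN is unreachable from outside as well
    return dst in s.may_reach   # anything the page does not name is denied


def rule_table():
    """Explicit allow rules in VID order, closed by an assumed deny-all."""
    rules = []
    for src in sorted(VLANS):
        for dst in sorted(VLANS) + [INTERNET]:
            if dst != src and allowed(src, dst):
                rules.append((src, dst, "allow"))
    rules.append(("any", "any", "deny"))
    return rules


def check_invariants() -> bool:
    """Statements made on the page that any rendering of the table must satisfy."""
    assert not allowed(30, 10), "guest must not reach the corporate intranet"
    for isolated in (20, 40):
        assert not allowed(isolated, INTERNET), f"VLAN {isolated} has no internet access"
        assert not any(allowed(v, isolated) for v in VLANS if v != isolated)
    assert allowed(10, INTERNET) and allowed(30, INTERNET)
    return True


if __name__ == "__main__":
    check_invariants()
    for rule in rule_table():
        print(rule)
```

The useful property is that `rule_table()` is derived from the VLAN definitions rather than written by hand, so adding a VLAN or changing a `may_reach` set regenerates the rules, and `check_invariants()` fails loudly if an edit accidentally opens guest-to-corporate or reaches into the backup or storage segments.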
Stacking
Since we have 4 of the 3870s, stacking should be explored to see if it's feasible and ideal for our environment. It does make sense to administer multiple switches as one, especially since there is a high port density in the server room.
It will also be important to do cross-stack trunking, i.e., for 2 bonded links, each link goes to a different switch in the stack. This is what provides the redundancy.
Spanning Tree
A spanning tree topology should be implemented to provide redundancy during a switch failure and to prevent the broadcast storms that a mis-plugged port (a loop) would otherwise cause. Rapid spanning tree will be employed; I don't really see anything better.
Root bridges will be the server room switches.
RMON and sFlow
Port analysis is useful for troubleshooting, and for general insight into what's going on in our network. sFlow should be enabled for traffic sampling, and one port on each switch should be set as a mirror/analyzer port (for Wireshark).
LACP/port aggregation
Switches should be connected to each other by multiple ports trunked together. Some server links should also be aggregated for increased bandwidth. Note that port bonding will not necessarily speed up BackupExec backups or lead to a noticeable speed increase for users, because disk bandwidth is far more limiting. What port trunking helps with is accommodating maximum bandwidth utilization by many users at once (e.g. transferring large files from Superserver to multiple desktops).
QoS/traffic prioritization
QoS will be absolutely essential if and when we get IP phones. For now, it will be used to rate-limit certain kinds of traffic and reserve bandwidth for other types.
Layout changes
Switch reorganization
To facilitate stacking, the switches in the server room should be replaced with all 3870s. Perhaps 3 should be stacked with 1 spare.
Note: This all depends on if we still have those stacking cables...
IP address changes
With the incorporation of VLANs, IP addresses will need to be reconsidered. A /21 likely won't be necessary. New DHCP pools will also need to be set up, and it should be decided whether these are served by the AD domain controllers, by the Sophos, or by the
Internal DNS/domain changes
To make the incorporation of VLANs even more elegant, we can consider subdomains (e.g. loomis.unipharm.local) for some of the segmented LANs.
Rethinking the DMZ
Should we keep the DMZ - 172.30.25.0/24?
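As an added worked example for the IP address changes and the DMZ question above (not the page's actual addressing plan), the script below carves a supernet into one subnet per VLAN, assigns a gateway only to VLANs the page says have one, derives DHCP pool ranges for the VLANs that will use DHCP, and checks that nothing overlaps the existing 172.30.25.0/24 DMZ. The 10.20.0.0/21 supernet, the per-VLAN prefix lengths, and the 32-address static reservation at the start of each pool are constructed inputs; only the VLAN numbers, the DMZ range, and the "no default gateway" property of VLANs 20 and 40 come from the page.

```python
"""Per-VLAN subnet and DHCP pool planner.  Added example; addressing is constructed."""
import ipaddress

# Constructed planning input (not the real uniPHARM ranges): a /21 to carve.
SUPERNET = ipaddress.ip_network("10.20.0.0/21")
DMZ = ipaddress.ip_network("172.30.25.0/24")   # existing DMZ named on the page

# (vid, name, prefixlen, has_gateway, uses_dhcp).  Prefix lengths are assumptions;
# VLANs 20 and 40 have no default gateway per the page and are treated as static-only.
WANTED = [
    (10, "corporate", 23, True, True),
    (30, "guest", 24, True, True),
    (60, "dhl-loomis", 24, True, True),
    (20, "backup", 24, False, False),
    (40, "storage", 24, False, False),
    (1, "management", 26, True, False),
]
RESERVED_STATIC = 32   # addresses after the gateway kept for static devices (assumption)


def plan(supernet, wanted, reserved_static=RESERVED_STATIC):
    """Allocate subnets largest-first from `supernet`; return {vid: details}."""
    free = [supernet]
    result = {}
    for vid, name, plen, has_gateway, uses_dhcp in sorted(wanted, key=lambda w: w[2]):
        free.sort()                       # keep allocations contiguous from the bottom
        for i, block in enumerate(free):  # first free block at least as large as wanted
            if block.prefixlen <= plen:
                break
        else:
            raise ValueError(f"no room for VLAN {vid} (/{plen}) in {supernet}")
        free.pop(i)
        while block.prefixlen < plen:     # split down, returning the upper half to the pool
            block, upper = block.subnets(prefixlen_diff=1)
            free.append(upper)
        hosts = list(block.hosts())
        entry = {"name": name, "network": block, "gateway": None, "dhcp": None}
        if has_gateway:
            entry["gateway"] = hosts[0]   # first usable address is the router interface
        if uses_dhcp:
            entry["dhcp"] = (hosts[1 + reserved_static], hosts[-1])
        result[vid] = entry
    return result


def check_no_overlap(plan_result, *other_networks) -> bool:
    """Raise if any planned subnet overlaps another one or one of `other_networks`."""
    nets = [e["network"] for e in plan_result.values()] + list(other_networks)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


if __name__ == "__main__":
    result = plan(SUPERNET, WANTED)
    check_no_overlap(result, DMZ)
    for vid, e in sorted(result.items()):
        print(vid, e["name"], e["network"], "gw", e["gateway"], "dhcp", e["dhcp"])
```

Allocating largest-first keeps the /23 aligned and leaves the leftover space as a few clean blocks for future VLANs; the overlap check is the one to run whenever the DMZ question is answered, since keeping 172.30.25.0/24 only works if none of the new ranges are carved from it.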