Lab 6.2.1 Determining an IP Addressing Scheme
Step 1: Consider VLAN issues
The initial step in determining the required VLANs is to group users and services into VLANs. Each of these VLANs will represent an IP subnet.
A VLAN can be considered to be a group of switch ports assigned to a broadcast domain. Grouping the
switch ports confines broadcast traffic to specified hosts so that bandwidth is not unnecessarily consumed in unrelated VLANs. It is therefore a recommended best practice to assign only one IP network or subnetwork to each VLAN.
When determining how to group users and services, consider the following issues:
Flexibility
The employees and hardware of the former AnyCompany will move into the building with the FilmCompany in the near future. The network from this newly acquired company needs to be tightly integrated with the FilmCompany network and a structure put in place to enhance the security of the network.
To support this integration, with improvements in security and performance, additional VLANs need to be
created on the network. These VLANs will also allow the personnel to move to the buildings without additional network changes or interruption in network services.
Security
Security can be better enforced between VLANs than within VLANs.
- Access control lists can be applied to the Distribution Layer router subinterfaces that interconnect the VLANs to enforce this security.
- The interfaces on the switches can be assigned to VLANs as appropriate to support the network for the connected device.
WANs and VPNs
The contract with StadiumCompany adds a number of new requirements. Some FilmCompany personnel will be located at the stadium. Additional personnel and contract workers will also be present at the stadium during live events. These employees will use laptops and the wireless LAN at the FilmCompany branch as well as the wireless LAN at the stadium. To provide network connectivity for these laptops, they will be in their own VLAN. At the stadium, the FilmCompany laptop users will connect to a secure wireless VLAN and use a VPN over the Frame Relay connection between stadium and the FilmCompany branch. With this connection, the laptop users can be attached to the internal FilmCompany network regardless of physical location. To support the video feeds, FilmCompany will need resources available at the stadium. Some of the servers providing these resources will be located at the stadium. Other servers will be located at the branch office of the FilmCompany. For security and performance reasons, these servers, regardless of location, will be on secured VLANs. A separate VPN over the Frame Relay link will be created to connect the servers at the stadium to the servers located at the FilmCompany office.
What are the advantages and disadvantages of using a VPN to extend the wireless and video server
networks over the Frame Relay connection from FilmCompany to the stadium?
Advantages:
Memperluas VLAN melalui VPN di WAN memiliki keuntungan dari keamanan tindakan yang dilakukan terhadap VLAN yang juga sedang diterapkan pada semua host di manapun lokasinya.
Disadvantages:
Kerugiannya adalah bahwa semua siaran VLAN juga melintasi bandwidth sempit pada WAN link, yang mungkin mempengaruhi throughput data
Redundancy
The VLAN structure will support load balancing and redundancy, which are major needs of this new network design. With such a large portion of the FilmCompany operations and revenues dependent on the network operation, a network failure could be devastating. The new VLAN arrangement allows the FC-ASW1 and FCASW2 switches to share the load of the traffic and be backups for each other.
This redundancy is accomplished by sharing the RSTP primary and secondary root duties for the traffic for the different VLANs:
- FC-ASW1 will be the primary root for approximately one-half of the VLAN traffic (not necessarily one half of the VLANs) and FC-ASW2 will be the secondary root for these VLANs.
- The remaining VLANs will have FC-ASW2 as the primary root and FC-ASW1 as the secondary root.
Step 2: Group network users and services
Examine the planned network topology. Applying the issues considered in Step 1, list all the possible groupings of users and services that may require separate VLANs and subnets.
_________ default VLAN for the Layer 2 devices
_________ voice VLAN to support Voice over IP
_________ VLAN for management hosts and secure peripherals (payroll printer)
_________ VLAN for administrative hosts
_________ VLAN for support hosts
_________ VLAN for high performance production workstations (stationary)
_________ VLAN for mobile production hosts
_________ VLAN for stadium to FilmCompany mobile access VPN
_________ VLAN for network support
_________ VLAN for peripherals for general use (printers, scanners)
_________ VLAN for servers to support video services and storage
_________ VLAN for stadium to FilmCompany video services VPN
_________ VLAN for servers that are publicly accessible
_________ VLAN for terminating unwanted or suspicious traffic
_________ VLAN for undefined future services
_________ Block of addresses are required for NAT pool for BR4
_________ DSL link to the ISP
_________ Addresses for the Frame Relay link to the stadium
Step 3: Tabulating the groupings
The new addressing design needs to be scalable to allow easy inclusion of future services, such as voice.
The current addressing scheme does not allow for managed growth. Correcting this scheme will mean that most devices will be placed on new VLANs and new subnets. In some cases, a device address may not be able to be changed; for example, some of the servers have software registered to their IP addresses. In such cases, the server VLAN will keep its current addressing even though it may not be consistent with the remaining addressing scheme. Other addresses that cannot be changed are the addresses used with the WAN links and the addresses for NAT pool used to access the Internet.
This table shows a possible grouping and addressing scheme. The number of hosts required for the FilmCompany branch office, including growth, has been determined. Assigning one subnet to each VLAN, the host count for each has been rounded up to the next logical network size supported by the binary patterns used in the subnet mask. Rounding up prevents underestimating the total number of host addresses required.
VLAN number | Network name | Nomor alamat host | Predetermined Network Address | Deskripsi |
1 | default | 14 | Default VLAN for the Layer 2 devices | |
10 | voice | 254 | Voice VLAN to support Voice over IP | |
20 | management | 14 | Management hosts and secure peripherals (payroll printer) | |
30 | administrative | 62 | Administrative hosts | |
40 | support | 126 | Support hosts | |
50 | production | 126 | High performance production workstations (stationary) | |
60 | mobile | 62 | Mobile production hosts | |
70 | net_admin | 14 | Network support | |
80 | servers | 65534 | 172.17.0.0 /16 | Servers to support video services and storage |
90 | peripherals | 62 | Peripherals for general use (printers,scanners) | |
100 | web_access | 14 | VLAN for servers that are publicly accessible | |
120 | future | 126 | VLAN for future services | |
999 | null | 126 | VLAN for terminating unwanted or suspicious traffic | |
NA | NAT_pool | 6 | 209.165.200.224/29 | Addresses for NAT pool for BR4 or interface to ISP4 |
NA | DSL_Link | 2 | 192.0.2.40 /30 | DSL link to the ISP |
NA | Frame_Link | 2 | 172.18.0.16/30 | Address of the FR link to the stadium |
Step 4: Determine the total number of hosts to be addressed
To determine the block of addresses to be used, count the number of hosts. To calculate the addresses,
count only the hosts that will receive addresses from the new block. Use the information in the table in Step 3 to complete this chart to calculate the total number of hosts in the new FilmCompany network requiring addresses.
Reflection / Challenge
This lab provided a step-by-step process for determining an addressing scheme for a corporate network.
Discuss and consider the issues that would arise if this planning process was not methodically used.