01-21-2010 12:17 AM - edited 03-06-2019 09:23 AM
Dear Senior Fellows
Good Morning
I am a system-side person but I have experience in networks too, and now I have an opportunity to handle a large network from scratch. This is an educational institute; the previous network person just left the job and I joined. I surveyed the whole setup and found lots of issues. I will discuss my findings and suggested solution; please help me in this regard, it is a great honor for me.
Current Setup Findings
Main Site Nodes
Department-1=40
Department-2=100
Department-3=70
Department-4=120
Department-5=50
Department-6=60
Department-7=200
Department-8=50
Department-9=60
Department-10=50
Total=800
Remote Site-1 Nodes
Department-1=30
Department-2=70
Total=100
Remote Site-2 Nodes
Department-1=40
Department-2=30
Total=70
Remote Site-3 Nodes
Department-1=50
Department-2=30
Total=80
Grand Total=1050 Nodes
Now this is a picture of my computers/nodes. All three sites are connected with a 2 MB link. All major departments have a Cisco 2900 switch for connectivity; further, some departments have their own, like Allied Telesyn and D-Link, for further segregation. In the server room we have Cisco Layer 3 Catalyst 3700 and Catalyst 3500 switches, but they are just working as Layer 2 devices; all connections from departments are just dropped into these switches. We have a PIX 525 firewall which is not in use because it does not have a DMZ interface (my staff told me). No central IP scheme is defined, e.g. some departments are on 192.168.x.x, some on 172.16.x.x and some on the 10.x.x.x network, and they get their service from a Linux Squid server, which is a multi-homed computer: one interface has a public IP and the other has all these IP ranges assigned to interconnect all these schemes. So lots of traffic, broadcasts and collisions are happening, and IP conflicts. People are even allowed public IPs because the public and private networks drop onto the same switch; sometimes public IPs give IP conflicts because someone tries to give a public IP to his computer to get fast access to the Internet. This is a pathetic condition: no VLANs. We have services like EMAIL, DNS, WEB, PORTAL...; they are all given public IPs. Remote sites are also getting Internet from the main site via the 2 MB link. I think it is good bandwidth for these users, but there are lots of complaints of network connectivity and slow Internet.
Solution
The above-mentioned condition is very sad, but I have to fix all this, so I need proper advice from you people. My plans are like:
1-Proper new IP scheme
2-Define VLANs on departmental level
3-Inter-VLAN routing between VLANs through Layer 3 switches
4-Redesign LAN topology
5-Server room re-infrastructure of switches/router/PIX
First of all I want to design a new IP scheme, like:
Main site = 192.168.100.X
Department-1= 192.168.110.X
Department-2= 192.168.120.X
Department-3= 192.168.130.X
Department-4= 192.168.140.X
Department-5= 192.168.150.X
Department-6= 192.168.160.X
Department-7= 192.168.170.X
Department-8= 192.168.180.X
Department-9= 192.168.190.X
Department-10= 192.168.191.X
Site-1 = 12.168.200.X
Department-1= 192.168.201.X
Department-2= 192.168.202.X
Site-2 = 192.168.210.X
Department-1= 192.168.211.X
Department-2= 192.168.212.X
Site-3 = 192.168.220.X
Department-1= 192.168.221.X
Department-2= 192.168.222.X
Please convey the best possible solution, step-wise or complete.
Thanks
Jey
01-21-2010 06:27 AM
Jey,
We have taken this type of approach and it seems to work well and makes it easy to isolate issues. While there are many ways to do this, and some better than others, this is what works for us.
Infrastructure IP Addressing
Here are some examples:
Hope this helps. Please rate helpful posts.
Mike
01-21-2010 04:17 AM
Hi Jey,
The approach is good: divide the IP scheme for each and every department and create separate VLANs in the switches to segregate the VLAN traffic into the same domain. If you have an L3 switch then there is no issue for inter-VLAN routing, or you can achieve it via a router port, using a trunk on the router port and sub-interfaces on the port for inter-VLAN routing. I would suggest you also configure the PIX firewall so that all the traffic which goes outside the network or comes inside the network will go via the firewall.
Regards
Ganesh.H
01-21-2010 10:50 PM
Thanks to all for replying, especially Mr. Burleyman.
So I changed my plan according to your suggestions, and this is what I got:
Main-HQ 10.110.x.x
Site-1 10.120.x.x
Site-2 10.130.x.x
Site-3 10.140.x.x
In Main- HQ
10.110.1.x VLAN 1 Network equipment (routers, switches, etc.)
10.110.5.x VLAN 5 Servers(DNS,ADC,Proxy,DHCP………)
10.110.10.x VLAN10 Department-1
10.110.20.x VLAN20 Department-2
10.110.30.x VLAN30 Department-3
10.110.40.x VLAN40 Department-4
10.110.50.x VLAN50 Department-5
10.110.60.x VLAN60 Department-6
10.110.70.x VLAN70 Department-7
10.110.80.x VLAN80 Department-8
10.110.90.x VLAN90 Department-9
10.110.100.x VLAN100 Department-10
In SITE-1
10.120.1.x VLAN 1 Network equipment (routers, switches, etc.)
10.120.5.x VLAN 5 Servers(DNS,ADC,Proxy,DHCP………)
10.120.10.x VLAN10 Department-1
10.120.20.x VLAN20 Department-2
Now the problem is: should I set up VLANs switch-based or building/department-wise? I am a little confused here. Some departments have like 5 switches, some have 1, some have 10, and the major issue for me is that some departments are taking cables from other departments. So how will the VLAN design work? Please guide me in VLAN design too. I studied VLANs and configured them in a lab environment, but not in a huge network. Please help.
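The following is an added worked example, not part of Jey's post or of any reply in the thread: a small Python check of the revised plan above before it is rolled out. It assumes one /24 per VLAN, the second octet identifying the site (110, 120, 130, 140), the third octet equal to the VLAN number, VLAN 10*N for Department-N, and the node counts from the first post. The growth factor and the list of legacy ranges are constructed for the example and are not from the thread.

```python
import ipaddress

# Second octet -> site, as in the revised plan (10.110.x.x = Main-HQ, ...).
SITES = {110: "Main-HQ", 120: "Site-1", 130: "Site-2", 140: "Site-3"}

# Node counts per department, copied from the first post.
NODES = {
    "Main-HQ": {1: 40, 2: 100, 3: 70, 4: 120, 5: 50, 6: 60, 7: 200, 8: 50, 9: 60, 10: 50},
    "Site-1": {1: 30, 2: 70},
    "Site-2": {1: 40, 2: 30},
    "Site-3": {1: 50, 2: 30},
}

# Infrastructure VLANs present at every site in the plan (no node count given).
INFRA_VLANS = {1: "Network equipment", 5: "Servers"}


def _entry(octet, vlan, name, nodes):
    net = ipaddress.ip_network(f"10.{octet}.{vlan}.0/24")
    return {"name": name, "subnet": net, "gateway": net[1], "nodes": nodes}


def build_plan():
    """Map (site, vlan) -> subnet record. Department-N gets VLAN 10*N and the
    /24 whose third octet equals the VLAN number, exactly as in the plan above."""
    plan = {}
    for octet, site in SITES.items():
        for vlan, name in INFRA_VLANS.items():
            plan[(site, vlan)] = _entry(octet, vlan, name, 0)
        for dept, count in NODES[site].items():
            plan[(site, 10 * dept)] = _entry(octet, 10 * dept, f"Department-{dept}", count)
    return plan


def check_plan(plan, growth=1.25):
    """Return a list of problems: overlapping subnets, non-RFC 1918 space, or a
    /24 too small for the department once `growth` headroom is applied
    (growth factor is an assumption for the example)."""
    problems = []
    entries = list(plan.items())
    for i, ((site_a, vlan_a), a) in enumerate(entries):
        for (site_b, vlan_b), b in entries[i + 1:]:
            if a["subnet"].overlaps(b["subnet"]):
                problems.append(f"overlap: {site_a}/VLAN{vlan_a} with {site_b}/VLAN{vlan_b}")
    for (site, vlan), e in plan.items():
        usable = e["subnet"].num_addresses - 2   # minus network and broadcast
        needed = int(e["nodes"] * growth) + 1    # plus the SVI default gateway
        if needed > usable:
            problems.append(f"too small: {site}/VLAN{vlan} needs {needed} of {usable} usable")
        if not e["subnet"].is_private:
            problems.append(f"not RFC 1918: {site}/VLAN{vlan} is {e['subnet']}")
    return problems


def legacy_overlaps(plan, legacy_ranges):
    """Which existing ranges collide with the new plan and must move first."""
    hits = []
    for legacy in legacy_ranges:
        old = ipaddress.ip_network(legacy)
        for (site, vlan), e in plan.items():
            if old.overlaps(e["subnet"]):
                hits.append((legacy, site, vlan))
    return hits


if __name__ == "__main__":
    plan = build_plan()
    for (site, vlan), e in sorted(plan.items()):
        print(f"{site:8} VLAN{vlan:<4} {str(e['subnet']):18} gw {e['gateway']}  {e['name']}")
    print("problems:", check_plan(plan) or "none")
    # Constructed legacy ranges standing in for the current 192.168/172.16/10.x mix.
    legacy = ["192.168.1.0/24", "172.16.0.0/16", "10.110.10.0/24"]
    print("legacy collisions:", legacy_overlaps(plan, legacy))
```

For the plan as posted, check_plan returns no problems; raising the growth factor to 1.5 reports Department-7 (200 nodes) outgrowing its /24, which is the kind of thing to know before the VLAN numbering is fixed. legacy_overlaps shows which of the existing ranges collide with new subnets, and those hosts must be renumbered before the matching SVI is brought up, otherwise the same IP conflicts the first post complains about simply move to the new network. One caveat: VLAN 1 is the default VLAN on Catalyst switches and every port belongs to it until reassigned, so using it for network equipment deserves a second look.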
01-22-2010 12:03 AM
Hi,
If you have L2 devices at your access layer, configure your VLANs in the distribution switch by department. You will then have a trunk from the distribution to the access switches. I would advise you to use a hierarchical approach to connect your switches; if possible, use redundant links with spanning tree. You can also configure some security controls by allowing only specific VLANs on the trunks. Use VTP to propagate your VLAN information to the rest of the switches. This will help, for example, where you might end up having departments sharing a switch, so you won't even have to worry which department uses which switch. Depending on the size of the branches, you can use a similar approach for your branches. If you are using L3 devices, the approach might be different, as you might need to route locally.
Regards,
01-22-2010 04:45 AM
I am not extremely well versed in design, but your setup depends on many things. What are your security requirements? Do you restrict one department from accessing certain things, like servers, Internet, etc.? Emmanuel is correct in his statement.
Mike
01-22-2010 05:22 AM
Jey,
Take a look at these design documents as they may help.
http://www.cisco.com/en/US/docs/internetworking/design/guide/nd2012.html
Thanks for the rating...
Hope this helps. Please rate helpful post.
Mike
01-24-2010 03:40 AM
I am still confused here about department-level VLANs. I have attached the current network structure diagram. Here some departments are behind 5 intermediate switches, so I have to configure trunks on all intermediate switches and allow different VLANs for different departments manually. I am thinking of doing it manually rather than with DTP, and not using VTP either. But please see my diagram and guide accordingly.
Regards
Jey
01-24-2010 05:37 AM
Hi Jey,
Yes, you need to configure trunks between the switches in order for the VLANs to communicate with the upper layer. As per your diagram, since this is a mid-range switching environment, I would also recommend that you secure your ports in the lower layer which are directly connected to end users, in order to avoid switch loops in your network.
Use PortFast with the BPDU guard and root guard features in the switches to avoid intrusion of switches into your network, and also prune the unwanted VLANs from the trunks using VLAN pruning to avoid unnecessary traffic floating over the network.
Hope this helps
Regards
Ganesh.H
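As an added example (mine, not configuration from the thread or from Cisco), covering Emmanuel's point about allowing only specific VLANs on trunks and Ganesh's PortFast, BPDU guard, root guard and pruning advice above: a Python script that renders the Catalyst IOS fragments for one intermediate access switch carrying user ports of two departments, and for the L3 distribution switch that routes between them. Hostnames, interface names and the VLAN set (1, 5, 30, 70 from the Main-HQ plan) are assumptions. VTP is set to transparent because Jey said he does not want to use it, and DTP is switched off with `switchport nonegotiate` because he wants trunks configured by hand.

```python
MGMT_VLAN = 1     # Jey's plan keeps network equipment in VLAN 1 (assumption: left unchanged)
SITE_OCTET = 110  # Main-HQ second octet from Jey's plan
VLANS = {1: "Network-equipment", 5: "Servers", 30: "Department-3", 70: "Department-7"}


def vlan_database(vlans):
    """'vlan N / name X' entries; VLAN 1 always exists and cannot be renamed."""
    lines = []
    for vlan in sorted(vlans):
        if vlan != 1:
            lines += [f"vlan {vlan}", f" name {VLANS[vlan]}"]
    return lines


def access_port(intf, vlan):
    """User-facing port: one VLAN, no DTP, PortFast, and BPDU guard so that a
    switch or loop plugged in by a department err-disables the port instead of
    joining the spanning tree."""
    return [f"interface {intf}",
            " switchport mode access",
            f" switchport access vlan {vlan}",
            " switchport nonegotiate",
            " spanning-tree portfast",
            " spanning-tree bpduguard enable"]


def trunk_port(intf, vlans, root_guard=False):
    """Manual dot1q trunk that carries only the listed VLANs plus management;
    the allowed list is the per-trunk pruning Ganesh recommends."""
    allowed = ",".join(str(v) for v in sorted(set(vlans) | {MGMT_VLAN}))
    lines = [f"interface {intf}",
             " switchport trunk encapsulation dot1q",
             " switchport mode trunk",
             " switchport nonegotiate",
             f" switchport trunk allowed vlan {allowed}"]
    if root_guard:
        lines.append(" spanning-tree guard root")  # a downstream switch can never become root
    return lines


def access_switch_config(hostname, uplink, user_ports):
    """user_ports: {interface: vlan}. A switch that serves two departments (the
    'cables from other departments' case) simply trunks both VLANs upstream."""
    vlans = set(user_ports.values())
    lines = [f"hostname {hostname}", "vtp mode transparent"]
    lines += vlan_database(vlans)
    lines += trunk_port(uplink, vlans)
    for intf, vlan in user_ports.items():
        lines += access_port(intf, vlan)
    return lines


def distribution_config(hostname, downlinks):
    """downlinks: {interface: [vlans carried]}. SVIs are the departments' default
    gateways, so inter-VLAN traffic is routed here rather than on the Squid box."""
    lines = [f"hostname {hostname}", "ip routing", "vtp mode transparent"]
    lines += vlan_database(VLANS)
    for vlan in VLANS:
        lines += [f"interface Vlan{vlan}",
                  f" ip address 10.{SITE_OCTET}.{vlan}.1 255.255.255.0"]
    lines.append("spanning-tree vlan " + ",".join(str(v) for v in VLANS) + " root primary")
    for intf, vlans in downlinks.items():
        lines += trunk_port(intf, vlans, root_guard=True)
    return lines


if __name__ == "__main__":
    ports = {"FastEthernet0/1": 30, "FastEthernet0/2": 30, "FastEthernet0/3": 70}
    print("\n".join(access_switch_config("dept3-sw1", "GigabitEthernet0/1", ports)))
    print("!")
    print("\n".join(distribution_config("hq-dist", {"GigabitEthernet1/0/1": [30, 70]})))
```

The `switchport trunk encapsulation dot1q` line is needed on platforms that also support ISL (Catalyst 3550/3750) and is rejected on dot1q-only platforms such as the 2960, where it is simply omitted; exact syntax also varies with IOS version on the older 2900-series units in the departments, so check each model before pasting. Because every trunk's allowed list is written explicitly, an intermediate switch that only passes traffic for another department carries just that department's VLAN and VLAN 1, and a VLAN added later has to be added to each trunk on the path by hand, which is the documentation burden the last reply warns about.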
01-23-2010 07:10 AM
I have read that it is best practice to keep VLANs restricted to a single access-layer switch, but I think that might be too difficult in real life. I would assign your VLANs per department and, where you require multiple VLANs on the same switch, set up trunking. I have always been hesitant to deploy VTP, and in your case, where some departments are inter-connected, it would probably be best to avoid it and maintain good documentation.