
KFUPM Campus Network VLAN Assignment Plan



Introduction

This report discusses the proposed VLAN implementation in the KFUPM campus network. It covers the network plan for academic buildings, student dorms, faculty housing and the buildings connected through pair gain, with the aim of improving both the security and the manageability of the network. Using this scheme would allow us to implement layer-3 ACLs for students and wireless LAN users and would greatly widen our options for access control; for example, wireless LAN users can be restricted to a small number of services if so desired. The VLAN assignment scheme is also scalable to a large extent for future network expansion.

Objectives:
1) To create separate VLANs for faculty/staff, students and wireless users.
2) To define layer-3 ACLs for students and wireless LAN users to restrict services.
3) To keep broadcast traffic inside its own VLAN and so make better use of the available bandwidth.
4) To prevent student PCs from seeing or accessing faculty PCs through the network neighbourhood.

Implementation plan:

VLAN Scheme for Academic Buildings:
It is proposed to divide each academic building into three non-default VLANs:
1) VLAN for faculty and staff
2) VLAN for students
3) VLAN for wireless access
The naming convention for these VLANs will be as follows:
VLANB + Bldg # + _FAC_STF (faculty/staff VLAN)
VLANB + Bldg # + _STU (student VLAN)
VLANB + Bldg # + _WLAN (wireless VLAN)



For example, the VLAN names for building 14 would be:
VLANB14_FAC_STF
VLANB14_STU
VLANB14_WLAN
A VLAN number scheme will also be followed for these VLANs in all the switches. The VLANs will be numbered as follows:
• For the faculty/staff VLAN the VLAN ID is the Bldg #.
• For the student and wireless VLANs the VLAN ID is the Bldg # with a digit X appended (not added), where X = 2 for the student VLAN and X = 3 for the wireless VLAN.
For example, the VLAN numbers for building 14 would be:
14 for VLANB14_FAC_STF (faculty/staff VLAN)
142 for VLANB14_STU (student VLAN)
143 for VLANB14_WLAN (wireless VLAN)
Appending a digit keeps the IDs unique across the campus, but the result must still be a valid VLAN ID: 1 to 4094, avoiding 1002 to 1005, which Cisco switches reserve. Building 100, for instance, would produce 1002 and 1003 and would need an exception.

IP addressing:
Each academic building is allocated the block 10.X.0.0/16, where X is the building number, divided into /20 subnets with one subnet per VLAN. This allows up to 16 VLANs per building; three would be used at present, in the same order as the VLANs above:
10.X.0.0 – 10.X.15.254 (faculty/staff VLAN, 10.X.0.0/20)
10.X.16.0 – 10.X.31.254 (student VLAN, 10.X.16.0/20)
10.X.32.0 – 10.X.47.254 (wireless VLAN, 10.X.32.0/20)
where X is the building number. The IP addressing for Bldg 14 would therefore be 10.14.0.0/16, with the VLAN ranges:
10.14.0.0 – 10.14.15.254
10.14.16.0 – 10.14.31.254
10.14.32.0 – 10.14.47.254
Each /20 has 4094 usable host addresses, so this addressing scheme accommodates 4000 plus computers per VLAN (one address in each subnet is taken by the VLAN's gateway on the L-3 switch).


DHCP Scope:
The DHCP scopes would cover the three VLAN ranges:
10.X.0.0 – 10.X.15.254
10.X.16.0 – 10.X.31.254
10.X.32.0 – 10.X.47.254
where X is the building number. Each scope is split between the two DHCP servers for redundancy, each server handing out one half of the /20. Both servers must still be configured with the full /20 mask and the same gateway, and the network address and the gateway address must be excluded from whichever half contains them.
The scopes in the first DHCP server would be:
10.X.0.0 – 10.X.7.254
10.X.16.0 – 10.X.23.254
10.X.32.0 – 10.X.39.254
The scopes in the second DHCP server would be:
10.X.8.0 – 10.X.15.254
10.X.24.0 – 10.X.31.254
10.X.40.0 – 10.X.47.254
For example, the scopes in the first DHCP server for Bldg 14 would be:
10.14.0.0 – 10.14.7.254
10.14.16.0 – 10.14.23.254
10.14.32.0 – 10.14.39.254
and the scopes in the second DHCP server for Bldg 14 would be:
10.14.8.0 – 10.14.15.254
10.14.24.0 – 10.14.31.254
10.14.40.0 – 10.14.47.254
Since the DHCP servers do not sit in the building VLANs, each VLAN interface on the L-3 switch needs a DHCP relay (ip helper-address) entry pointing at both servers, otherwise the redundancy is lost.



Switch IP address:
The IP address of switches would be 10.254.X.Y, where X is the Bldg # and Y = 200 for switch 1, Y = 201 for switch 2, and so on (Y = 200 to 254 leaves room for 55 switches per building). For example, the switch IP addresses for Bldg 14 would be:
10.254.14.200
10.254.14.201
10.254.14.202
and so on.
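The academic-building scheme above is mechanical enough to generate rather than type, and generating it is also the easiest way to catch the mistakes that matter (a VLAN ID that lands in a reserved range, two DHCP halves that overlap, a gateway address handed out to a PC). The following is an added example, not code from the report: it produces the VLAN names and IDs, the /20 subnets, the split DHCP scopes and the switch addresses for one building and runs those checks. The function names, the gateway at the first host address of each /20 and the set of DHCP exclusions are this example's assumptions.

```python
# Added example (not part of the KFUPM report): generator and sanity checks for
# the academic-building scheme. Function names, the gateway at .0.1 of each /20
# and the DHCP exclusions are assumptions of this example.
import ipaddress

# The role suffix is appended to the building number as a digit, not added: 14, 142, 143.
ROLES = (("FAC_STF", ""), ("STU", "2"), ("WLAN", "3"))
RESERVED_VLANS = set(range(1002, 1006))  # reserved on Cisco switches; 1 is the default VLAN
MAX_VLAN = 4094


def vlan_id(bldg, suffix):
    """VLAN ID per the report: the building number with the role digit appended."""
    vid = int(f"{bldg}{suffix}")
    if not 2 <= vid <= MAX_VLAN or vid in RESERVED_VLANS:
        raise ValueError(f"VLAN {vid} for building {bldg} is out of range or reserved")
    return vid


def split_scope(net):
    """Two DHCP half-scopes for a /20: x.0.0-x.7.254 (server 1), x.8.0-x.15.254 (server 2)."""
    first, second = net.subnets(new_prefix=net.prefixlen + 1)
    return ((first.network_address, first.broadcast_address - 1),
            (second.network_address, second.broadcast_address - 1))


def plan_for_building(bldg):
    """Names, IDs, /20 subnets, gateways and DHCP scopes for one academic building."""
    if not 1 <= bldg <= 254:  # the building number is the second octet of 10.X.0.0/16
        raise ValueError("building number must fit in one octet")
    block = ipaddress.ip_network(f"10.{bldg}.0.0/16")
    subnets = list(block.subnets(new_prefix=20))  # 16 possible VLANs, 3 used today
    plan = {}
    for (role, suffix), net in zip(ROLES, subnets):
        gateway = net.network_address + 1  # assumption: SVI on the Cat-3550 at the first host
        plan[f"VLANB{bldg}_{role}"] = {
            "vlan_id": vlan_id(bldg, suffix),
            "subnet": net,
            "gateway": gateway,
            "dhcp_scopes": split_scope(net),
            # never handed out by DHCP: network address, gateway, broadcast
            "dhcp_exclusions": {net.network_address, gateway, net.broadcast_address},
            "usable_hosts": net.num_addresses - 2,
        }
    return plan


def switch_addresses(bldg, count):
    """Management addresses 10.254.X.200, .201, ... for `count` switches."""
    if count < 1 or 200 + count - 1 > 254:
        raise ValueError("10.254.X.200-254 allows at most 55 switches per building")
    base = ipaddress.ip_address(f"10.254.{bldg}.200")
    return [str(base + i) for i in range(count)]


def check_plan(plan):
    """Unique VLAN IDs, disjoint subnets, DHCP halves inside their subnet and
    non-overlapping, and the gateway excluded from whichever half contains it."""
    ids = [v["vlan_id"] for v in plan.values()]
    if len(ids) != len(set(ids)):
        return False
    nets = [v["subnet"] for v in plan.values()]
    if any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:]):
        return False
    for v in plan.values():
        (s1, e1), (s2, e2) = v["dhcp_scopes"]
        if not all(a in v["subnet"] for a in (s1, e1, s2, e2)) or not e1 < s2:
            return False
        if v["gateway"] not in v["dhcp_exclusions"]:
            return False
    return True


if __name__ == "__main__":
    plan = plan_for_building(14)
    for name, v in plan.items():
        (s1, e1), (s2, e2) = v["dhcp_scopes"]
        print(f"{name:16} VLAN {v['vlan_id']:<4} {v['subnet']}  gateway {v['gateway']}")
        print(f"{'':16} DHCP1 {s1}-{e1}  DHCP2 {s2}-{e2}")
    print("switches:", ", ".join(switch_addresses(14, 3)))
    print("plan consistent:", check_plan(plan))
```

Running it for building 14 reproduces the values in this section (VLANs 14, 142, 143; 10.14.0.0/20, 10.14.16.0/20, 10.14.32.0/20; the .0.0-.7.254 and .8.0-.15.254 halves; switches 10.254.14.200 onward). Trying building 100 makes vlan_id() refuse 1002, which is the reserved-range collision noted above.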

VLAN Scheme for Student Dorms:
It is proposed to have one non-default VLAN for all student dorm buildings:
1) Students VLAN
This VLAN will be created on each switch and a naming convention will be followed. The VLAN would be named VLAN + Bldg #; for example, the VLAN name for student dorm building 801 would be VLAN801. A VLAN number scheme will also be followed for these VLANs in all the switches: the VLAN ID is the Bldg #. For example, the VLAN ID for student dorm building 801 would be 801.



IP addressing:
The IP address structure would be as follows:
10.80.X.0/24 for buildings 801 to 816, where X ∈ 1 to 16
10.90.X.0/24 for buildings 901 to 903, where X ∈ 1 to 3
For example, the IP addressing for Bldg 801 would be 10.80.1.0/24 and for Bldg 901 it would be 10.90.1.0/24. This addressing scheme would accommodate 254 computers per VLAN (254 usable addresses, one of which is the gateway).

DHCP Scope:
The scope of the DHCP server would be as follows:
10.80.X.0 – 10.80.X.254 for buildings 801 to 816, where X ∈ 1 to 16
10.90.X.0 – 10.90.X.254 for buildings 901 to 903, where X ∈ 1 to 3
This scope would be further divided between two DHCP servers for redundancy.
The scope in the first DHCP server would be:
10.80.X.0 – 10.80.X.126 for buildings 801 to 816, where X ∈ 1 to 16
10.90.X.0 – 10.90.X.126 for buildings 901 to 903, where X ∈ 1 to 3
The scope in the second DHCP server would be:
10.80.X.128 – 10.80.X.254 for buildings 801 to 816, where X ∈ 1 to 16
10.90.X.128 – 10.90.X.254 for buildings 901 to 903, where X ∈ 1 to 3
(.127 falls in neither half and .255 is the broadcast address of the /24; as in the academic buildings, the network and gateway addresses must be excluded from the scope.)



For example, the scope in the first DHCP server for Bldg 801 and Bldg 901 would be:
10.80.1.0 – 10.80.1.126
10.90.1.0 – 10.90.1.126
and the scope in the second DHCP server for Bldg 801 and Bldg 901 would be:
10.80.1.128 – 10.80.1.254
10.90.1.128 – 10.90.1.254

Switch IP address:
The switch IP address convention would be as follows (a dorm building number cannot be used directly as the third octet, since 801 and above exceed 255):
The IP address of switches for Bldg 801 to 809 would start from 10.254.81.200. For example, for Bldg 801 the switch IP addresses would be 10.254.81.200, 10.254.81.201 and so on.
The IP address of switches for Bldg 810 to 816 would start from 10.254.180.200. For example, for Bldg 810 the switch IP addresses would be 10.254.180.200, 10.254.180.201 and so on.
The IP address of switches for Bldg 901 to 903 would start from 10.254.91.200. For example, for Bldg 901 the switch IP addresses would be 10.254.91.200, 10.254.91.201 and so on.

VLAN Scheme for Buildings on Pair Gains:
It is proposed to have one non-default VLAN for all buildings on pair gain. This VLAN will be created on each switch and a naming convention will be followed. The VLAN would be named VLAN + Bldg #.



For example, the VLAN name for building 26 (on pair gain) would be VLAN26. A VLAN number scheme will also be followed for these VLANs in all the switches: the VLAN ID is the Bldg #. For example, the VLAN ID for building 26 would be 26.

IP addressing:
The IP address structure would be 10.60.X.0/24, where X is the building number. For example, the IP addressing for Bldg 26 would be 10.60.26.0/24. This addressing scheme would accommodate 254 computers per VLAN.

DHCP Scope:
The scope of the DHCP server would be 10.60.X.0 – 10.60.X.254, where X is the building number. This scope would be further divided between two DHCP servers for redundancy.
The scope in the first DHCP server would be 10.60.X.0 – 10.60.X.126 and the scope in the second DHCP server would be 10.60.X.128 – 10.60.X.254, where X is the building number.
For example, the scope in the first DHCP server for Bldg 26 would be 10.60.26.0 – 10.60.26.126, and the scope in the second DHCP server for Bldg 26 would be 10.60.26.128 – 10.60.26.254.

Switch IP address:
The IP address of switches for buildings on pair gain would start from 10.254.X.200, where X is the building number. For example, for Bldg 26 the switch IP addresses would be 10.254.26.200, 10.254.26.201 and so on.

VLAN implementation for Server Farms
The current IP addressing scheme for the server farms has three VLANs:
196.15.32.0/24
196.15.33.0/24
10.140.0.0/16
This IP addressing scheme is not being changed in the proposed VLAN implementation plan.

VLAN implementation for RAS
The current IP addressing scheme for RAS is 10.253.9.0 – 10.253.10.254.

VLAN implementation for ADSL
It is proposed to have 12 VLANs for the faculty housing buildings connected through ADSL. The IP addressing scheme for these buildings would be 10.253.X.0/24, where X ∈ 100 to 112. (Note that 100 to 112 inclusive is 13 values, one more than the 12 VLANs proposed, so either one /24 is spare or the range should end at 111.)
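Objectives 2 and 4 depend on the layer-3 ACLs that the addressing above makes possible, and an ACL is easiest to get wrong at its edges: DHCP requests leave a client with source 0.0.0.0, so an entry written only for the student subnet will silently break address assignment, and the implicit deny at the end of every Cisco ACL drops whatever was forgotten. The following is an added example, not the report's own ACL (the report does not list the services to be restricted): it models a candidate inbound ACL for the building 14 student SVI, evaluates it against constructed flows, and renders it in Cisco IOS extended-ACL syntax for the Cat-3550. The policy choices (DHCP, DNS, the server farms and web allowed; the faculty and wireless VLANs blocked), the placeholder DNS server 10.140.0.53 and the ACL name STU14-IN are assumptions.

```python
# Added example (not from the report): model, test and render the layer-3 ACL
# for the building 14 student VLAN. The policy, the DNS server 10.140.0.53 and
# the ACL name are assumptions; the subnets are the report's.
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "action proto src dst dport")  # dport None = any port
Flow = namedtuple("Flow", "proto src dst dport")


def net(s):
    return ipaddress.ip_network(s)


ANY = net("0.0.0.0/0")
FAC_STF_14, STU_14, WLAN_14 = net("10.14.0.0/20"), net("10.14.16.0/20"), net("10.14.32.0/20")
SERVER_FARMS = [net(n) for n in ("196.15.32.0/24", "196.15.33.0/24", "10.140.0.0/16")]
DNS_SERVER = net("10.140.0.53/32")  # assumed placeholder inside the server-farm block

# Applied inbound on the student SVI (Vlan142), i.e. to traffic leaving the student
# VLAN. First match wins; the last entry makes the IOS implicit deny visible.
STUDENT_IN = [
    Entry("permit", "udp", ANY, ANY, 67),              # DHCP discover has source 0.0.0.0
    Entry("permit", "udp", STU_14, DNS_SERVER, 53),
    Entry("deny",   "ip",  STU_14, FAC_STF_14, None),  # objective 4: faculty PCs unreachable
    Entry("deny",   "ip",  STU_14, WLAN_14, None),
    *[Entry("permit", "ip", STU_14, farm, None) for farm in SERVER_FARMS],
    Entry("permit", "tcp", STU_14, ANY, 80),
    Entry("permit", "tcp", STU_14, ANY, 443),
    Entry("deny",   "ip",  ANY, ANY, None),
]


def evaluate(acl, flow):
    """Return 'permit' or 'deny' for a flow; unmatched flows hit the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if flow.src not in e.src or flow.dst not in e.dst:
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action
    return "deny"


def ios_addr(n):
    """IOS address form: any, host x.x.x.x, or network plus wildcard mask."""
    if n == ANY:
        return "any"
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.hostmask}"


def to_ios(name, acl, svi):
    """Render the ACL as an IOS named extended ACL and bind it inbound on the SVI."""
    lines = [f"ip access-list extended {name}"]
    for e in acl:
        port = f" eq {e.dport}" if e.dport is not None else ""
        lines.append(f" {e.action} {e.proto} {ios_addr(e.src)} {ios_addr(e.dst)}{port}")
    lines += [f"interface {svi}", f" ip access-group {name} in"]
    return "\n".join(lines)


def flow(proto, src, dst, dport=None):
    return Flow(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


if __name__ == "__main__":
    # Constructed flows from a student PC at 10.14.20.5 (203.0.113.10 is a documentation address)
    cases = [flow("tcp", "10.14.20.5", "10.14.3.7", 445),       # faculty PC share -> deny
             flow("tcp", "10.14.20.5", "196.15.32.10", 22),     # server farm -> permit
             flow("tcp", "10.14.20.5", "10.14.35.9", 80),       # wireless user -> deny
             flow("tcp", "10.14.20.5", "203.0.113.10", 443),    # web -> permit
             flow("tcp", "10.14.20.5", "203.0.113.10", 22),     # any other service -> deny
             flow("udp", "0.0.0.0", "255.255.255.255", 67)]     # DHCP discover -> permit
    for f in cases:
        print(f"{f.proto} {f.src} -> {f.dst}:{f.dport}: {evaluate(STUDENT_IN, f)}")
    print(to_ios("STU14-IN", STUDENT_IN, "Vlan142"))
```

The deny entries for the faculty and wireless subnets sit before the broad permits on purpose: because the first match wins, moving them after the server-farm or web entries would not change the outcome for those destinations, but moving them after a hypothetical "permit ip 10.14.16.0 0.0.15.255 any" would silently void objective 4. A mirror-image ACL on the wireless SVI (Vlan143) follows the same pattern with WLAN_14 as the source.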



Practical VLAN Implementation Problems
In this section we discuss some practical VLAN implementation problems, the management overhead associated with them, and how to overcome them.

VTP & HP Switches
Until now, VLAN separation has been performed at the Cat-3550 level: a particular port on the Cat-3550 is assigned to a VLAN, and no VLANs are created on the L-2 (HP) switches. To propagate VLAN information from the L-3 switches to the L-2 switches Cisco uses VTP, which is a Cisco proprietary protocol. VTP is not implemented on the HP switches, so they will not learn the VLANs automatically; if VLAN separation is performed at the L-2 switch level, that is, if more than one non-default VLAN is used on an HP switch, the VLANs have to be defined manually on each switch and assigned port by port. Furthermore, 802.1Q trunking on the uplinks to the L-3 switch in each building has to be configured manually at both ends.

Separation of LAB & Fac/Staff PCs at switch level
In most buildings there is no clear separation between lab and faculty/staff switches: from one HP switch some cables go to the computer lab and some to faculty and staff computers. Therefore the only way to implement the VLANs is to define them on the HP switches and assign ports individually. The simplest way to do this is to collect the MAC addresses of the lab PCs by visiting each PC, look each MAC address up in the switch's MAC address table to find the port it is learned on, and assign that port to the desired VLAN. It can be assumed that all active ports which do not belong to labs belong to faculty/staff. A port on which both lab and non-lab MAC addresses are learned (a hub or a daisy-chained switch behind it) cannot be separated this way and must be re-cabled first.

Reconfiguration of each HP Switch through Console
Needless to say, this requires visiting all the lab PCs and then manually configuring all the switches through the console. It would not be possible to configure the switches remotely: currently the management addresses of the switches belong to the building VLAN, but once more than one non-default VLAN is implemented on a switch it is essential to move its management address to VLAN 1. As soon as another VLAN is defined and trunking is enabled, the management station would lose its telnet session to the switch's management IP address. Note that VLAN 1 is also the default VLAN of every untagged port and the native VLAN on trunks, so a dedicated management VLAN with no user ports, reached over SSH rather than telnet where the switches support it, would be the safer choice.


Procedure for Implementation
• All PC labs will be visited to obtain the MAC addresses of the PCs.
• MAC addresses will be looked up in the switch MAC address table to obtain the port number to which they belong on the switch, and the corresponding ports will be assigned to the respective VLAN.
• It can be assumed that all active ports which do not belong to labs belong to faculty/staff.
• Each switch will be reconfigured manually through the console to assign the management IP and to create the VLANs.
• All ports on the switches will be labelled with the VLAN the port belongs to.
• All unused ports on the switches will be disabled (so that no new connection is given without the consent of the Infrastructure group).
• An email will be sent to all users in a particular building prior to implementing this scheme in that building to inform them of the network outage.
• Network drawings will be modified after the scheme is completely implemented and the entire configuration will be documented.
• The tentative date for completion of the project will be announced in the first week of July.
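The first six steps above reduce to one mapping: lab MAC addresses to switch ports, ports to VLANs, and everything else either faculty/staff, uplink or disabled. Doing that by hand for every switch is where cabling surprises get missed. The following is an added example, not part of the report: it takes the MAC list gathered by visiting the lab PCs and a switch MAC address table, decides per port whether it goes to the student VLAN, the faculty/staff VLAN, stays a tagged uplink or is disabled as unused, flags the two cases that still need a person at the switch (a port carrying both lab and non-lab MACs, and a lab PC that was not seen), and prints the result in ProCurve-style commands. The sample table text, the building 14 VLAN IDs, uplink port 24 and the output syntax are assumptions; check the syntax against the switch's own CLI reference before pasting it.

```python
# Added example (not part of the report): automate the port-to-VLAN assignment
# step of the procedure. Sample data is constructed; the building 14 IDs, the
# uplink port and the ProCurve-style syntax are assumptions.
import re

STU_VLAN, FAC_VLAN = 142, 14  # building 14 IDs from the scheme above
UPLINK_PORT = 24              # assumed trunk port toward the Cat-3550


def norm_mac(s):
    """Accept 00-1b-78-12-34-56, 00:1b:..., 001b78-123456 or 001b.7812.3456."""
    h = re.sub(r"[^0-9a-fA-F]", "", s).lower()
    if len(h) != 12:
        raise ValueError(f"bad MAC address {s!r}")
    return h


def parse_mac_table(text):
    """Parse '<mac>  <port>' lines (assumed table layout) into {mac: port}."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-fA-F][0-9a-fA-F:.\-]+)\s+(\d+)\s*$", line)
        if m:
            table[norm_mac(m.group(1))] = int(m.group(2))
    return table


def assign_ports(lab_macs, mac_table, all_ports, active_ports, uplink=UPLINK_PORT):
    """Return ({port: decision}, [problems]); a decision is a VLAN ID, 'disable',
    'tagged-uplink' or 'review'."""
    lab = {norm_mac(m) for m in lab_macs}
    by_port = {}
    for mac, port in mac_table.items():
        by_port.setdefault(port, set()).add(mac)
    decisions, problems = {}, []
    for port in sorted(all_ports):
        if port == uplink:
            decisions[port] = "tagged-uplink"
        elif port not in active_ports:
            decisions[port] = "disable"  # unused: no new connection without Infrastructure's consent
        else:
            macs = by_port.get(port, set())
            lab_here = macs & lab
            if lab_here and macs - lab_here:
                # hub or daisy-chained switch behind the port: one port cannot be in two VLANs
                decisions[port] = "review"
                problems.append(f"port {port}: lab and non-lab MACs learned on one port")
            elif lab_here:
                decisions[port] = STU_VLAN
            else:
                decisions[port] = FAC_VLAN  # report's rule: active non-lab port = faculty/staff
    for mac in sorted(lab - set(mac_table)):
        problems.append(f"lab MAC {mac} not in the table (PC off?); re-check before cutover")
    return decisions, problems


def procurve_config(bldg, decisions):
    """ProCurve-style VLAN membership and port-disable commands (assumed syntax)."""
    members = {FAC_VLAN: [], STU_VLAN: []}
    uplinks, disabled = [], []
    for port, d in decisions.items():
        if d in members:
            members[d].append(str(port))
        elif d == "tagged-uplink":
            uplinks.append(str(port))
        elif d == "disable":
            disabled.append(str(port))
    lines = []
    for vid, role in ((FAC_VLAN, "FAC_STF"), (STU_VLAN, "STU")):
        lines += [f"vlan {vid}", f"   name VLANB{bldg}_{role}"]
        if members[vid]:
            lines.append(f"   untagged {','.join(members[vid])}")
        lines += [f"   tagged {','.join(uplinks)}", "   exit"]
    lines += [f"interface {p} disable" for p in disabled]
    return "\n".join(lines)


# Constructed sample data for one 24-port HP switch in building 14
LAB_MACS = ["00-1B-78-12-34-56", "00:1b:78:ab:cd:ef", "001b.78de.adbe"]
MAC_TABLE = """\
MAC Address     Port
001b78-123456   5
001b78-abcdef   7
0050ba-00aa01   3
0050ba-00aa02   7
000c29-112233   24
"""
ALL_PORTS, ACTIVE_PORTS = range(1, 25), {3, 5, 7, 12, 24}

if __name__ == "__main__":
    decisions, problems = assign_ports(LAB_MACS, parse_mac_table(MAC_TABLE), ALL_PORTS, ACTIVE_PORTS)
    print(procurve_config(14, decisions))
    for p in problems:
        print("REVIEW:", p)
```

With the constructed data, port 5 goes untagged into VLAN 142, ports 3 and 12 into VLAN 14 (port 12 is up but has learned nothing, so the report's faculty/staff default applies), port 7 is held for review because a lab MAC and an unknown MAC share it, the third lab PC is reported as unseen, and every other port is disabled. Port 12 is worth a second look before cutover for the same reason as the missing PC: an active port with no learned address may simply have been idle when the table was read.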

Change Management Policy and Coordination
This VLAN scheme would require strong cooperation and coordination between the hardware group and the infrastructure group. A procedure would have to be followed even for swapping one network connection for another, even on the same port, because the VLAN assigned to the port now determines what the connected PC can reach. For each new network connection the infrastructure group would be consulted to make sure that the port is assigned to the correct VLAN. Educating the ITC staff would be an important part of the success of this scheme.

Conclusion The above discussion has highlighted the proposed VLAN schemes and their implementations. Simplicity is the key for success and we have tried to make this scheme simple, yet effective.


