Answer the question
In order to leave comments, you need to log in
How to organize a network (theory)?
Help me figure out how to build a network from scratch. The questions are rather theoretical, but I want to understand how you would do it. Who is bored and who wants to digress from the current news, I will be grateful for a little educational program.
PS Now I'm reading a series of articles "Networks for the smallest", still in the process.
For example, there is an understanding of what will happen in the end:
- 300-450 PCs
- 50 printers
- 15 servers
- 200-300 phones
- 100 cameras
- switches if necessary
We put an L3 switch that will drive the flow, we add it as a gateway.
Question 0 : Under what condition do we make Vlans on it and how critical are they? Only in those cases when we clearly understand that it will be necessary to isolate some kind of network from the outside?
Preparing the zone for PC users.
Question 1 : The PC is greater than 253, which means the /24 mask does not work, therefore, you will need to increase the mask to 23 or 22 so that more devices can fit on one network segment, right?
Question 2 : What subnet addressing should be given with these PCs? I read that the variations 192.168.1.* and 192.168.0.* are undesirable because they are issued to home routers, etc. It turns out that if you issue addresses for 300+ PCs, then you need to make a network, for example, 192.168.111.0/22 (conditionally), right?
Question 3: Follows from the 2nd question. I often met articles that people within the network do not address classically 192.168.*.*, but do it with addresses 10.10.100,*/24 and similar. What is the difference between this numbering? Why make it so complicated and give an address from such a pool? Why not use the standard one?
Question 4 : Do I need to do Vlan for the entire address pool? For example, Vlan111 "users", will situations arise that it is needed specifically for the entire pool of working PCs, or since access to everything is always given, then there is no point in a PC vlan, unlike cameras or telephony, where there may be access restrictions to other networks?
After we have made a network for workstations, we move on to the servers.
Question 5: Is it better to address servers in the same sequence as user PCs? If users were on the 111.* network, then the servers can be made on the 110.*/24 network, don't you need to give fundamentally different networks?
Question 6 : Is it best to make a separate Vlan for servers and set up routing between all the others on L3 at once? Adding servers to the subnet with user PCs 111.*/2 isn't a better solution?
Cameras and phones.
Question 7 : Telephony has its own voice Vlan, as I understand it. How justified is it to plug the phone into the network, and plug the PC into the phone in order to use one common socket instead of two? In addition to saving money, what is the point of this action in terms of risks? In fact, this turns out to be an additional point of failure in the PC, if the network on the phone fails.
Question 8 : It’s better to immediately make a network with cameras a separate Vlan, or it’s generally better to install a separate switch so that 24/7 traffic turns only on it, and on this switch, on one port, throw the Vlan into another switch to access the desired server / employee to these cameras?
Printer.
Question 9 : Do I need to make a separate Vlan for printers or is it recommended to add them to a common subnet with user PCs?
Perhaps I missed some other points, and tell me what to pay attention to in addition.
Answer the question
In order to leave comments, you need to log in
We put an L3 switch that will drive the flow, we add it as a gateway.
I will describe my working scheme, it is simple and logical and very easy to scale.
1. org. is taken as a basis. the structure of the organization and the principle of paranoia (accountants faint if they see a computer of personnel officers in a network environment or, God forbid, mere mortals).
That is, the number of subnets = the number of org. divisions.
2. the principle of distribution of networks and vlan. VLAN ID N contains a network like 192.168.nx/24. n in the range from 2 to 130 (yes, I have a lot of subnets, each with a conditional dimension of 2 to 200 devices).
With subnets other than /24, sudden problems can arise - some devices cannot accept a different mask over DHCP the first time (my network printers and Windows 95 were buggy). The network may be 10.xyz - this is a matter of taste, the integrator tried to impose a scheme on me where the digits are the floor and the switch number, but this would be logical for a homogeneous residential building, but not for an organization where one structural unit can occupy premises on different floors and connected to different switches.
3. If network printers are assigned to subdivisions and are located in the same office with them, then the printer falls into the same subnet as its subdivision.
4. servers sit in their own separate multi-subnet, BUT if it is a bookkeeping server, then an interface with accounting vlan and ip is added to it in order to minimize traffic through the router and yes, the common file server has 130 vlan and ip.
When a database of several gigabytes flies over the network at a speed of 800-900 megabits, severe collisions are possible, especially if it flies from one subnet to another through a router.
5. I have more than 700 voip phones in my network and an exception is made for them - in their vlan subnet /22
6. the access control system and video cameras are generally placed on separate switches.
Video cameras and, for example, audio / video conferencing systems sometimes have mechanisms that use broadcasts / multicasts, and this can become a very big problem - it is controlled by fine-tuning the switches.
7. computer via phone - only with a shortage of sockets. The scheme is working if the switch supports macauthorization to the address (there is an option for the port, then it will not work correctly). In general, it's best not to.
8. I also have a guest subnet, where guests who are not included in the structure get.
9. Wi-Fi access points are strong in the managed network, but broadcast BSSID with a guest vlan and the ability to authorize by poppy with the ability to bind to vkan.
10. I have an enterprise level network on huawei s5700 hardware and it is fashionable to implement it on s2700 + network management server (radius with specific settings) + dhcp + dns. It is better to do DHCP on a separate computer, and not on a switch (switches are sometimes buggy, limited in functionality and it is better not to load them with unnecessary load). I have a router on Linux with the same problem - the switch had restrictions on the number of rules (ACL), and on Linux you could do anything. Also in the management network there is a tftp server for storing and distributing switch configs.
That's how it is. And I strongly advise you to read the documentation and consult with senior comrades. Each element has a huge number of non-obvious nuances.
The 10.0.0.0 network is used because it is convenient to make networks > /24, and in the second octet you can encrypt the geography (office number, region code, area of responsibility, etc., for example, 10.77.XX - the address range for Moscow ).
Of course, you need a bunch of vlans, you will be surprised, but you will have much more of them than you wrote. For example, there will be a management vlan right away (where the network equipment will be managed), a server management vlan (iLo, IPMI, iDRAC or whatever you have), a vlan with "public" IP addresses (will there be Internet in the office?), a server vlan for users (file shares), vlans for technology servers (all sorts of syslogs, zabbixes), sooner or later two vlans for Wi-Fi (guest and internal), vlans for docking networks (from L3 switch to router, between L3 switches, etc.). d.).
The main economic characteristic of the switch is the price per port. As a rule, ports with PoE are used for telephony, they cost 2.5 times more than ports without PoE. With the money saved, it is better to buy spare parts for phones.
Sometime later you will come to setting up QoS for telephony, at least on links from aggregation. This is easiest to do when the phones are allocated to a separate vlan.
For video surveillance, again, as a rule, ports with PoE are used. Cameras, of course, are better in a separate vlan, which is put into a separate port. The traffic from the cameras is capacious, but at the same time does not cause a strong user negative, it will easily beat 1GE.
0. Yes
1. Yes
2. Yes. Only 192.168.111.0 - will not work for mask 22. You need to tighten up the theory on IP addressing.
3. There are no classic / non-classic options. Google "gray IP addresses", you will find out that the 10.0.0.0/8 subnet is quite a "classic" gray subnet. Usually they use the 10th subnet where there are a lot of computers on the network - several thousand.
4. Usually, VLAN0 is used for the "general" vlan, it is also the default vlan. In switches, usually, this VLAN already exists and all ports are included in it as not tagged, and, in my opinion, this cannot be changed.
5. Doesn't matter. Look at the fact. For example, for some reason you have a group of computers in your VLAN or your subnet and it needs its own server,
Keep in mind that placing servers on different subnets will require routing between subnets. This can often be due to additional traffic forwarding that can be avoided by placing the servers on the same subnet as the users.
In general, external factors often play here, for example, additional security requirements for some servers, etc.
6. same as 5.
7. IP telephony, like cameras, also generates network traffic, if there is too much of it, it can interfere with the normal operation of the network. Stupid network overload, additional load on the switch, large lags, etc. By the way - and vice versa, the same is true - if the load on the network increases, then you may encounter the fact that it will become difficult to talk on the phone. And in general, in the event of an emergency on the network, it’s good when at least the phones work. And you know - the failure of the network adapter in any PC, it starts to flood packets into the network and the phones stop working the same - a local apocalypse.
8. Yes.
9. I doubt that there are any recommendations. I have always placed the printer on the same subnet and vlan as its users. Naturally, a separate sub-range of addresses is allocated for the printer, which is not distributed to users via DHCP. If you have a centralized print server, it may be more convenient to allocate the printer to a separate subnet / vlan. In my opinion, if there are no additional requirements / wishes, then there is no point in complicating the scheme.
0. Not only from outside, but also outside
1. It is not necessary to shove all PCs into one segment, especially if users are engaged in very diverse tasks.
2. 192.168.x.x is considered bad manners by some due to the fact that most equipment defaults to these addresses, and if you plug a conditional Tupolink into the network without preparation, it is believed that it will cause more problems than if it were plugged into 10.х.х.х, and also if you have to build VPN networks to remote workers, routing collisions with their dumb links may occur
3. Read the theory of ip addressing - 10 can be divided into smaller subnets, in fact, like 192.168. on /25+ subnets - for what and as described in theory, as well as the pros / cons of these solutions.
4. Bestpractice - each pool has a vlan - in reality, it usually turns out that way.
it usually does not make sense to shove several subnets into a vlan (if not ultra-low-price equipment)
5. Depending on the purpose, IB policy,
etc.
and no prospects - a computer through the phone. If the workplace has only 2 sockets - a printer via a phone, if there are enough sockets and ports on the switches - ideally, each device is separate, and phones are by poe. Otherwise: nothing works for me, because I forgot to plug the phone into the socket.
8. Separate switches and routers, including those with partitions along the perimeters, otherwise the network and information security may be bad
9. By location and requirements
There is already a lot of things, they wrote, but just a cry from the heart: never use the 192.168.0.0/16 subband in corporate networks! As soon as you need to make VPN connections to "home" computers, remember. Not that there is something unsolvable, but why the extra problems? The 172nd and 10th are great, the second is more convenient in terms of remembering subnets or wilans.
It’s bad to turn on computers through phones: firstly, phones tend to freeze (rarely, but it happens), and secondly, there is often 100Mbps and not gigabit, and then it’s more convenient to monitor all devices through managed switches - one network card - one port.
Video surveillance I would take out in a separate physical network. Many cameras are hemorrhoids to set up, besides, the traffic there can be very sickly. And most importantly - through the camera you can get physical access to the grid, especially if there are external cameras.
By the way, another security issue: you don’t need to connect to the network via Wi-Fi, even if you really want to. For Wi-Fi - a separate network or weed, but it is better to use it in general only for accessing the Internet.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question