Computer networks
denn, 2022-01-11 03:23:39

What configuration to choose to build a network?

Hello. I finally received the long-awaited equipment. Now I'm sitting here scratching my head over the network configuration.
Initially, I planned it like this:
The MikroTik RB3011 router distributes the connection from the RTK provider. This router has IP 10.0.1.2
The following devices are connected to this router, with these IPs:

  1. Switch CRS328 10.0.1.3
  2. Active Directory server running on Linux 10.0.1.4
  3. VoIP Asterisk server 10.0.1.5
  4. Small web server on Linux 10.0.1.6
  5. NAS storage 10.0.1.7

Then hAP ac2 access points are connected to the CRS328 switch to distribute Wi-Fi to clients.
Clients on Wi-Fi receive IPs in 10.0.2.* . These clients should see the equipment connected to the RB3011 router.
There are also Wi-Fi printers. The printers will connect to these access points as well. Their IPs are in 10.0.3.* . Clients also need to see them and connect to them.
IP phones will be in 10.0.4.* . A separate switch will most likely be purchased for this. I have not yet decided how I will develop telephony.

But I was told that I was overcomplicating things with these IP divisions. Supposedly, you can take the easy route and have all devices receive their IP from the RB3011 router, with the CRS328 switch just working in bridge mode and supplying PoE to the access points.

So the question arose: how to proceed?

In general, I decided not to be clever and to run everything through the bridge. But now a question has come up about CAPsMAN. Where is the best place to put the controller? On the switch or on the router?

4 answer(s)
Armenian Radio, 2022-01-11
@gbg

Usually, the network is designed first, and then the hardware is bought. You somehow did it the other way around, which is strange.
It can be divided into the classic zones - Ext, Int and DMZ.
Ext includes what should not be available from the inside - for example, guest Wi-Fi.
Int - what should not be accessible from the outside - for example, file storage and workstations. Business-critical workstations, such as accounting and the general director, fall into their own separate zone (Int-VIP).
The DMZ gets what should be accessible both from inside and outside - for example, a WWW server and Asterisk.
All these VLANs, firewalls and zones are needed so that in the event of an infection or an external attack, not all machines go down, but only some small fraction (a cryptolocker downloaded by the driver should not reach the general director's workstation).
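
The zone split described in the answer above, written as a default-deny policy matrix. This is an added example, not part of the thread; the subnets, the WAN pseudo-zone and the list of allowed zone pairs are assumptions chosen for illustration.

```python
import ipaddress

# Assumed addressing (not from the thread): one routed subnet/VLAN per zone.
ZONES = {
    "WAN":     ipaddress.ip_network("0.0.0.0/0"),     # catch-all: the internet
    "Ext":     ipaddress.ip_network("10.0.10.0/24"),  # guest Wi-Fi
    "Int":     ipaddress.ip_network("10.0.20.0/24"),  # workstations, file storage
    "Int-VIP": ipaddress.ip_network("10.0.30.0/24"),  # accounting, general director
    "DMZ":     ipaddress.ip_network("10.0.40.0/24"),  # WWW server, Asterisk
}

# Default deny: a NEW connection between zones is forwarded only if listed here.
# Replies to established connections are assumed to be handled statefully.
ALLOWED = {
    ("WAN", "DMZ"), ("Int", "DMZ"), ("Int-VIP", "DMZ"),  # DMZ: inside and outside
    ("Ext", "WAN"), ("Int", "WAN"), ("Int-VIP", "WAN"),  # outbound internet
}

def zone_of(addr):
    """Map an IPv4 address to its zone by longest-prefix match."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    return max(matches)[1]

def allowed(src, dst):
    """True if a new connection src -> dst would pass the inter-zone policy."""
    s, d = zone_of(src), zone_of(dst)
    return s == d or (s, d) in ALLOWED  # same-zone traffic never crosses the firewall

def blast_radius(compromised):
    """Zones a compromised host at this address can open connections into."""
    s = zone_of(compromised)
    return sorted({s} | {d for (a, d) in ALLOWED if a == s})

if __name__ == "__main__":
    for src, dst in [("10.0.20.15", "10.0.30.5"),    # workstation -> director's PC
                     ("10.0.10.50", "10.0.20.15"),   # guest -> workstation
                     ("203.0.113.9", "10.0.40.10")]: # internet -> web server
        print(src, "->", dst, "allow" if allowed(src, dst) else "drop")
    print("infected workstation reaches:", blast_radius("10.0.20.15"))
```

In a single flat subnet every host sits in one zone, so the same check would return every machine on the network.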

Maxim Korneev, 2022-01-12
@MaxLK

On necrotic it will do as it is. Otherwise, a competent answer is more expensive than long-awaited equipment that it is not clear how to use :)
Broke once again from clay and sticks to make candy. Bought it - go for it!

Drno, 2022-01-11
@Drno

Push everyone into one net.
Into a separate one - only the guest Wi-Fi.
Set up everything, including CAPsMAN, on the central router.
That's all)

graf_Alibert, 2022-01-24
@graf_Alibert

I would divide it into subnets - management separately, the working network separately and guest separately. Then separate everything with VLANs and configure routing between the networks.
