Schools Layer 3 LAN Design - PowerPoint PPT Presentation

Slides: 12
Provided by: janeb89

Transcript and Presenter's Notes

1
Schools Layer 3 LAN Design
EMBC Regional Workshop, 10th March 2009
Carl Beckett, Solutions Architect, Synetrix
2
Agenda
  • Structured Approach
  • Layer Three Design
  • Physical Topology
  • Implementing the Layer Three Design
  • Resilient Network Topology

3
Structured Approach
  • Why?
    • School networks getting larger so management and problem determination become important (the simpler the better)
    • Different applications with different requirements
      • Curriculum PCs
      • Administration PCs (security)
      • Laptops for teachers and mobile workers (ease of access and security)
      • Laptops for students and pupils (ease of access)
      • IP phones, video (QoS)
      • IP enabled cash registers, photocopiers etc
  • The relevance of this is proportional to the size of the school

4
Should all schools change to this design?
  • Eventually... yes!!
  • However, in the short term the layer three design is strongly recommended for schools that:
    • Require more IP ranges
    • Wish to segment their own network by application or function and wish to implement security between these or provide special parameters (QoS) for certain applications
    • Wish to provide some applications to feeder schools

5
Recommended Schools Layer Three Design (larger schools)
[Diagram labels: WAN inter-connect subnet; EMBC network and internet; EMBC Router; Schools layer three switch(es)]
Security rules can be applied to the layer three switch, i.e. the mobile subnet may not be allowed to communicate with the administration subnet and some of the school servers, and some pupil subnets may not be able to access the schools systems subnet.
All of the IP ranges for the above subnets are derived from the school's allocated IP range(s).
6
Schools Layer Three Design
  • The layer three design shown earlier gives schools:
    • Use of VLANs to sub-divide network
    • Control of their own subnets
    • Ability to scale their own network
    • Ability to implement network level security within their own network
    • Manageability
  • However, it requires the following network equipment within the school:
    • Central layer three switch(es)
    • Layer two switches that support VLANs and VLAN trunking (IEEE 802.1q)

7
Schools Physical Topology Comments
  • The hierarchical design provides schools with:
    • Simple, manageable design (as opposed to daisy-chain design)
    • Ability to implement security and quality of service
    • Fully switched network
    • An easy to scale network
  • However, it requires that schools have fibre or good quality UTP installed between each wiring closet and the communications room.
  • Also, as the design is shown the central switch is a single point of failure. This can be rectified by installing two switches or installing a chassis-based switch with redundant components.

8
Schools Physical Topology
[Diagram labels: School servers; Workgroup switches (VLAN capable) in the wiring closets; EMBC network and internet; EMBC Router; Layer three switch(es)]
Each switch port is allocated to be in one of the school VLANs.
Each inter-connect link is set to trunk the required VLANs using IEEE 802.1q.
A hierarchical design brings about a simple, manageable network.
9
Implementing the layer three design
  • (It is assumed that, initially, this change will
    be accompanied by a request for additional IP
    ranges)
  • The school will be allocated additional IP ranges
    (either 1 or 4 class C ranges) AND a new range
    known as the WAN inter-connect range (8
    addresses)
  • The implementation of this design is DISRUPTIVE.
    It requires an outage of approximately one hour
    and it requires Synetrix / Affiniti to make
    routing changes on the wide area network.
  • To ensure the changes are successful and occur
    smoothly, the change process should arrange a
    mutually convenient time when the work can be
    carried out. It should be noted that when the
    Synetrix / Affiniti changes have been made on the
    WAN, the school will NOT be able to access the
    EMBC services or internet UNTIL it has made the
    required changes on its network.

10
Implementing the layer three design: the school changes
  • The school will need to complete the following steps:
    • Connect its layer three switch directly to the ethernet interface on the EMBC router and associate a VLAN with the switch port
    • Configure the routing interface for the above VLAN with the stated IP address from the WAN inter-connect range (at this stage, it should be possible to ping the corresponding WAN inter-connect IP address on the EMBC router)
    • Set up and configure on the layer three switch the curriculum and administration VLANs and corresponding routing interfaces (these addresses are those that were in operation on the EMBC router). Do NOT introduce any filters at this stage.
    • Configure a default route to the EMBC router's WAN inter-connect IP address on the layer three switch
    • TEST CONNECTIVITY from a curriculum (and administration) workstation
    • Configure additional VLANs and filters between VLANs (if required)
    • RE-TEST CONNECTIVITY

(Note: all workstations will have as their default route / gateway the IP address of the layer three switch corresponding to their VLAN. These will NOT need amending for the curriculum and administration VLANs.)
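
A planning check for the steps above, as an added example that is not part of the original presentation: it validates a constructed addressing plan (allocated range, the 8-address WAN inter-connect range, one subnet and routing interface per VLAN) and evaluates the inter-VLAN filters described on slide 5 against sample flows. All addresses, VLAN ids and function names are assumptions made for illustration.

```python
import ipaddress as ip
from itertools import combinations

# Constructed sample plan (addresses, VLAN ids and names are assumptions, not from the slides).
ALLOCATED = [ip.ip_network("10.20.0.0/22")]   # equivalent in size to four class C ranges
WAN_LINK = ip.ip_network("10.255.0.8/29")     # WAN inter-connect range: 8 addresses
EMBC_ROUTER = ip.ip_address("10.255.0.9")     # next hop of the switch's default route
VLANS = {                                     # name: (VLAN id, subnet, switch routing interface)
    "curriculum":     (10, "10.20.0.0/24", "10.20.0.1"),
    "administration": (20, "10.20.1.0/25", "10.20.1.1"),
    "mobile":         (30, "10.20.1.128/25", "10.20.1.129"),
    "pupil":          (40, "10.20.2.0/24", "10.20.2.1"),
    "systems":        (50, "10.20.3.0/24", "10.20.3.1"),
}
FILTERS = [("mobile", "administration", "deny"), ("pupil", "systems", "deny")]  # first match wins

def check_plan():
    """Return a list of problems with the addressing plan (empty list = consistent)."""
    problems = []
    if WAN_LINK.num_addresses != 8 or EMBC_ROUTER not in list(WAN_LINK.hosts()):
        problems.append("WAN inter-connect range or default-route next hop is wrong")
    nets = {name: ip.ip_network(subnet) for name, (_, subnet, _) in VLANS.items()}
    for name, (_, _, gateway) in VLANS.items():
        if not any(nets[name].subnet_of(a) for a in ALLOCATED):
            problems.append(f"{name}: subnet is outside the allocated range")
        if ip.ip_address(gateway) not in list(nets[name].hosts()):
            problems.append(f"{name}: routing interface is not a host address in its subnet")
    for a, b in combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            problems.append(f"{a} overlaps {b}")
    return problems

def vlan_of(addr):
    """Name of the VLAN whose subnet contains addr, or None for off-site addresses."""
    a = ip.ip_address(addr)
    return next((n for n, (_, s, _) in VLANS.items() if a in ip.ip_network(s)), None)

def decide(src, dst):
    """Apply FILTERS to one flow as it is routed between VLANs on the layer three switch."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is not None and s == d:
        return "permit"            # same VLAN: switched at layer two, never routed or filtered
    for f_src, f_dst, action in FILTERS:
        if (s, d) == (f_src, f_dst):
            return action
    return "permit"                # unmatched traffic is routed normally, including off-site

if __name__ == "__main__":
    print(check_plan(), decide("10.20.1.130", "10.20.1.10"), decide("10.20.1.130", "192.0.2.50"))
```

The filters are modelled as one-directional and stateless, so an administration-to-mobile flow is permitted here while its replies would match the mobile-to-administration deny; how a real switch treats return traffic depends on the platform, which the slides do not specify.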
11
Schools Physical Topology With Resilience
[Diagram labels: School servers; Workgroup switches (VLAN capable) in the wiring closets; EMBC network and internet; EMBC Router; Layer three switches or single chassis-based layer three switch]
Each switch port is allocated to be in one of the school VLANs.
Each workgroup switch has an uplink to each of the core switches with spanning tree and/or VRRP being used to achieve automatic failover.