The problem
The business has an HQ and two branch offices. The HQ occupies three buildings; the production line takes up two of them. The third is a four-floor building that houses the management and R&D departments, each taking up half the space. There are two wiring closets on every floor; the central wiring closet is on the ground floor, which is also where all the servers (domain, file, e-mail, business, Intranet and testing servers, plus the DMZ servers: WWW, FTP, e-mail and business applications) are located. The connection to the ISP and the ISP's MPLS links to the remote offices terminate here as well. Optical fibres run from the central wiring closet to the production line buildings and terminate in those buildings' aggregation wiring closets. Each of the two production buildings has 8 local wiring closets, linked back to the central wiring closet through the building's aggregation closet. Users, machines, printers, plotters and photocopiers connect to these local closets. Each remote office has a warehouse and a smaller production line, and one of them also has a local management department. Each remote location has some R&D and a minimal business administration department. The R&D and production line servers are located at the remote location, but the central location's business application servers are used. The Internet is reachable only through the HQ.
The business wants to redesign the Local Area Network at all three locations. All users should have an access port speed of 10/100/1000 with PoE support. The backbone links should all be 10G, and the servers should also be connected to 10G ports. To raise the level of network security, 802.1X authentication (integrated with the LDAP domain server) is planned. Every location should now have direct access to the Internet, and the firewalls should be centrally managed, which enables simpler configuration and the use of common security policies. The firewalls should not only provide VPNs and traffic control at Layer 4, but also higher-layer functionality (antivirus, antispam, IPS, web filtering, DDoS attack prevention...). To ensure uninterrupted business services, redundancy at the physical and logical layers of the network is required. A new wireless network based on the IEEE 802.11n-2009 standard is also planned. The WLAN should provide guest Internet access, employee mobility and the mobility of production line and warehouse staff. Network coverage between the HQ buildings is also required. The WLAN should provide a high level of security, and its authentication should be integrated with the LDAP domain server for easy central user access management. The entire network should support IPv4 and IPv6 in dual-stack.
An important aspect of the new LAN is the Disaster Recovery Centre (DRC) that the business wants to build at one of its remote offices, which has appropriate space. The DRC should ensure the continuity of business services in the event of a disaster, with security at the highest level. The communication links should guarantee appropriate bandwidth and should also be redundant. Since the company has only a minimal number of internal network administrators, the solution should meet the networking demands for at least the next five years, network management should be simple, and network throughput and dependability should be as high as possible.
The solution
The customer's requirements call for a design using a central modular Layer 3 switch at the HQ. To ensure redundancy, the central switch should have redundant power supplies, redundant supervisors, redundant switch fabric modules and redundant interface modules, including an appropriate number of free module slots for future upgrades. Servers will be connected to 10G Base-X, 1000 Base-X or 10/100/1000 Base-T Ethernet ports. 10G Base-X modules will be used to connect the edge wiring closets' switches and the aggregation wiring closets' switches in the production line buildings. These two aggregation switches are smaller Layer 3 modular switches with redundant power supplies, redundant supervisor modules, redundant 10G Base-X interface modules and a minimal number of free module slots for future upgrades. The central switch will be connected to each aggregation switch using two 10G Base-LR connections bundled with 802.3ad link aggregation, with the two member ports terminating on two different interface modules (distributed LAG, DLAG), so that a single module failure does not take down the link. The 24- or 48-port edge switches will have 10/100/1000 PoE ports to connect users and devices. Where more access ports are needed, the edge wiring closet will have multiple stacked switches. The edge switch (or stack of switches) will have a 10G Base-LRM primary link to the central or aggregation switch, and a backup link to the neighbouring edge switch. Loop prevention on the resulting ring will use RSTP (IEEE 802.1D-2004), so the backup link stays blocked until the primary link fails.
The two remote offices will each have a mid-sized Layer 3 modular switch, used to connect the edge switches and the servers. The switches will have redundant power supplies, redundant supervisor modules, redundant 10G Base-X interface modules, redundant 10/100/1000 Base-T and 1000 Base-X interfaces and a minimal number of free module slots for future upgrades. The edge switches will be the same as at the HQ, using the same type of links. At the logical layer, the network will be segmented into VLANs; each location will have management, server, Internet access and multiple user networks for the various departments. VLANs will be routed on the central and aggregation switches, and OSPF will be used to dynamically route traffic between them. The DRC location requires a high-speed connection, and the most rational (price/performance) decision turns out to be an Ethernet radio link. The distance between the locations allows two Ethernet radio links with a bandwidth of 360 Mbit/s each. The radio links will run between the central location and the first remote office, which is also where the DRC is located. To guarantee secure transmission, Layer 2 hardware encryptors will be used; these add only a small fixed per-frame overhead and negligible latency, so the link's capacity remains almost fully usable. The MPLS network will be used for backup links, where traffic will be secured using site-to-site IPsec VPNs between the firewalls.
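Before committing to the radio links for DRC replication it is worth quantifying what the encryptor actually costs, since "negligible" depends on frame size. The following is an added example, not part of the original design document: it models goodput on the 360 Mbit/s links with Ethernet framing and an assumed 32-byte per-frame encryption overhead (the figure MACsec adds: 16-byte SecTAG plus 16-byte ICV), and estimates how long a replication delta takes over the pair. The link rate is taken from the text; the overhead, frame sizes and the 500 GB dataset are assumptions for illustration.

```python
# Added example: sizing the DRC radio links with a Layer 2 encryptor in the path.
# The 32-byte per-frame overhead (MACsec SecTAG + ICV), the frame sizes and the
# 500 GB dataset are assumptions for illustration, not figures from the design.

ETH_HEADER_FCS = 14 + 4     # destination/source MAC + EtherType, plus FCS
PREAMBLE_IFG = 8 + 12       # preamble/SFD and minimum inter-frame gap, consumed on the wire
ENCRYPTOR_OVERHEAD = 32     # assumed per-frame cost of the Layer 2 encryptor


def goodput_mbps(link_mbps, payload_bytes, extra_bytes=0):
    """Usable payload rate on a link of link_mbps carrying frames of payload_bytes,
    with extra_bytes of per-frame overhead added by an in-line encryptor."""
    on_wire = payload_bytes + ETH_HEADER_FCS + PREAMBLE_IFG + extra_bytes
    return link_mbps * payload_bytes / on_wire


def overhead_percent(link_mbps, payload_bytes, extra_bytes):
    """Share of goodput lost to the encryptor at this frame size."""
    plain = goodput_mbps(link_mbps, payload_bytes)
    encrypted = goodput_mbps(link_mbps, payload_bytes, extra_bytes)
    return 100.0 * (plain - encrypted) / plain


def replication_hours(gigabytes, goodput):
    """Hours needed to push a dataset (decimal GB) at the given goodput in Mbit/s."""
    bits = gigabytes * 8 * 1000 ** 3
    return bits / (goodput * 1e6) / 3600


def link_budget(link_mbps=360, links=2, extra_bytes=ENCRYPTOR_OVERHEAD,
                payload_sizes=(46, 256, 512, 1500)):
    """Goodput per frame size for `links` parallel radio links, plain vs. encrypted."""
    rows = []
    for payload in payload_sizes:
        rows.append({
            "payload": payload,
            "plain_mbps": round(goodput_mbps(link_mbps * links, payload), 1),
            "encrypted_mbps": round(goodput_mbps(link_mbps * links, payload, extra_bytes), 1),
            "loss_pct": round(overhead_percent(link_mbps, payload, extra_bytes), 1),
        })
    return rows


if __name__ == "__main__":
    for row in link_budget():
        print(row)
    both_links = goodput_mbps(360 * 2, 1500, ENCRYPTOR_OVERHEAD)
    print(f"500 GB nightly delta over both encrypted links: "
          f"{replication_hours(500, both_links):.2f} h")
```

For full-size frames the encryptor costs about 2 % of goodput; for minimum-size frames it costs over a quarter, so replication traffic (large frames) is barely affected while chatty small-packet protocols are. The replication-time figure is what should be compared against the business's recovery point objective when deciding whether two 360 Mbit/s links are enough.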
802.1X user authentication will be realized by pointing the switches at a RADIUS server that validates credentials against the LDAP domain server; a switch opens a port to normal traffic only after the RADIUS server returns an Access-Accept. 802.1X itself does not use DHCP: only after authentication does the client request an address, and DHCP will be provided by the Infoblox appliances. These also run DNS, NTP, FTP, TFTP and HTTP services. In addition, an Infoblox appliance provides IP address management functions such as control of switch port allocation and port allocation statistics, and it can locate the physical switch port a given device is plugged into. Another advantage is that the appliances are managed as a single system, which gives greater reliability and dependability at both the physical and the logical layer. The solution calls for two redundant appliances at the central location and one at each remote office. They will function as DHCP, DNS and NTP servers and will be used to manage the IP addressing (IPAM).
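The VLAN segmentation described above (management, server, Internet access and per-department user networks at every site, routed with OSPF) and the IPAM role of the appliances both depend on an addressing plan that is predictable and free of overlaps in both address families. The following is an added example, not part of the original design: it derives one IPv4 /24 and one IPv6 /64 per VLAN from a per-site /16 and /48, keeps the same VLAN ID for the same role at every site so a role is readable from the address, and runs the overlap check an IPAM would enforce. The site supernets, VLAN IDs and the 2001:db8::/32 documentation prefix are constructed for illustration.

```python
# Added example: a predictable dual-stack addressing plan for the per-site VLAN scheme
# with an overlap check of the kind an IPAM enforces. Site supernets, VLAN IDs and the
# 2001:db8::/32 documentation prefix are constructed for illustration, not taken from
# the design document.
import ipaddress
from dataclasses import dataclass
from itertools import combinations

SITES = {
    "HQ":      ("10.10.0.0/16", "2001:db8:10::/48"),
    "Branch1": ("10.20.0.0/16", "2001:db8:20::/48"),  # also hosts the DRC
    "Branch2": ("10.30.0.0/16", "2001:db8:30::/48"),
}

# Same VLAN ID for the same role at every site, so a role is readable from the address.
VLANS = {
    10: "management",
    20: "servers",
    30: "internet-access",
    100: "users-management",
    110: "users-rnd",
    120: "users-production",
    130: "users-warehouse",
    200: "wlan-employees",
    210: "wlan-guest",
}


@dataclass(frozen=True)
class Segment:
    site: str
    vlan: int
    role: str
    v4: ipaddress.IPv4Network
    v6: ipaddress.IPv6Network


def build_plan(sites=SITES, vlans=VLANS):
    """Carve one /24 and one /64 per VLAN out of each site's /16 and /48.
    The VLAN ID becomes the third IPv4 octet and the IPv6 subnet ID (in hex)."""
    plan = []
    for site, (v4_super, v6_super) in sites.items():
        v4_base = ipaddress.IPv4Network(v4_super)
        v6_base = ipaddress.IPv6Network(v6_super)
        if v4_base.prefixlen > 16 or v6_base.prefixlen > 48:
            raise ValueError(f"{site}: a /16 and a /48 are needed for this scheme")
        for vlan, role in vlans.items():
            if not 1 <= vlan <= 255:
                raise ValueError(f"VLAN {vlan} does not fit a /24-per-VLAN scheme")
            v4 = ipaddress.IPv4Network((int(v4_base.network_address) + (vlan << 8), 24))
            v6 = ipaddress.IPv6Network((int(v6_base.network_address) + (vlan << 64), 64))
            plan.append(Segment(site, vlan, role, v4, v6))
    return plan


def find_overlaps(plan):
    """Return (a, b) pairs whose IPv4 or IPv6 prefixes overlap; a clean plan returns []."""
    return [(a, b) for a, b in combinations(plan, 2)
            if a.v4.overlaps(b.v4) or a.v6.overlaps(b.v6)]


def lookup(plan, site, vlan):
    """Segment for a given site and VLAN ID."""
    return next(s for s in plan if s.site == site and s.vlan == vlan)


def site_summaries(sites=SITES):
    """One IPv4 and one IPv6 summary per site: what OSPF/OSPFv3 on the central
    switches should advertise between sites instead of every /24 and /64."""
    return {site: (ipaddress.IPv4Network(v4), ipaddress.IPv6Network(v6))
            for site, (v4, v6) in sites.items()}


if __name__ == "__main__":
    plan = build_plan()
    assert not find_overlaps(plan), "addressing plan has overlapping prefixes"
    for s in plan:
        print(f"{s.site:8} VLAN {s.vlan:<4} {s.role:18} {s.v4!s:18} {s.v6}")
    print(site_summaries())
```

Because the site summaries are disjoint, each central switch can advertise a single /16 and /48 per site, and the firewalls' inter-site IPsec selectors can match those summaries rather than dozens of individual subnets. The overlap check is the guard that matters when a branch later adds a VLAN: any clash with an existing prefix at another site would otherwise surface only as an OSPF routing surprise.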
Internet access will be secured using UTM firewalls that provide traffic control and secure remote access. The central firewall will be built from two devices running as a high-availability pair (active/passive or active/active), which provides high reliability and dependability. Remote access will authenticate users against the domain LDAP server combined with one-time passwords.
The wireless network will be available at every location using a wireless network controller and access points (APs). Enough APs will be deployed to achieve the required coverage. Outdoor APs, which can also operate in a wireless mesh, will cover the outside areas. The wireless network controllers will be integrated with the domain LDAP server. APs will primarily use the controller at their own location and fail over to a remote controller if it becomes unavailable. All wireless traffic will be passed through a UTM firewall interface, where it is controlled.
The advantages
The redesigned network is a reliable communication network that meets the current communication demands of the business and is ready for future ones. Physical and logical layer redundancy give high network availability. High local network bandwidth and high-throughput inter-site links enable data-intensive applications both inside the local network and between the remote networks. Access to the local or remote network is strongly authenticated, and data transfer over public or wireless links is encrypted. The proposed solution includes enough free switch ports and free switch module slots for future upgrades. PoE switch support enables IP telephony and remote powering of wireless APs. The WiFi network enables mobility of employees at a dynamic workplace and Internet access for guest users. Network availability is enhanced by using a centrally managed homogeneous system of Infoblox appliances for DHCP, DNS and NTP services, which also means less time spent on network management. The DRC location will prevent losses due to data loss and/or business operation outage if the primary HQ location is lost, and it further raises network availability. The UTM firewalls provide a high level of network security in a single box and also enable remote access. The integration of network devices with the LDAP server simplifies network access management, as it takes less time and doesn't require special network-related skills. Network management software also reduces the time required for network management, as it can alert the administrators immediately when a defined incident takes place. Bearing in mind the current initiative for greener computing and lower energy consumption, it should be noted that the redesigned network will use considerably less electricity, which in turn lowers the amount of heat that needs to be dissipated.