Graimer, posted February 26, 2012

Hey. I'm working on a school project in network design and I kind of need some help. We have the following task: design a complete network (network hardware and servers) for a small business (approx. 60 users). The business has an HQ where 35 people and most of their servers (file server, backup, DNS/DHCP, web, mail and Nagios) should be. They also have a second office ("LA") that should be connected through site-to-site VPN, with 15 people and 1 server (for redundant backup and DNS). They also have around 5-10 people working around the country, connected through VPN (SSL or something secure and easy). The business isn't very wealthy, so the network setup should be cost-effective.

The problem I'm having is choosing the topology, and knowing if it works. Let's focus on the HQ. Here, I'm thinking a dual-WAN firewall (e.g. ZyWALL USG-300 or something similar) as the front router/firewall. One WAN for all the VPN traffic and one for outgoing internet and the mail+web servers. What I currently have in mind is the following:

- The front firewall creates 3 VLANs (with DHCP server): 1 for VPN connections (5-10 people), 1 for clients and 1 for internal servers (file, backup, DNS and Nagios).
- The firewall trunks the VLANs to a managed switch that separates the VLANs into multiple unmanaged switches (for different rooms and such in the office).
- It also has a DMZ port (zone/subnet) that connects to the mail+web server.
- The internal DNS server should host a forward zone (internal.example.com) for all machines in the network and reverse zones for each subnet (VLAN). DNS lookups for the internet are forwarded to the firewall -> ISP. Incoming DNS (www.example.com and such) is taken care of by the domain registrar.
- The firewall has an ext-wlan zone/subnet for wireless connections that are only allowed internet.

Questions:

- Is it possible for the DNS in HQ to be master DNS for all subnets (including the LA subnet that comes through the site-to-site VPN) so everyone is in internal.example.com? Or should HQ have master zones for their subnets (hq.example.com) and slaves for LA, and LA have masters for their own (la.internal.example.com) and slaves for HQ?
- Is it possible for the DNS to be auto-updated by DHCP with this setup, or does that require a computer running a DHCP server? Or should we reserve IPs for all machines and use client1 for x.x.x.101, client2 for x.x.x.102 etc.? What about the ext-wlan zone/subnet? Just forget DNS here?
- Is this setup OK, or does it have any big flaws? Remember it is a small business that doesn't have tons of money to spend. Any tips?

Also, if I forgot to mention something, just ask. I would really appreciate it if anyone could help me out. We got thrown into this project without having learned much about topology and best practices. We've just learned how DHCP and DNS work and such, but not how you actually use them in a network with more than one subnet. Thanks.

EDIT: forgot to add that the LA office also has a dual-WAN firewall to act as a router/firewall: one WAN for the site-to-site VPN to HQ and the other for internet traffic (to achieve better speed and save bandwidth on the VPN WAN).
sc302 (Veteran), posted February 26, 2012

First, I am not going to do your homework assignment. Second, do your math with bandwidth. With any cable/DSL you are going to be limited by your upload. So if you are only getting 1 Mb up at each site, that is all you are going to have between sites. Add up your sites and your remote users, see how much total bandwidth will be needed. This will tell you how much upload you need at your primary site to keep everyone going at full speed if everyone is connected at the same time. I had a customer that has 20 sites; the main site had a 1.5 Mb connection that each site connected to. Each site had its own 1.5 Mb connection. For everyone to be connected at 1.5 Mb at the same time the main site would need to have a 30 Mb connection. Because of the misconfigured network each site was only getting around 5k bursts and the remote networks were very slow... the admin didn't understand why.

If you are using DNS you would have to have everyone on the same DNS network. IMO it isn't big enough for subdomains, but that is at the discretion of the class. As to your DHCP/DNS... figure out how they work, that will give you the answer. You may have learned about it in class, but if you asked that question you really didn't learn about it... it may have been gone over but it really wasn't gone over in any great detail. Read up on internal DNS and external DNS, the differences and best practices for internal domain names.
Graimer (Author), posted February 26, 2012

Thanks for the fast reply. I'd like to add something. :)

- This is actually taking place in Norway, and the companies will have fiber optic lines since they cost as much as DSL here. That means a minimum of 15/15 Mbit. So upload won't be a bigger problem than download.
- What do you mean with the DNS? With site-to-site VPN they would be on the same network, but in a different subnet. Subdomains were an idea, because the DNS has to work even if the VPN went down, which means they need their own DNS server for local DNS and to make sure internet requests are forwarded to their firewall and not the HQ's. Any better ideas?
- I know a bit about how DNS and DHCP work. But is there any hardware (firewalls etc.) that supports auto-updating with a key to a separate DNS? I'm having problems finding a product that can. I don't need a model since this is just theory. I just need to know if it is possible.

And I didn't want you to do my homework. The network topology is just a small part of the project. I just needed someone to confirm that my current plan was sound, and maybe clarify some things. Or if something was really bad practice. :-)
sc302 (Veteran), posted February 26, 2012

You are close with an answer, let's see if I can pry it out of you.... Where is your DNS database? How is it going to stay up when the site goes down, regardless of subdomains or primary domains? How are you going to configure the VPN tunnel? (If the VPN tunnel isn't configured properly, you can forget about DNS working if it goes down, they aren't getting anywhere. Many VPNs are configured like this with the wizards now, higher end equipment not so much). You don't know enough about DNS by your question, there is something that you either haven't gone over or something that was gone over and you were daydreaming during that part. I am posing these questions to help you learn.
Japlabot, posted February 26, 2012

This reminds me that between school and the real world, it is a completely different reality. In the real world a small business would use Dropbox and be done with it. In your homework assignment you would probably have to use standard networking technologies and show how much of it you know. In the real world you would not bother segregating with VLANs either. Too much work, adds overhead and support costs to the network, and no benefit.
Graimer (Author), posted February 26, 2012

sc302 said:
You are close with an answer, let's see if I can pry it out of you.... Where is your DNS database? How is it going to stay up when the site goes down, regardless of subdomains or primary domains? How are you going to configure the VPN tunnel? (If the VPN tunnel isn't configured properly, you can forget about DNS working if it goes down, they aren't getting anywhere. Many VPNs are configured like this with the wizards now, higher end equipment not so much). You don't know enough about DNS by your question, there is something that you either haven't gone over or something that was gone over and you were daydreaming during that part. I am posing these questions to help you learn.

I know, and I appreciate it. Believe me, the teacher ain't that good. He hasn't gone through more than what I know (actually, everything about forwarding and such is self-learned). He believes he can say what e.g. DNS stands for, and that they have slaves and masters. Done. "The rest you'll figure out yourself."

To have working DNS if the VPN breaks, I thought about splitting DNS in 2. One DNS server in HQ which has the following zones: hq.example.com master (and reverse masters) and la.example.com (and reverse) slaves. In LA the DNS would be: la.example.com (and reverse) masters, and hq.example.com (and reverse) slaves. Then each server would "back up" the other and both offices would have their own DNS database in case the sites got separated (VPN tunnel breaks).

How can the setup of the tunnel make a difference? I thought just set up a secure IPsec site-to-site that routes every subnet through for both sites. The only limitation would be ext-wlan, which of course would be blocked to the LA zone (just like it's blocked to any other zones than WAN).

Japlabot said:
This reminds me that between school and the real world, it is a completely different reality. In the real world a small business would use Dropbox and be done with it. In your homework assignment you would probably have to use standard networking technologies and show how much of it you know. In the real world you would not bother segregating with VLANs either. Too much work, adds overhead and support costs to the network, and no benefit.

Would a company with 60 employees use Dropbox? Also, the VLANs allow security. Any portable devices (like laptops which may have malware) can be used to attack your server. With VLANs it should be easier to add firewall rules that allow just the necessary ports in/out instead of playing with 10 different firewalls (one for each server).
sc302 (Veteran), posted February 26, 2012

If you do not enable this part of the VPN tunnel config all traffic will try to go over the VPN.

You are very warm with DNS. You do not need to do it the way you have it. You can replicate the same DNS site.

VLANs make lots of sense for various reasons. Separating printers from PCs from servers, different floors, making different ACLs to block groups from different servers, printers, etc. Sure you can have a supernet and a mess of an IP structure, but that would be a mess.

Dropbox is great for 2-3 users. But when you have terabytes of storage it doesn't make much sense.
Graimer (Author), posted February 26, 2012

sc302 said:
If you do not enable this part of the VPN tunnel config all traffic will try to go over the VPN. You are very warm with DNS. You do not need to do it the way you have it. You can replicate the same DNS site. VLANs make lots of sense for various reasons. Separating printers from PCs from servers, different floors, making different ACLs to block groups from different servers, printers, etc. Sure you can have a supernet and a mess of an IP structure, but that would be a mess. Dropbox is great for 2-3 users. But when you have terabytes of storage it doesn't make much sense.

So you think it would be better to have one DNS zone and have HQ holding the master and LA the slave? I was just thinking, if I chose auto-update instead of manual DNS based on the IP, what would happen if the VPN broke when a computer tried to update DNS? Because slaves can't update, right? They're read-only? But you think I should have hostnames based on IP and just skip DNS for all devices in the ext-wlan zone (since they aren't connected to anything else than WLAN)?
Japlabot, posted February 26, 2012

I have a small business that has 2 offices and 10 travelling consultants, and they are absolutely thrilled with Dropbox. Dropbox Teams fits the bill quite nicely for them for the functionality (and storage space) that they get out of the software. For the offices (where in this case everyone needs the same permission level), Dropbox is running on the server and accessed with a Windows file share instead of having it locally on each PC in the office. Only the travelling consultants keep a local copy of the files they need (using Selective Sync) on their laptops (which saves a tonne of bandwidth when they are either without internet access or only on wireless dongles). Also groups of users who work together with the same access are sharing Dropbox user accounts (which saves costs on additional accounts, and events are still tracked using their device name if a mistake is made). The server at each site also backs up the Dropbox folder to an offline backup as an extra redundancy. The work that they do is not sensitive so they don't need any special security requirements (e.g. like a medical practice would), but Dropbox still uses encrypted connections (SSL).

Probably not the answer your school teacher is looking for, but this is a practical reality. Just saying.
sc302 (Veteran), posted February 26, 2012

Again, small business, it works and does a fine job. Doing it the way the OP has described there is 0 monthly overhead after the initial purchase. Many startups want as little overhead as possible; when they become more established they may look at other options. If they went with an MS SBS server, they would have Dropbox features with SharePoint built into the OS... the only limit would be their bandwidth and how much space is on their server.

Here is the way I have my DNS set up:

- AD server, main site: domain.local
- AD secondary server at secondary site: domain.local

There are no subdomains. It all replicates, it all authenticates, and if sites go down they resync when the sites come back up.
Graimer (Author), posted February 26, 2012

Thanks for both replies. Last question here now, I guess. Are there any big cons with the network design at HQ? (Tried to add a drawing, but the forum screwed it up :p)

Is 1 big firewall good enough, or should it be a front and back firewall? By that I mean offloading the front firewall of all the VLAN responsibility, and having a firewall in front of the managed switch to handle the internal traffic. Then the first firewall would only have ext-wlan and the DMZ to care about (+ the link to the next firewall). Because most users are on the internal LANs, this would require an almost identical (and just as expensive) firewall, so I'd like to skip it. Bad or okay? ^^
sc302 (Veteran), posted February 26, 2012

1 firewall is fine. You can make ACLs to only allow certain ports to communicate on the VLAN to your primary network through the DMZ (a benefit of VLANs) with a high end managed switch. You will need a switch that supports layer 4. This isn't something that you are going to go to your local market and pick up.
Graimer (Author), posted February 26, 2012

sc302 said:
1 firewall is fine. You can make ACLs to only allow certain ports to communicate on the VLAN to your primary network through the DMZ (a benefit of VLANs) with a high end managed switch. You will need a switch that supports layer 4. This isn't something that you are going to go to your local market and pick up.

Again it's the cost. L4 switches must be a PITA when it comes to the price tag :p Is an L4 switch worth it to offload the firewall? Wouldn't a firewall do the same thing and be cheaper? Because when I thought about it, with my design all internal traffic would have to be routed using the same firewall as everything else.. : /

So then we're back to one of the first questions. Is a front firewall enough to do all the routing and blocking (firewall rules), or should I have a back firewall that takes care of routing and firewall rules internally? And have a /30 subnet between the front firewall and back firewall where traffic with a destination outside the internal network goes (internet, site-to-site, DMZ), and the opposite direction?
sc302 (Veteran), posted February 26, 2012

Yes, the price tag is usually above 1000 USD. You can make it work with a standard SOHO firewall and a low end switch. You don't even need a DMZ; in most small business setups a DMZ doesn't exist. Either port forwarding or one-to-one NAT with the necessary ports open.
Graimer (Author), posted February 28, 2012

sc302 said:
Yes, the price tag is usually above 1000 USD. You can make it work with a standard SOHO firewall and a low end switch. You don't even need a DMZ; in most small business setups a DMZ doesn't exist. Either port forwarding or one-to-one NAT with the necessary ports open.

Btw sc302.. if you're still reading this. Why did you suggest an L4 switch? Isn't that just called a content switch/multilayer switch and has L4-7 support? I googled around for a bit, and it seems that most L3 switches (IP layer) support extended ACLs (which can permit/deny specific ports). At least that's normal on Cisco devices. Am I wrong? Or are L3 switches usually layer "3.5" switches (parts of L4 supported, like rules based on ports)? Just trying to learn this. :)
sc302 (Veteran), posted February 28, 2012

Layer 3 is routing, layer 4 goes into NAT.
Graimer (Author), posted February 28, 2012

sc302 said:
Layer 3 is routing, layer 4 goes into NAT.

I had a firewall to NAT out to the internet. So since L3 seems to support extended ACLs, I am able to route just what I want, and to anywhere I want. So why would I need NATing? I'd just set up a new /30 subnet to the firewall. Am I missing something? :)
sc302 (Veteran), posted February 28, 2012

Please give me an example of an ACL in a layer 3 switch that blocks 2 /24 networks from accessing each other and allows both of them to communicate to a /26 network, or that allows a /26 network to be completely separated from the rest on the same switch but only allows x, y, z on either of the other networks explicit access while blocking port 21 traffic.
Graimer (Author), posted February 29, 2012

sc302 said:
Please give me an example of an ACL in a layer 3 switch that blocks 2 /24 networks from accessing each other and allows both of them to communicate to a /26 network, or that allows a /26 network to be completely separated from the rest on the same switch but only allows x, y, z on either of the other networks explicit access while blocking port 21 traffic.

With L3 the first problem should be done with a normal ACL. One for each of the /24 networks, where it blocks the other, allows the /26 and at last either deny or permit any any. Right?

The second example could be done with an extended ACL, as long as it's true that most L3 switches support extended ACLs. Because then you would add the following ACL for the traffic coming in to the /26 interface:
- first, block the port 21 traffic;
- then add a permit line with the x, y, z for every single subnet;
- then block any protocol any any.

Then you would add another one going out, with:
- a block line blocking port 21 for every subnet's x, y, z;
- a permit line for every subnet allowing any traffic to x, y, z;
- deny any any any.

Or? I just recently learned about ACLs, but that should work on an L3 switch. Again, as long as someone can confirm that L3 switches usually support extended ACLs. Or?
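The two ACL scenarios sc302 posed and Graimer sketched above can be checked against a simple first-match model. The following Python is an added example written for this thread, not code from any of the posters or from any switch vendor; it assumes constructed addressing (10.0.1.0/24 and 10.0.2.0/24 as the two client networks, 10.0.3.0/26 as the server network, 10.0.1.10 and 10.0.2.10 as the "x, y, z" admin hosts) and a deliberately reduced rule format: protocol, source network, destination network and optional destination port, evaluated top to bottom with the implicit deny that real extended ACLs end with. It leaves out wildcard-mask syntax, source ports, the `established` keyword and any stateful handling, so it shows what the ACLs must express, not how a particular switch spells them. The misordered variant at the end shows the ordering pitfall in Graimer's second list: if the host permit line sits above the port 21 deny, the deny is never reached.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Network = ipaddress.IPv4Network
ANY = IPv4Network("0.0.0.0/0")

# Constructed addressing for the two scenarios in the thread (not from the posts):
NET_A = IPv4Network("10.0.1.0/24")    # first client /24, e.g. VLAN 10
NET_B = IPv4Network("10.0.2.0/24")    # second client /24, e.g. VLAN 20
NET_SRV = IPv4Network("10.0.3.0/26")  # server /26, e.g. VLAN 30
ADMIN_HOSTS = [IPv4Network("10.0.1.10/32"), IPv4Network("10.0.2.10/32")]  # the "x, y, z" hosts
FTP_CONTROL = 21


@dataclass(frozen=True)
class Rule:
    """One line of an extended ACL. proto 'ip' matches every protocol."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int] = None    # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation: the first rule whose fields all match decides.
    If nothing matches, the implicit 'deny' at the end of every ACL applies."""
    src = ipaddress.IPv4Address(pkt.src)
    dst = ipaddress.IPv4Address(pkt.dst)
    for rule in acl:
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action
    return "deny"


# Scenario 1, applied inbound on the VLAN A interface (the mirror image goes on
# VLAN B): A may not reach B, A may reach the servers except over FTP, and
# everything else (internet via the firewall) is allowed.
ACL_IN_VLAN_A = [
    Rule("deny",   "tcp", NET_A, NET_SRV, FTP_CONTROL),
    Rule("deny",   "ip",  NET_A, NET_B),
    Rule("permit", "ip",  NET_A, NET_SRV),
    Rule("permit", "ip",  NET_A, ANY),
]

# Scenario 2, applied to traffic heading into the server /26: only the named
# admin hosts get in, FTP is refused even for them, and the implicit deny
# isolates the /26 from everyone else on the switch.
ACL_TO_SRV = [Rule("deny", "tcp", ANY, NET_SRV, FTP_CONTROL)] + [
    Rule("permit", "ip", host, NET_SRV) for host in ADMIN_HOSTS
]

# Same lines in the wrong order: the permit for the admin host matches first,
# so the FTP deny below it is never reached.
ACL_TO_SRV_MISORDERED = [Rule("permit", "ip", host, NET_SRV) for host in ADMIN_HOSTS] + [
    Rule("deny", "tcp", ANY, NET_SRV, FTP_CONTROL)
]


if __name__ == "__main__":
    samples = [
        ("A -> B, SMB",           ACL_IN_VLAN_A, Packet("tcp", "10.0.1.5", "10.0.2.5", 445)),
        ("A -> server, SMB",      ACL_IN_VLAN_A, Packet("tcp", "10.0.1.5", "10.0.3.5", 445)),
        ("A -> server, FTP",      ACL_IN_VLAN_A, Packet("tcp", "10.0.1.5", "10.0.3.5", 21)),
        ("admin -> server, SSH",  ACL_TO_SRV, Packet("tcp", "10.0.1.10", "10.0.3.5", 22)),
        ("admin -> server, FTP",  ACL_TO_SRV, Packet("tcp", "10.0.1.10", "10.0.3.5", 21)),
        ("other -> server, SSH",  ACL_TO_SRV, Packet("tcp", "10.0.1.5", "10.0.3.5", 22)),
        ("misordered admin FTP",  ACL_TO_SRV_MISORDERED, Packet("tcp", "10.0.1.10", "10.0.3.5", 21)),
    ]
    for label, acl, pkt in samples:
        print(f"{label:24s} {evaluate(acl, pkt)}")
```

Running the script prints one verdict per sample. Whatever name a vendor gives the feature, the point of the model is that every line in these ACLs matches on a layer 4 field (the destination port) or relies on ordering relative to such a line, which is exactly what needs to be verified on a candidate switch before relying on it to isolate the server VLAN.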
sc302 (Veteran), posted February 29, 2012

Marketing can call it whatever they want, hell, call it layer 2+++. Those are layer 4 functions.