8

I’m currently planning a large network infrastructure for a University in Ethiopia and would like people’s comments on my planning. Please bear in mind I have never done networking before. The campus covers 80 buildings including laboratories, administration, teaching and dormitories. All buildings will have wired, wireless, VoIP and printers. Each building has 3 floors and a combination of staff and student computers.

Data centre will provide SAN storage and software PBX. Deployment is Win2k8. I am using Cisco equipment throughout the installation, which includes Cisco 6500 L3 core switches with 1Gbps or 10Gbps fibre connection (MM and SM) to 5 communication rooms. Each communications room also has a Cisco 6500 L3 switch. Each building is connected to the closest communications room using a 1Gbps fibre connection (MM). Each building will have a Cisco 2960 L2 switch with uplink to floor 1 and 2.

I am using VLANs to separate the subnets as follows:

Building 1 -> VLAN 10 -> Wired computers -> 10.1.0.1 - 10.1.15.254 -> 255.255.240.0

Building 1 -> VLAN 11 -> Student computers -> 10.1.16.1 - 10.1.31.254 -> 255.255.240.0

Building 1 -> VLAN 12 -> Wireless computers -> 10.1.32.1 - 10.1.47.254 -> 255.255.240.0

Building 1 -> VLAN 13 -> VoIP Phones -> 10.1.48.1 - 10.1.63.254 -> 255.255.240.0

Building 1 -> VLAN 14 -> Printers & devices -> 10.1.64.1 - 10.1.79.254 -> 255.255.240.0

Building 2 -> VLAN 20 -> Wired computers -> 10.2.0.1 - 10.2.15.254 -> 255.255.240.0

Building 2 -> VLAN 21 -> Student computers -> 10.2.16.1 - 10.2.31.254 -> 255.255.240.0

Building 2 -> VLAN 22 -> Wireless computers -> 10.2.32.1 - 10.2.47.254 -> 255.255.240.0

Building 2 -> VLAN 23 -> VoIP Phones -> 10.2.48.1 - 10.2.63.254 -> 255.255.240.0

Building 2 -> VLAN 24 -> Printers & devices -> 10.2.64.1 - 10.2.79.254 -> 255.255.240.0

Building 80 -> VLAN 800 -> Wired computers -> 10.80.0.1 - 10.80.15.254 -> 255.255.240.0

Building 80 -> VLAN 801 -> Student computers -> 10.80.16.1 - 10.80.31.254 -> 255.255.240.0

Building 80 -> VLAN 802 -> Wireless computers -> 10.80.32.1 - 10.80.47.254 -> 255.255.240.0

Building 80 -> VLAN 803 -> VoIP Phones -> 10.80.48.1 - 10.80.63.254 -> 255.255.240.0

Building 80 -> VLAN 804 -> Printers & devices -> 10.80.64.1 - 10.80.79.254 -> 255.255.240.0

All buildings -> VLAN 199 -> Management&Native -> 10.199.0.1 - 10.199.15.255 -> 255.255.240.0

I have mapped the IP address to the VLAN so it's easy to trace IP addresses to physical locations.

Questions:

1, Should I have VoIP phones all on the same VLAN or a separate VLAN for each building as I have done above?

2, Same questions as 1 but for the printers?

3, I was planning for the Cisco 6500 L3 switches to do inter-VLAN routing between VLANs. Would this be a good solution? Would I also need a router or hardware firewall if I use L3 switch routing? My broadband input from the ISP is an RJ-45 Ethernet connection.

4, Any other comment about my implementation would be appreciated as I’m a total noob at this.

Thanks in advance

Stokie Mike
  • 91
  • 1
  • 5
  • 8
    "Please bear in mind I have never done networking before." -- How on earth did you land this contract?! – Tom O'Connor Mar 27 '11 at 11:34
  • 6
    I'm scared. Never before have the words "Hire a professional" been more apt. – Tom O'Connor Mar 27 '11 at 11:42
  • 2
    If this isn't a homework question, I think you may want re-read @Tom's comments until you hire someone else to do this. – jscott Mar 27 '11 at 11:54
  • 1
    If you're a "total noob" at network implementation then this is too large a project to cut your teeth on. Save yourself and your customer some pain and hire in a consultant to help you. Really. – Rob Moir Mar 27 '11 at 11:59
  • "Hire a professional" I understand your point but I'm an IT volunteer helping the university. A professional is not an option. I also love the challenge. I understand it's big but it's what they want. I'm here to just connect 16 buildings but plan for all 80. – Stokie Mike Mar 27 '11 at 12:17
  • 7
    I'm finding it hard to understand that there's budget for all that kit, but no budget to hire someone to set it up correctly. – nickgrim Mar 27 '11 at 13:02
  • 11
    I'm not surprised someone with no experience is doing this. Skilled workers are incredibly hard to come by in Africa. The equipment might be donated; there might have been no budget to buy the equipment. There might be literally no money to spend on these projects. Hiring a professional might be out of the question. If this person doesn't get this done, then they have no network. – Amandasaurus Mar 27 '11 at 13:35
  • Not to make things more complex than they need to be, but since you've already mentioned several machines running 2k8, you will want to be prepared for ipv6. In my experience, you would need to take steps to disable ipv6 on Win2k8 machines if your network doesn't handle it well; however, if possible, it would be better to actually get ipv6 working if you can. – kojiro Mar 27 '11 at 14:17
  • It's true that it is not the best of all possibilities to have someone who has "never done networking before" (but knows about VLANs and stuff?) do this kind of thing but then it might be the only shot they get... And it's OK to mention it, but then he's here (one of the more sensible places on the internet IMHO) *asking questions to people who have experience* and thinking hard about what he is about to do. I guess he has not too bad a chance to come up with something quite reliable. Better than if he was not asking at least. Maybe not perfect -- but that's a matter of taste anyway, no? – scherand Mar 28 '11 at 06:22
  • @Roy McCann @scherand Experience is almost impossible over here, and I've seen systems that cost millions of Birr and don't work. The consultants implement, don't train the people and take the money. The money spent on professionals can be put into hardware, and is probably better spent. I appreciate all comments and am working very hard on the planning process and will hopefully provide a reliable, stable and secure system. Thanks again guys!! – Stokie Mike Mar 28 '11 at 16:56
  • @kojiro I was planning on disabling IPv6 for simplicity. Is this what you would recommend? What are my advantages of using IPv6 for my network? Thanks – Stokie Mike Mar 28 '11 at 16:58
  • @Stokie Mike I was just warning you that if you try to put Win2K8 machines on a network that can't support ipv6 you could have trouble. But since you've already planned to disable ipv6, I think that's the best approach. For now... – kojiro Mar 28 '11 at 19:33
  • @kojiro thanks for your advice. I don't want to complicate things any more than they are, so disabled it will stay. Thanks – Stokie Mike Mar 29 '11 at 15:22
  • @Stokie Mike "I'm an IT volunteer helping the university" How on earth did the university give this big project to you? I know it's been 2 years, but may I know which university it was? I live in Ethiopia and am interested to know this. – Achu Apr 24 '13 at 14:03
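The addressing rule in the question (building N, role k -> VLAN 10N+k, subnet 10.N.16k.0/20, plus VLAN 199 for management) written out as an added Python example, with an optional per-floor split of the student VLAN along the lines of the "smaller VLANs" advice in the first answer. This is not code from the question or any answer; the per-floor VLAN ids 10N+5..7 and the /22-per-floor split are assumptions of mine.

```python
import ipaddress

# Role index k in the question's table: VLAN 10*N + k, subnet 10.N.(16*k).0/20
ROLES = ["wired", "student", "wireless", "voip", "printers"]
MGMT_VLAN, MGMT_NET = 199, ipaddress.ip_network("10.199.0.0/20")  # shared by all buildings


def building_plan(building, split_student_floors=0):
    """Return {vlan_id: (label, network)} for one building.

    Default reproduces the question's layout. With split_student_floors=3 the
    student /20 is instead carved into one /22 per floor on VLANs 10N+5..10N+7
    (assumed numbering: the question leaves slots 5-9 of each building unused).
    """
    plan = {}
    for k, role in enumerate(ROLES):
        net = ipaddress.ip_network(f"10.{building}.{16 * k}.0/20")
        if role == "student" and split_student_floors:
            floors = range(split_student_floors)
            for floor, sub in zip(floors, net.subnets(new_prefix=22)):
                plan[10 * building + 5 + floor] = (f"student-floor{floor}", sub)
        else:
            plan[10 * building + k] = (role, net)
    return plan


def campus_plan(buildings=80, split_student_floors=0):
    """Whole-campus plan; raises if two buildings would reuse a VLAN id."""
    plan = {MGMT_VLAN: ("management", MGMT_NET)}
    for b in range(1, buildings + 1):
        for vid, entry in building_plan(b, split_student_floors).items():
            if vid in plan:
                raise ValueError(f"VLAN {vid} already used by {plan[vid][0]}")
            plan[vid] = entry
    return plan


def check_plan(plan):
    """List problems: VLAN ids outside 1-4094 and overlapping subnets."""
    problems = [f"VLAN {vid} ({label}) outside 1-4094"
                for vid, (label, _) in plan.items() if not 1 <= vid <= 4094]
    # With CIDR blocks, any overlap shows up between neighbours once sorted.
    nets = sorted(plan.items(), key=lambda kv: kv[1][1])
    for (v1, (_, n1)), (v2, (_, n2)) in zip(nets, nets[1:]):
        if n1.overlaps(n2):
            problems.append(f"VLAN {v1} {n1} overlaps VLAN {v2} {n2}")
    return problems
```

Running `check_plan(campus_plan())` comes back empty for the 80 buildings; each /20 has 4096 addresses, which is the "4k machines per VLAN" the first answer objects to, and the management block would only collide with a building numbered 199.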

4 Answers

4

I have a couple of concerns. The first is the size of your VLANs - do you really want 4k machines per VLAN in a student environment? Imagine how much harder it'll be to narrow down problem machines/users in that environment, plus the number of users potentially impacted by these problem machines. I'd be tempted to go for much smaller VLANs myself.

Secondly I'm more worried about someone who considers themselves to be a beginner designing and implementing such a comparatively large and complex network - I'd consider getting in some professionals.

Chopper3
  • 101,299
  • 9
  • 108
  • 239
  • "I'd be tempted to go for much smaller VLANs myself" so would you suggest dividing the student VLANs into say floors (0,1,2), each having a smaller number of computers? – Stokie Mike Mar 27 '11 at 12:18
  • I do agree on getting professionals in, but I'm a volunteer providing as much help as I can. I have assessed various companies for professional advice and to be honest, I would say I know more and cost a lot less, lol – Stokie Mike Mar 27 '11 at 12:31
  • And I'm a lot more reliable - I hope :) – Stokie Mike Mar 27 '11 at 13:10
  • 3
    Yes, basically, smaller VLANs, i.e. break it down by floor/physical segments etc. Oh, and it's nice that you're doing your best, but there really is no substitute for experience and qualification. – Chopper3 Mar 27 '11 at 13:26
  • I have added more VLANs into my design that include StaffManagement and student floors for the dormitories; this will reduce the impact of hacking and virus propagation. Thanks loads for your help. I totally agree with your comment about experience, but I am open to advice and am doing lots of research. – Stokie Mike Mar 28 '11 at 16:39
1
  1. In my opinion, you can put them all in one VLAN (better for VLAN management), but you can also consider the alternative, leaving them as you initially designed them (better for geographical management).

  2. I always split the printers into the VLANs they are assigned to (e.g. the marketing dept. printer is in the marketing dept. VLAN).

  3. Although it is easier to do the inter-VLAN routing with a "router-on-a-stick", if you can do it with your L3 switch it will be better from a performance point of view (but a little harder to set up).

  4. How are you managing your wireless VLANs? One access point per VLAN?

PS: For a beginner in networking you sure got yourself some nice equipment :)

  • Hi, thanks for your input, it helps me lots. It is nice kit; I prefer the organisation purchase reliable equipment, as my predecessor purchased unmanaged switches that lasted only a few months. Hoping the Cisco kit comes soon. 1, I do like the idea of separate VLANs for VoIP as I can locate the physical location from the VLAN number. 2, So you would recommend putting the printers in the same VLAN as the computers, simpler. 3, L3 inter-VLAN is my preference, have simulated it in Packet Tracer. 4, Was putting all the wireless APs for a single building in 1 VLAN; another building uses a different VLAN – Stokie Mike Mar 27 '11 at 12:23
  • 4. Again with the wireless, what equipment are you using? How many access points are there in the network? What are the buildings made of? Do the walls allow the radio waves to pass through? Do the channels overlap? Is there a need for security? Encryption? (Just some more thoughts from the top of my head) –  Mar 27 '11 at 18:46
  • Ok, I'm starting with 50 access points spread over 15 small buildings. Between one and two access points are used per floor. The buildings have very thick concrete walls with embedded steel bars. I have worked out that radio waves will pass through 3 walls in a line. The channels will overlap between floors - is this ok? No need for security I believe, will be using a RADIUS server with LDAP auth. Thanks – Stokie Mike Mar 28 '11 at 16:59
1

I notice you haven't distinguished any networks/computer types by risk or by quality of service.

I would have a think about what machines on any of your networks may contain sensitive data (medical/personal/financial) and create separate VLANs for them so you can manage and audit access. Universities tend to have a culture of open and free access, but you need to look at locking down access where necessary to prevent fraud, blackmail, data destruction etc.

Also look at where your VOIP kit sits - if it is all on purely logical VLANs then make sure the QoS is set for it, otherwise when the networks are busy you will find VOIP unusable.

Update on VOIP: VOIP is much more sensitive to latency, jitter and other issues which TCP/IP is mostly immune to. Data packets can arrive at odd times, or even out of order, and the TCP/IP stack rebuilds the information stream pretty well. With voice traffic you notice jitter or missing packets very easily, and above a really low threshold voice traffic becomes unusable. You can improve the quality by adding latency (to allow buffering of more packets) but this also annoys users. What QoS (Quality of Service) lets you do at the router level is prioritise time-sensitive traffic at the expense of data traffic. Your data will still get through, but as it is more immune to time issues it doesn't tend to matter.

But my main comments would be - seriously, get a professional in; that is not a small network, and good luck with it, hope it goes well.

Rory Alsop
  • 1,184
  • 11
  • 21
  • My original design had more VLANs to divide the sensitive data, but I was told I had too many VLANs. Think I'll revert to my original VLAN design then. Please could you explain "Also look at where your VOIP kit sits - if it is all on purely logical VLANs then make sure the QoS is set for it, otherwise when the networks are busy you will find VOIP unusable." Getting a professional in is not an option; the university has asked for volunteers to help. – Stokie Mike Mar 27 '11 at 17:11
  • It's also a very exciting project and a great opportunity for me and the University. I have seen other installations done by professionals out here - very badly implemented and unreliable. Thanks again. – Stokie Mike Mar 27 '11 at 17:23
  • @Stokie - quick update on VOIP and QoS for you. – Rory Alsop Mar 27 '11 at 21:18
  • Thanks again for your help. I am using the L3 switch for inter-VLAN routing; can I do QoS on there (Cisco 6500 Sup 720)? – Stokie Mike Mar 28 '11 at 08:32
  • Found some information about QoS and Cisco 6500 at http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00804d2e3a.shtml – Stokie Mike Mar 28 '11 at 08:41
0

Some references:

http://www.cisco.com/en/US/netsol/ns742/networking_solutions_program_category_home.html

http://www.cisco.com/en/US/netsol/ns826/networking_solutions_program_home.html

There are a couple of suggestions for education on these links, and reference designs.