Need some tips in reorganizing our LAN.

Benjamin Lutz benlutz at datacomm.ch
Wed Mar 29 04:43:13 UTC 2006


Hello jay,

On Wednesday 29 March 2006 05:55, Mark Jayson Alvarez wrote:
> The MIS suggested a LAN transition project, and I was assigned to lead the
> team. Right now, we are only two in this very big team. :-) I'm just
> wondering if I'm ever gonna finish this project or not. I have a lot of
> stuff mixed up in my mind right now but I really don't know where to
> start.

If you don't have it already, I'd start cleaning up the old system without 
changing its structure. Remove the redundancies, e.g. unnecessary cascaded 
switches, or computers that are no longer used. This will give you a clear 
idea of what the current layout looks like, making it easier to plan changes, 
and with some luck it'll also give you a hardware stockpile that you can then 
recycle for your new LAN.

>  I have these in my mind right now:
>
>  Connectivity
>  1. wired
>  2. wireless

I see no place for a wireless network in a professional network. It's hard to 
secure it (it's possible, encrypted-VPN-over-WLAN works, but it's difficult 
and expensive to set up). Stick with a wired LAN, and there'll be one less 
security threat that you have to worry about.

>  Machines being hooked into the network:
>  1. servers
>  2. workstations

Make a list of the servers you have, and which user groups need them. Make a 
list of which logical user groups there are. Then design a network layout to 
match those needs. You could, for example, put each user group into its own 
subnet, including the servers it needs. Access between user groups could then 
be restricted at will*.

Alternatively, put some or all servers into a dedicated subnet. This will also 
allow protecting them better.

I realize I'm being very unspecific, but you didn't give us all that much 
information.

>  3. testbeds

If there are users accessing those, treat them as servers. Otherwise, isolate 
them from the production network.

>  4. personal (laptops etc.)

This is a difficult one. Personal laptops are machines you have no direct 
control over (you cannot control what software is installed on them), and as 
such they are a high risk factor when they are connected to your network. 
They might introduce malware into the company, or evade your file storage 
procedures.

This is a matter of policy basically. Try to restrict personal machines as 
much as you can. Forbid connecting them to the LAN. If you can't do that, 
maybe have specialized laptop ports that are firewalled off from the rest of 
the network.

>  Will use DHCP

Keep in mind that a DHCP server needs to be in the same subnet it serves. 
Other services do not have this requirement.

>  Will use centralized directory service
>  Will use centralized authentication

Sounds good. Personal laptops will undermine this though, another reason to 
try to keep them away.

>  We have at most 150 employees...
>  We don't have that much to spend on equipment like managed switches,
> powerful servers, etc. We have a lot of political issues that need to be
> resolved regarding network usage policies

You don't need powerful hardware to manage a network with just 150 employees. 
Some gigabit hardware for popular servers would be nice, but the network 
management will use very little CPU resources (unless of course you decide to 
play around with VPNs). So don't worry about that too much.

>  All this stuff, basically mixed up in my mind. I really have no idea
> where to start aside from creating a purchase request for a new PC router
> and a multi-port LAN card, which I already did a week ago. And it has
> not arrived yet. :-)

It sounds like you're planning to have all subnets connected through this one 
FreeBSD box. This is not necessary. You can put a router in between subnets, 
and have that one located elsewhere, where it's more convenient. It can also 
make perfect sense to have firewalls on these routers. If you isolate user 
groups that need to communicate with each other into different subnets and 
block traffic between them, it'll be easier to contain a worm outbreak.

And oh yeah: in my opinion, the firewall, i.e. the outermost machine that's 
connected to the internet, should have 2 or 3 interfaces only, and carry data 
only on 2 of them. Do not give it several interfaces for the purpose of 
routing your LAN. It'll make creating an airtight firewall ruleset much more 
difficult. Instead, have one or several routers inside your LAN that handle 
it, that don't need to deal with malicious outside traffic too.

> Please help me.

Feel free to be more specific about your plan or with your questions, I'm sure 
people here will happily comment on or answer them.

I'm also sensing that you feel a bit overwhelmed. Try to keep pressure on 
yourself low, by having as few disruptive changes as necessary. Don't try to 
change your whole network over a weekend, it's too large for that. Install 
the new parts bit by bit, and try to do so with the rest of the old system 
still working, until you change it. In other words: take it slow, and plan 
your steps well.

And here's another thought: reliability and redundancy. Computers fail. If you 
have one central router that everything goes through, not only is it a 
performance choke point, but it'll also bring the whole agency to a 
standstill if it should fail. Maybe there isn't a better way to do things 
given your resources, but if there is, try to limit the impact of potential 
failures. Distribute things like routing, and most of the network will keep 
working if one machine fails. Or, if you can, make things redundant.

Cheers
Benjamin
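The layout sketched in the reply above (one subnet per user group plus a dedicated server subnet, traffic between user groups blocked, personal-laptop ports fenced off, the Internet-facing firewall kept out of LAN routing) can be expressed as a pf ruleset on an internal FreeBSD router. The following is an added example written for this page, not a configuration from the thread or from FreeBSD itself; the interface names (em0..em4), the 10.0.x.0/24 address plan, the server addresses and the service ports are all assumptions chosen for illustration. It assumes the box is only an internal router: its em0 link goes to the separate edge firewall, which is the only machine that ever sees Internet traffic.

```pf
# /etc/pf.conf on an internal FreeBSD router (added example, not from the thread).
# All interface names, subnets and server addresses below are assumptions.
ext_if   = "em0"     # link toward the edge firewall, which alone faces the Internet
sales_if = "em1"     # 10.0.10.0/24  sales workstations
eng_if   = "em2"     # 10.0.20.0/24  engineering workstations
srv_if   = "em3"     # 10.0.100.0/24 servers
lap_if   = "em4"     # 10.0.200.0/24 ports reserved for personal laptops

sales_net = $sales_if:network
eng_net   = $eng_if:network
srv_net   = $srv_if:network
lap_net   = $lap_if:network

fileserver  = "10.0.100.10"
mailserver  = "10.0.100.20"
dirserver   = "10.0.100.30"   # directory / authentication, needed by every workstation
eng_testbed = "10.0.100.40"   # testbed that engineering users access, so treated as a server

# Everything this router knows about; used to say "anything except the LAN"
table <internal> const { 10.0.10.0/24, 10.0.20.0/24, 10.0.100.0/24, 10.0.200.0/24 }

set skip on lo0

# Default deny on every interface, logged so misrouted or hostile traffic shows up
block log all

# DHCP: each subnet is served by a dhcpd instance bound to that interface on this
# box, so the request never has to cross a subnet boundary.
pass in quick on { $sales_if $eng_if $lap_if } inet proto udp \
    from any port 68 to any port 67 keep state

# Nothing crosses directly between user-group subnets (worm containment)
block in quick on $sales_if to $eng_net
block in quick on $eng_if   to $sales_net

# Personal laptops: Internet only, no access to any internal subnet
block in quick log on $lap_if to <internal>
pass  in on $lap_if keep state

# Workstations reach only the servers their group needs, on the ports those need
pass in on { $sales_if $eng_if } proto { tcp udp } to $dirserver \
    port { 88 389 636 } keep state
pass in on { $sales_if $eng_if } proto tcp to $mailserver \
    port { 25 143 993 } keep state
pass in on $sales_if proto tcp to $fileserver port 445 keep state
pass in on $eng_if   proto tcp to { $fileserver $eng_testbed } port 445 keep state

# Workstations may go out toward the edge firewall, but not to other LAN subnets
pass in on { $sales_if $eng_if } to ! <internal> keep state

# Replies ride on the state entries created above; this covers the router's own traffic
pass out keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for a while after: every packet that hits a `block log` rule is a user group or laptop trying to reach something the design says it should not, which is exactly the kind of traffic that is hard to notice once subnets share one flat network. Because pf states float across interfaces by default, the forward-path `pass in` rules are enough to let the return packets through; a server subnet does not need its own `pass in` rules for replies, which keeps the server side of the ruleset small and easy to audit.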