No edit summary
 
(12 intermediate revisions by 2 users not shown)
Line 10: Line 10:
=== Overview ===
=== Overview ===
For performance and security reasons, the internal network is segmented into the logical domains listed below.<br>
For performance and security reasons, the internal network is segmented into the logical domains listed below.<br>
Network segmentation is implemented via VLANs on the switch (layer 2: separation of collision domains) and separate IP subnets (layer 3: separation of broadcast domains)


{|
{|
Line 19: Line 18:
|    11    ||  LAN      ||  10.10.11.0/24  ||  lan.fablab.local
|    11    ||  LAN      ||  10.10.11.0/24  ||  lan.fablab.local
|-
|-
|    12   ||  WLAN    ||  10.10.12.0/24  ||  wlan.fablab.local
|    13   ||  GUEST    ||  10.10.13.0/24  ||  guest.fablab.local
|-
|-
|    13    ||  GUEST    ||  10.10.13.0/24  ||  guest.fablab.local
|    -    ||  VPN      ||  10.10.23.0/24  ||  vpn.fablab.local
|-
|-
|    69    ||  ATELIER  ||  10.10.69.0/24  ||  atelier.fablab.local
|    69    ||  ATELIER  ||  10.10.69.0/24  ||  atelier.fablab.local
|-
|    88    ||  DMZ      ||  10.10.88.0/24  ||  dmz.fablab.local
|-
|-
|    99    ||  MGMT    ||  10.10.99.0/24  ||  mgmt.fablab.local
|    99    ||  MGMT    ||  10.10.99.0/24  ||  mgmt.fablab.local
|}
|}
Network segmentation is implemented via VLANs on the switch (layer 2: separation of collision domains) and separate IP subnets (layer 3: separation of broadcast domains)


=== Service Network (VLAN 10: "SRV") ===
=== Service Network (VLAN 10: "SRV") ===
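Review bot: the new VPN row (10.10.23.0/24, VLAN "-") contradicts the rule stated further down under "General network config" that the third octet always equals the VLAN ID; either record VPN as the documented exception there, or pick a subnet the convention can account for. Moving the "Network segmentation is implemented via VLANs ..." sentence below the table is fine, but make sure it is not left in both places in the rendered page.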
Line 34: Line 37:
|'''Connection:'''||Physical link to specific VLAN port
|'''Connection:'''||Physical link to specific VLAN port
|-
|-
|'''Access:'''||Clients are granted access to services through firewall based on ruleset
|'''Access:'''||Clients (from LAN & WLAN segment) are granted access to services through firewall based on ruleset
|}
|}


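Review bot: "Clients (from LAN & WLAN segment)" refers to a WLAN segment that this same edit removes (VLAN 12 is dropped from the overview and wireless clients are folded into VLAN 11). Say "Clients from the LAN segment (wired and wireless)" instead, and check the DHCP section's "LAN, WLAN and GUEST" for the same stale reference.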
Line 42: Line 45:
flz-nas-01    10.10.10.12
flz-nas-01    10.10.10.12
flz-rpi-01    10.10.10.13
flz-rpi-01    10.10.10.13
flz-pr-01      10.10.10.14
</pre>
</pre>


=== Client LAN (VLAN 11: "LAN") ===
=== Client LAN (VLAN 11: "LAN") ===
{|
{|
|'''Hosts:'''||Wired network clients, i.e. shared workstations, access switches etc
|'''Hosts:'''||Wired and wireless network clients, i.e. shared workstations, access switches, notebooks etc
|-
|-
|'''Connection:'''||Access switches located across the FabLab
|'''Connection:'''||Access switches located across the FabLab or wireless connection to SSID "FabLab"
|-
|-
|'''Access:'''||Anyone with physical access to FabLab
|'''Access:'''||Anyone with physical access to FabLab and/or the wireless key
|}
|}


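Review bot: the LAN "Hosts" line now covers wireless clients, but the address block below it still only documents flz-cl-xx 10.10.11.100 - 199, while the old flz-wl-xx 10.10.12.100 - 199 range disappears with VLAN 12. State explicitly that wireless clients draw from the same flz-cl-xx pool so the naming scheme stays unambiguous.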
Line 57: Line 61:
</pre>
</pre>


=== Wireless LAN (VLAN 12: "WLAN") ===
 
=== Guest WLAN (VLAN 13: "GUEST") ===
{|
{|
|'''Hosts:'''||Wireless network clients, i.e. notebooks, smartphones etc
|'''Hosts:'''||External wireless network clients, i.e. visitor notebooks, smartphones
|-
|-
|'''Connection:'''||Over the air: 2.4 and 5 GHz
|'''Connection:'''||Over the air: 2.4 and 5 GHz
|-
|-
|'''Access:'''||Anyone with the proper WiFi key in close proximity to FabLab
|'''Access:'''||Anyone in close proximity to FabLab
|-
|'''Restrictions:'''||Only allowed to connect to the internet, but no internal services
|}
|}


<pre>
<pre>
flz-wl-xx    10.10.12.100 - 199
flz-gl-xx    10.10.13.100 - 199
</pre>
</pre>


=== Guest WLAN (VLAN 13: "GUEST") ===
 
=== VPN (VLAN -) ===
{|
{|
|'''Hosts:'''||External wireless network clients, i.e. visitor notebooks, smartphones
|'''Hosts:'''||Admin access to FabLab network infrastructure
|-
|-
|'''Connection:'''||Over the air: 2.4 and 5 GHz
|'''Connection:'''||OpenVPN connection to fireewall
|-
|-
|'''Access:'''||Anyone in close proximity to FabLab
|'''Access:'''||Anyone with an OpenVPN profile and password
|-
|-
|'''Restrictions:'''||Only allowed to connect to the internet, but no internal services
|'''Restrictions:'''||Network and systems admins only
|}
|}


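Review bot: "fireewall" in the VPN "Connection" row should be "firewall". The new VPN section also has no address block of its own in this hunk; the rendered page shows "flz-gl-xx 10.10.13.100 - 199" under VPN, which is the GUEST range copied verbatim, while the overview assigns VPN 10.10.23.0/24. Give VPN clients a range inside 10.10.23.0/24 with its own host prefix.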
Line 92: Line 100:
|-
|-
|'''Access:'''||Anyone with physical access to the Ateliergemeinschaft
|'''Access:'''||Anyone with physical access to the Ateliergemeinschaft
|-
|'''Status:'''||Not yet implemented
|}
|}


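Review bot: "Status: Not yet implemented" is useful, but the overview table still lists VLAN 69 / 10.10.69.0/24 without qualification; mark that row as planned as well so readers do not assume the physical link through the wall is live.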
Line 99: Line 109:


=== Demilitarized Zone (VLAN 88: "DMZ") ===
=== Demilitarized Zone (VLAN 88: "DMZ") ===
{|
 
|'''Hosts:'''||Internet services like website test and dev environments, Diaspora pods, personal internet hosts etc
{| width="664"
|-
| '''Hosts:'''
| Internet services like website test and dev environments, Diaspora pods, personal internet hosts etc
|-
|-
|'''Connection:'''||Physical link to specific VLAN port
| '''Connection:'''
| Physical link to specific VLAN port
|-
|-
|'''Access:'''||Internet and intranet access based on firewall ruleset
| '''Access:'''
| Internet and intranet access based on firewall ruleset
|}
|}
 
<pre>flz-lqf-01    10.10.88.10</pre>
<pre>
tbd
</pre>


=== Management Network (VLAN 99: "MGMT") ===
=== Management Network (VLAN 99: "MGMT") ===
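Review bot: the rewritten DMZ table uses `{| width="664"` with one cell per line, while every other segment table on the page uses `{|` with `||`-separated cells; keep the shared form unless the fixed width is actually needed. Replacing "tbd" with flz-lqf-01 10.10.88.10 is fine, but the single-line `<pre>` should match the multi-line `<pre>` blocks of the other sections.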

Current revision as of 1 April 2015, 16:15

Network topology

todo: create network topology diagram

Network segments

Overview

For performance and security reasons, the internal network is segmented into the logical domains listed below.

VLAN  Name     Network         Subdomain
10    SRV      10.10.10.0/24   srv.fablab.local
11    LAN      10.10.11.0/24   lan.fablab.local
13    GUEST    10.10.13.0/24   guest.fablab.local
-     VPN      10.10.23.0/24   vpn.fablab.local
69    ATELIER  10.10.69.0/24   atelier.fablab.local
88    DMZ      10.10.88.0/24   dmz.fablab.local
99    MGMT     10.10.99.0/24   mgmt.fablab.local

Network segmentation is implemented via VLANs on the switch (layer 2: separation of collision domains) and separate IP subnets (layer 3: separation of broadcast domains)

Service Network (VLAN 10: "SRV")

Hosts: Internal services such as file servers, printers etc
Connection: Physical link to specific VLAN port
Access: Clients (from LAN & WLAN segment) are granted access to services through firewall based on ruleset
flz-dns-01     10.10.10.10
flz-pos-01     10.10.10.11
flz-nas-01     10.10.10.12
flz-rpi-01     10.10.10.13
flz-pr-01      10.10.10.14

Client LAN (VLAN 11: "LAN")

Hosts: Wired and wireless network clients, i.e. shared workstations, access switches, notebooks etc
Connection: Access switches located across the FabLab or wireless connection to SSID "FabLab"
Access: Anyone with physical access to FabLab and/or the wireless key
flz-cl-xx      10.10.11.100 - 199


Guest WLAN (VLAN 13: "GUEST")

Hosts: External wireless network clients, i.e. visitor notebooks, smartphones
Connection: Over the air: 2.4 and 5 GHz
Access: Anyone in close proximity to FabLab
Restrictions: Only allowed to connect to the internet, but no internal services
flz-gl-xx    10.10.13.100 - 199


VPN (VLAN -)

Hosts: Admin access to FabLab network infrastructure
Connection: OpenVPN connection to firewall
Access: Anyone with an OpenVPN profile and password
Restrictions: Network and systems admins only
flz-gl-xx    10.10.13.100 - 199

Ateliergemeinschaft (VLAN 69: "ATELIER")

Hosts: Ateliergemeinschaft in the former location of FabLab
Connection: Physical link through wall behind the rack
Access: Anyone with physical access to the Ateliergemeinschaft
Status: Not yet implemented
tbd

Demilitarized Zone (VLAN 88: "DMZ")

Hosts: Internet services like website test and dev environments, Diaspora pods, personal internet hosts etc
Connection: Physical link to specific VLAN port
Access: Internet and intranet access based on firewall ruleset
flz-lqf-01    10.10.88.10

Management Network (VLAN 99: "MGMT")

Hosts: Network equipment, server out-of-band management interfaces, serial console servers etc
Connection: Physical link to specific VLAN port
Access: Network and systems admins only
flz-fw-01     10.10.99.1
flz-fw-02     10.10.99.2
flz-sw-01     10.10.99.11
flz-sw-02     10.10.99.12
flz-ap-01     10.10.99.21

General network config

The gateway (i.e. the firewall) is always located at IP 10.10.x.1, and is currently also acting as the central DHCP, DNS and NTP server, as well as an Avahi (bonjour) proxy.

The various subnets are within the private 10/8 range defined by RFC 1918. The local supernet is 10.10/16, subnetted into various /24 networks.

The third octet of the address always corresponds to the VLAN ID of the respective network.

DHCP settings

Range: 10.10.[VLAN].100 - 199
Subnet mask: 255.255.255.0
Gateway: 10.10.[VLAN].1
DNS: 10.10.[VLAN].1
NTP: 10.10.[VLAN].1
Domain: fablab.local (so that DNS entries under .fablab.local can be reached by their short names, because Windows does not seem to properly honour the domain search list provided by DHCP)

DHCP service is provided on LAN, WLAN and GUEST (the latter getting assigned external nameservers)

DNS

The central DNS server, providing forward and reverse name resolution for the various internal networks, is implemented using ISC BIND running on the local firewall. To make things a bit easier, the internal domain fablab.local has DNS aliases (CNAMEs) pointing to the various servers, e.g. fablabnas.fablab.local is actually a DNS CNAME pointing to flz-nas-01.srv.fablab.local, the 'real' name of the NAS device. This way, clients can reach all services simply by their hostnames (e.g. 'ping fablabnas').
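The conventions in "General network config" and "DHCP settings" (gateway at .1, third octet equals the VLAN ID, pool .100-.199, one /24 per segment inside 10.10/16) and the alias scheme in "DNS" are easy to state and easy to drift from, as the VPN entries on this very page show. The following Python is an added example, not part of the wiki page or the FabLab's own tooling: it encodes the segment table, the static host assignments and the client ranges exactly as documented above, checks them against the stated rules, and derives the A, PTR and CNAME records the BIND setup implies. The flz-fw- prefix test for the firewall hosts and the fablabnas alias target are taken from the page; how BIND is actually configured on the firewall is not on the page and is not assumed here.

```python
"""Audit the documented addressing conventions and derive the DNS records.

Added example (not part of the wiki page): encodes the segment table and host
assignments as documented, plus the page's rules: gateway at .1 of each /24,
third octet equals the VLAN ID, DHCP pool .100-.199, and short names under
fablab.local as CNAMEs to <host>.<segment subdomain>.
"""
import ipaddress
from collections import namedtuple
from itertools import combinations

SUPERNET = ipaddress.ip_network("10.10.0.0/16")  # local supernet per the page
Segment = namedtuple("Segment", "vlan name network subdomain")  # vlan None: VPN has no VLAN

# Segment table as documented on the page.
SEGMENTS = [Segment(v, n, ipaddress.ip_network(c), d) for v, n, c, d in [
    (10, "SRV", "10.10.10.0/24", "srv.fablab.local"),
    (11, "LAN", "10.10.11.0/24", "lan.fablab.local"),
    (13, "GUEST", "10.10.13.0/24", "guest.fablab.local"),
    (None, "VPN", "10.10.23.0/24", "vpn.fablab.local"),
    (69, "ATELIER", "10.10.69.0/24", "atelier.fablab.local"),
    (88, "DMZ", "10.10.88.0/24", "dmz.fablab.local"),
    (99, "MGMT", "10.10.99.0/24", "mgmt.fablab.local"),
]]

# Static host assignments as documented on the page.
HOSTS = {
    "flz-dns-01": "10.10.10.10", "flz-pos-01": "10.10.10.11", "flz-nas-01": "10.10.10.12",
    "flz-rpi-01": "10.10.10.13", "flz-pr-01": "10.10.10.14", "flz-lqf-01": "10.10.88.10",
    "flz-fw-01": "10.10.99.1", "flz-fw-02": "10.10.99.2", "flz-sw-01": "10.10.99.11",
    "flz-sw-02": "10.10.99.12", "flz-ap-01": "10.10.99.21",
}

# Client ranges exactly as written on the page (the VPN line repeats the GUEST range).
CLIENT_RANGES = {
    "LAN": ("10.10.11.100", "10.10.11.199"),
    "GUEST": ("10.10.13.100", "10.10.13.199"),
    "VPN": ("10.10.13.100", "10.10.13.199"),
}

# Short names under fablab.local; only fablabnas is on the page.
ALIASES = {"fablabnas": "flz-nas-01"}


def gateway(seg):
    """Page rule: the firewall is always 10.10.x.1."""
    return seg.network.network_address + 1


def dhcp_pool(seg):
    """Page rule: DHCP hands out 10.10.[VLAN].100 - 199."""
    base = seg.network.network_address
    return base + 100, base + 199


def segment_for(ip, segments=SEGMENTS):
    """Segment whose /24 contains ip, or None for an undocumented address."""
    addr = ipaddress.ip_address(ip)
    return next((s for s in segments if addr in s.network), None)


def audit(segments=SEGMENTS, hosts=HOSTS, ranges=CLIENT_RANGES):
    """Findings where the documented data breaks the page's own conventions."""
    findings = []
    for seg in segments:
        third = seg.network.network_address.packed[2]
        if seg.network.prefixlen != 24 or not seg.network.subnet_of(SUPERNET):
            findings.append(f"{seg.name}: {seg.network} is not a /24 inside {SUPERNET}")
        if seg.vlan is None:
            findings.append(f"{seg.name}: no VLAN ID, third octet {third} follows no rule")
        elif seg.vlan != third:
            findings.append(f"{seg.name}: VLAN {seg.vlan} != third octet {third}")
    for a, b in combinations(segments, 2):
        if a.network.overlaps(b.network):
            findings.append(f"{a.name}/{b.name}: {a.network} overlaps {b.network}")
    by_name = {s.name: s for s in segments}
    for name, (lo, hi) in ranges.items():
        net = by_name[name].network
        if ipaddress.ip_address(lo) not in net or ipaddress.ip_address(hi) not in net:
            findings.append(f"{name}: client range {lo}-{hi} lies outside {net}")
    for name, ip in hosts.items():
        seg, addr = segment_for(ip, segments), ipaddress.ip_address(ip)
        if seg is None:
            findings.append(f"{name}: {ip} belongs to no documented segment")
        elif dhcp_pool(seg)[0] <= addr <= dhcp_pool(seg)[1]:
            findings.append(f"{name}: static {ip} collides with the DHCP pool of {seg.name}")
        elif addr == gateway(seg) and not name.startswith("flz-fw-"):
            findings.append(f"{name}: {ip} is the gateway address but not a firewall")
    return findings


def dns_records(hosts=HOSTS, aliases=ALIASES):
    """(owner, type, rdata): A in the segment subdomain, matching PTR, CNAME aliases."""
    records = []
    for name, ip in sorted(hosts.items()):
        fqdn = f"{name}.{segment_for(ip).subdomain}."
        records.append((fqdn, "A", ip))
        records.append((ipaddress.ip_address(ip).reverse_pointer + ".", "PTR", fqdn))
    for alias, target in sorted(aliases.items()):
        real = f"{target}.{segment_for(hosts[target]).subdomain}."
        records.append((f"{alias}.fablab.local.", "CNAME", real))
    return records
```

Run `audit()` against the page's own data and it returns exactly two findings, both about VPN: the segment has no VLAN ID for the third-octet rule to apply to, and its documented client range 10.10.13.100-199 lies outside 10.10.23.0/24. `dns_records()` yields, among others, `flz-nas-01.srv.fablab.local. A 10.10.10.12`, the matching `12.10.10.10.in-addr.arpa. PTR`, and `fablabnas.fablab.local. CNAME flz-nas-01.srv.fablab.local.`; keeping the static list in one place and generating both zones from it is what prevents the forward and reverse zones from disagreeing.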