Internal Network: Difference between revisions
Revision as of 3 May 2014, 18:02
Network topology
Network segments
The internal network is segmented into the following logical domains, implemented via VLANs on the switch and separate IP subnets:
VLAN | Name | Network | Subdomain | Purpose |
10 | SRV | 10.10.10.0/24 | srv.fablab.local | Service network: Servers, printers etc |
11 | LAN | 10.10.11.0/24 | lan.fablab.local | Local Area Network: Clients using Ethernet cable infrastructure |
12 | WLAN | 10.10.12.0/24 | wlan.fablab.local | Wireless Network: Authenticated clients using WiFi infrastructure |
13 | GUEST | 10.10.13.0/24 | guest.fablab.local | Guest Network: Unauthenticated clients using WiFi infrastructure |
69 | ATELIER | 10.10.69.0/24 | atelier.fablab.local | Ateliergemeinschaft: The Ateliergemeinschaft next door |
99 | MGMT | 10.10.99.0/24 | mgmt.fablab.local | Management network: Management interfaces of switches, access points, servers etc |
Network details
Service Network (VLAN 10: "SRV")
Hosts: Internal services such as file servers, printers etc
Connection: Physical link to specific VLAN port
Access: Clients are granted access to services through firewall based on ruleset

flz-dns-01 10.10.10.10
flz-pos-01 10.10.10.11
flz-nas-01 10.10.10.12
Client LAN (VLAN 11: "LAN")
Hosts: Wired network clients, i.e. shared workstations, access switches etc
Connection: Access switches located across the FabLab
Access: Anyone with physical access to FabLab

flz-cl-xx 10.10.11.100 - 199
Wireless LAN (VLAN 12: "WLAN")
Hosts: Wireless network clients, i.e. notebooks, smartphones etc
Connection: Over the air
Access: Anyone with the proper WiFi key in close proximity to FabLab

flz-wl-xx 10.10.12.100 - 199
Guest WLAN (VLAN 13: "GUEST")
Hosts: External wireless network clients, i.e. visitor notebooks, smartphones
Connection: Over the air
Access: Anyone with the FabLab WiFi key in close proximity to FabLab
Restrictions: Is only allowed to connect to the internet, but no internal services

flz-gl-xx 10.10.13.100 - 199
Ateliergemeinschaft (VLAN 69: "ATELIER")
Hosts: Ateliergemeinschaft in the former location of FabLab
Connection: Physical link through wall behind the rack
Access: Anyone with physical access to the Ateliergemeinschaft
tbd
Demilitarized Zone (VLAN 88: "DMZ")
Hosts: Internet services like website test and dev environments, Diaspora pods, personal internet hosts etc
Connection: Physical link to specific VLAN port
Access: Internet and intranet access based on firewall ruleset
tbd
Management Network (VLAN 99: "MGMT")
Hosts: Network equipment, server out-of-band management interfaces, serial console servers etc
Connection: Physical link to specific VLAN port
Access: Network and systems admins only

flz-fw-01 10.10.99.1
flz-fw-02 10.10.99.2
flz-sw-01 10.10.99.11
flz-sw-02 10.10.99.12
flz-ap-01 10.10.99.21
General network config
The gateway (i.e. the firewall) is always located at IP 10.10.x.1, and is currently also acting as the central DHCP, DNS and NTP server, as well as an Avahi (bonjour) proxy.
The various subnets are within the private 10/8 range defined by RFC 1918. The local supernet is 10.10/16, subnetted into various /24 networks.
The third octet of the address always corresponds to the VLAN ID of the respective network.
DHCP settings
Range: 10.10.[VLAN].100 - 199
Subnet mask: 255.255.255.0
Gateway: 10.10.[VLAN].1
DNS: 10.10.[VLAN].1
NTP: 10.10.[VLAN].1
Domain: fablab.local (in order to make DNS entries under .fablab.local directly accessible, because Windows does not seem to properly respect domain search lists provided by DHCP)

DHCP service is provided on LAN, WLAN and GUEST (the latter getting assigned external nameservers).
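The addressing rules above (third octet equals the VLAN ID, gateway at .1, DHCP pool .100-.199 on LAN, WLAN and GUEST only) are easy to verify mechanically. The following is an added example, not part of the original page or the FabLab's own tooling: it encodes the plan and audits a static host inventory for addresses that fall outside the documented subnets, collide with a DHCP pool, or squat on a gateway address. The inventory mixes hosts listed on this page with one constructed bad entry (flz-cl-42).

```python
import ipaddress

# Address plan as documented on this page: the third octet is the VLAN ID,
# the gateway is always .1 and DHCP serves .100-.199 on LAN, WLAN and GUEST.
# VLAN 88 (DMZ) is taken from the "Network details" section, not the table.
SUPERNET = ipaddress.ip_network("10.10.0.0/16")
VLANS = {10: "SRV", 11: "LAN", 12: "WLAN", 13: "GUEST",
         69: "ATELIER", 88: "DMZ", 99: "MGMT"}
DHCP_VLANS = {11, 12, 13}
POOL_FIRST, POOL_LAST = 100, 199

# Static hosts from the page plus one constructed bad entry: a static
# address that sits inside the LAN DHCP pool and will eventually collide.
INVENTORY = {"flz-dns-01": "10.10.10.10", "flz-nas-01": "10.10.10.12",
             "flz-fw-01": "10.10.99.1", "flz-sw-01": "10.10.99.11",
             "flz-cl-42": "10.10.11.150"}   # constructed, not on the page

def vlan_of(ip):
    """VLAN derived from the third octet; None if outside 10.10/16."""
    addr = ipaddress.ip_address(ip)
    return addr.packed[2] if addr in SUPERNET else None

def subnet(vlan):
    return ipaddress.ip_network(f"10.10.{vlan}.0/24")

def gateway(vlan):
    return subnet(vlan)[1]  # the .1 address, i.e. the firewall

def dhcp_pool(vlan):
    """(first, last) of the DHCP range, or None where no DHCP is served."""
    if vlan not in DHCP_VLANS:
        return None
    return subnet(vlan)[POOL_FIRST], subnet(vlan)[POOL_LAST]

def check_host(name, ip):
    """Findings for one static assignment; an empty list means consistent."""
    vlan = vlan_of(ip)
    if vlan not in VLANS:
        return [f"{name}: {ip} is not inside a documented VLAN subnet"]
    addr, pool, findings = ipaddress.ip_address(ip), dhcp_pool(vlan), []
    if pool and pool[0] <= addr <= pool[1]:
        findings.append(f"{name}: {ip} lies inside the DHCP pool of VLAN {vlan}")
    if addr == gateway(vlan) and not name.startswith("flz-fw-"):
        findings.append(f"{name}: {ip} is the gateway address of VLAN {vlan}")
    return findings

def audit(hosts):
    """Return only the hosts that have findings, keyed by hostname."""
    return {n: f for n, f in ((n, check_host(n, ip)) for n, ip in hosts.items()) if f}
```

Running `audit(INVENTORY)` reports only flz-cl-42; the firewall at 10.10.99.1 is accepted because the gateway address is reserved for it by the plan.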
DNS
The central DNS server, providing forward and reverse name resolution for the various internal networks, is implemented using ISC BIND running on the local firewall. In order to make things a bit easier, the internal domain fablab.local has DNS aliases (CNAMEs) pointing to the various servers, e.g. fablabnas.fablab.local is actually a DNS CNAME pointing to flz-nas-01.srv.fablab.local, the 'real' name of the NAS device. This way, clients can simply reach all services by using their hostnames (e.g. 'ping fablabnas').