
Network Design for The Airport Authority of Trinidad and Tobago (AATT)

By: Keiron Bisnauth
Abstract

The aim of this project was to address the underlying network segmentation at the Airports Authority of Trinidad and Tobago (AATT). They have acquired a few Juniper Ethernet switches and distributed them across the 3-storey headquarters in Piarco, which the Head of Information Technology identified as the initial step in revamping the existing network infrastructure. The following is a proposal for a network segmentation plan that was developed after thorough analysis of the company's specific networking needs. Improving the performance of any network requires high-quality techniques and services to achieve optimum performance in all aspects. This solution is focused on the flexibility, performance and reliability of the network.


Introduction

Around the globe there are places that represent the gates of a country, permitting entry and exit. These places are airports. The importance as well as the sensitivity of these places has led countries and companies to take the necessary measures to provide them with the best possible technology. Preventing any mishap or damage to these facilities is crucial. By using the best possible technologies, we can ensure that there is a high quality of service at these sites. Networking is a crucial part of modern airports, as the technology used has important responsibilities on the network. By segmenting a network, that is, splitting a computer network into subnetworks, each called a network segment, a layer of security is added. Network segmentation also increases the overall performance of the network to ensure smooth operations.
Solution Design

This building has six different departments: Information Technology, Security, Cargo, Accounts, General Administration and Airport Administration. This network solution and segmentation accounts for a 40 percent expansion over the next 5 years. The building also contains a Data Centre that houses all production servers for the company, and all the departments will have access to this Data Centre. There is also an Enterprise PBX present in the building. Due to the sensitive information that these departments hold and communicate amongst each other, we are going to segment these departments using VLANs. This will improve both the performance and the security of the network. In terms of performance, once the VLANs are created the network's congestion will be reduced, because on a segmented network there are fewer hosts on each subnetwork, which minimises traffic. Segmentation of a network also optimises the route that data takes, routing it in the most efficient and effective way. In terms of security, if someone were to compromise the network they would only have access to one segment of it, i.e. attackers, once on the network, would not have direct access to resources in other segments. By segmenting the network you also gain specific control over visitor access to the network. Broadcasts will also be contained within the local segment, which means that the internal network structure will not be visible from outside that segment. Segmentation is also a key factor when troubleshooting a network issue, i.e. the problem will be contained in that segment of the network.
Physical Network Topology

Layer 2 VLAN Design

By using the information given to me, this VLAN segmentation was proposed based on the intended functionality of the network and the flow of traffic. This segmentation of the network will offer a large increase in performance and reliability. Layer 2 interfaces communicate amongst each other faster than layer 3 interfaces. The VLANs that are proposed are detailed in the table below:

VLAN: Rationale

Information Technology: This VLAN will house users in the IT department, which is responsible for running and maintaining the network. Due to the sensitive information it handles, it is put on its own VLAN.
Security: This VLAN will house all devices that deliver security footage and information, i.e. camera footage and door entry logs. Due to the sensitive information, it is put on its own VLAN.
Cargo: This VLAN will house all users that deal with cargo services, i.e. luggage from planes and packages. Due to the sensitive information, it is put on its own VLAN.
Accounts: This VLAN will house users that deal with the accounting of the company, i.e. sales, transactions etc. Due to the sensitive information, it is put on its own VLAN.
General Administration: This VLAN will house members of administration. Management information is stored here, thus making the data here sensitive.
Airport Administration: This VLAN will house airport administrators. Management information is stored here, thus making the data here sensitive.
VoIP: This VLAN will house all IP phones in the building. IP phones are placed on their own VLAN to reduce degradation of call quality.
Guests: This VLAN will accommodate guests that enter the building. It also prevents guests from affecting network performance and protects information within the company.
Data Centre: This VLAN houses the servers that the other VLANs have access to. Putting these on their own VLAN enhances security.
VLAN Naming & Tagging

The following table shows the suggested names and ID tags of the VLANs. There are three columns: VLAN, Programmed Name and VLAN ID (TAG). VLAN is the actual name of the department. Programmed Name shows the name of the VLAN that is going to be configured on the network devices. The VLAN ID column shows the tag associated with each VLAN.

VLAN                      Programmed Name   VLAN ID (TAG)
Information Technology    IT                100
Security                  SECU              200
Cargo                     Cargo             300
Accounts                  Accts             400
General Administration    G_admin           500
Airport Administration    Air_admin         600
VoIP                      VoIP              700
Guests                    Guests            800
Data Centre               DC                900
VLAN Distribution

Design element: when designing any network, it is critical to fully understand the actual needs of the business and the distribution of VLANs. Complete and detailed information is needed about the business's performance needs, the types of applications running, the type of traffic, the number of hosts and any other element that depends on the network. VLANs are broadcast domains, and it is good practice to reduce or control the span of broadcast domains in general. Below is a logical topology of the network to better visualise the VLANs and their respective ports and VLAN IDs.
Layer 3 Approach

There is more than one way to achieve inter-VLAN routing. Using the information given, the option available to the AATT is to use the Juniper switches, which support layer 3 interfaces. There are both layer 2 and layer 3 switches in this design. The core will be a layer 3 switch and will serve as the distribution point. Trunk ports will be configured on the core switch to allow more than one VLAN's traffic to pass through a single port. This design will have a firewall operating at the layer 3 switch, which is the core of the network.

IP Segmentation Design

The core switch was identified as layer 3 and the edge switches will be layer 2. Using the existing IP addressing information, I was able to come up with the table below suggesting the IP addressing design, with subnets as well.


VLAN IP Interfaces

All the proposed VLANs mentioned will be created on both the core and edge switches. All the VLANs mentioned require routing and therefore have an associated IP address through which each VLAN is reached. These IPs are the gateways for the associated VLANs. Below is a table that lists the proposed IP addresses of said VLANs; please note that the actual names of the departments are listed for clarification purposes. The subnet masks of the respective departments are listed as well.

VLAN                      IP Address           Subnet Mask
Information Technology    172.168.11.64/26     255.255.255.192
Security                  172.168.9.128/25     255.255.255.128
Cargo                     172.168.10.192/26    255.255.255.192
Accounts                  172.168.10.128/26    255.255.255.192
General Administration    172.168.11.0/26      255.255.255.192
Airport Administration    172.168.9.0/25       255.255.255.128
VoIP                      172.168.10.0/25      255.255.255.128
Guests                    172.168.8.0/24       255.255.255.0
Data Centre               172.168.11.128/27    255.255.255.224


IP Address Management and Distribution

In any network, the way you distribute IP addresses is important. In this network design, the allocation of IP addresses is done by DHCP, or Dynamic Host Configuration Protocol. This protocol automatically leases IP addresses to end devices connected to the network so that they can communicate on it. It does this by selecting an IP address from the specified DHCP pool and configuring the device's IPv4 settings accordingly. The lease time of the addresses can be changed in different areas of the network; for example, you would want to reduce the lease time of IP addresses for the guest network, as you want to limit their activity on the network.
Appendix

Below is a list of the configurations that will be programmed onto the switches.

Core switch
Creating VLANS
set vlans IT vlan-id 100
set vlans SECU vlan-id 200
set vlans cargo vlan-id 300
set vlans accts vlan-id 400
set vlans g_admin vlan-id 500
set vlans air_admin vlan-id 600
set vlans voip vlan-id 700
set vlans guests vlan-id 800
set vlans dc vlan-id 900

Setting network address for the VLANS


set interfaces vlan unit 100 family inet address 172.168.11.65/26
set interfaces vlan unit 200 family inet address 172.168.9.129/25
set interfaces vlan unit 300 family inet address 172.168.10.193/26
set interfaces vlan unit 400 family inet address 172.168.10.129/26
set interfaces vlan unit 500 family inet address 172.168.11.1/26
set interfaces vlan unit 600 family inet address 172.168.9.1/25
set interfaces vlan unit 700 family inet address 172.168.10.1/25
set interfaces vlan unit 800 family inet address 172.168.8.1/24
set interfaces vlan unit 900 family inet address 172.168.11.129/27
Configuring VLANS to be layer 3 interfaces
set vlans IT l3-interface vlan.100
set vlans SECU l3-interface vlan.200
set vlans cargo l3-interface vlan.300
set vlans accts l3-interface vlan.400
set vlans g_admin l3-interface vlan.500
set vlans air_admin l3-interface vlan.600
set vlans voip l3-interface vlan.700
set vlans guests l3-interface vlan.800
set vlans dc l3-interface vlan.900

Configuring trunk ports so that multiple VLANs can pass traffic through one port, allowing data from any department to be reached. The guest network is excluded from the members listing.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk vlan members all
Configuring DHCP across the network

IT
set system services dhcp pool 172.168.11.64/26
set system services dhcp pool 172.168.11.64/26 address-range low 172.168.11.66 high 172.168.11.126
set system services dhcp pool 172.168.11.64/26 router 172.168.11.65

Security
set system services dhcp pool 172.168.9.128/25
set system services dhcp pool 172.168.9.128/25 address-range low 172.168.9.130 high 172.168.9.254
set system services dhcp pool 172.168.9.128/25 router 172.168.9.129

Cargo
set system services dhcp pool 172.168.10.192/26
set system services dhcp pool 172.168.10.192/26 address-range low 172.168.10.194 high 172.168.10.254
set system services dhcp pool 172.168.10.192/26 router 172.168.10.193

Accounts
set system services dhcp pool 172.168.10.128/26
set system services dhcp pool 172.168.10.128/26 address-range low 172.168.10.130 high 172.168.10.190
set system services dhcp pool 172.168.10.128/26 router 172.168.10.129

General Administration
set system services dhcp pool 172.168.11.0/26
set system services dhcp pool 172.168.11.0/26 address-range low 172.168.11.2 high 172.168.11.62
set system services dhcp pool 172.168.11.0/26 router 172.168.11.1

Airport Administration
set system services dhcp pool 172.168.9.0/25
set system services dhcp pool 172.168.9.0/25 address-range low 172.168.9.2 high 172.168.9.126
set system services dhcp pool 172.168.9.0/25 router 172.168.9.1

Guests
set system services dhcp pool 172.168.8.0/24
set system services dhcp pool 172.168.8.0/24 address-range low 172.168.8.2 high 172.168.8.254
set system services dhcp pool 172.168.8.0/24 router 172.168.8.1

VoIP
set system services dhcp pool 172.168.10.0/25
set system services dhcp pool 172.168.10.0/25 address-range low 172.168.10.2 high 172.168.10.126
set system services dhcp pool 172.168.10.0/25 router 172.168.10.1

Data Centre
The Data Centre will not get IP addresses from DHCP; its servers will be assigned static addresses instead, since you would not want a server's IP address to change whenever information is needed from it. Spare addresses in the subnet were reserved in case more servers are added to the network.
Server subnet: 172.168.11.128/27
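As an added sanity check written for this edit (it is not part of the original proposal), the following Python script validates the addressing plan transcribed from the VLAN IP table and the core-switch DHCP pools above: each gateway must be a usable host in its subnet, each DHCP range must sit inside its subnet without leasing the gateway, subnets must not overlap, and the script flags that 172.168.0.0/16 lies outside RFC 1918 private space. It assumes the Data Centre VLAN is static-only, as the note above states, so that VLAN carries no DHCP range.

```python
"""Sanity-check the AATT VLAN addressing plan: subnets, gateways and DHCP pools."""
import ipaddress

# Plan transcribed from the VLAN IP table and the core-switch DHCP pools above:
# (VLAN name, subnet, gateway, DHCP low, DHCP high). The Data Centre VLAN is
# static-only per the design note, so it carries no DHCP range.
PLAN = [
    ("IT",        "172.168.11.64/26",  "172.168.11.65",  "172.168.11.66",  "172.168.11.126"),
    ("SECU",      "172.168.9.128/25",  "172.168.9.129",  "172.168.9.130",  "172.168.9.254"),
    ("cargo",     "172.168.10.192/26", "172.168.10.193", "172.168.10.194", "172.168.10.254"),
    ("accts",     "172.168.10.128/26", "172.168.10.129", "172.168.10.130", "172.168.10.190"),
    ("g_admin",   "172.168.11.0/26",   "172.168.11.1",   "172.168.11.2",   "172.168.11.62"),
    ("air_admin", "172.168.9.0/25",    "172.168.9.1",    "172.168.9.2",    "172.168.9.126"),
    ("voip",      "172.168.10.0/25",   "172.168.10.1",   "172.168.10.2",   "172.168.10.126"),
    ("guests",    "172.168.8.0/24",    "172.168.8.1",    "172.168.8.2",    "172.168.8.254"),
    ("dc",        "172.168.11.128/27", "172.168.11.129", None,             None),
]

def check_plan(plan):
    """Return a list of findings; an empty list means the plan passed every check."""
    findings, seen = [], []
    for name, cidr, gw, low, high in plan:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects a CIDR with host bits set
        gateway = ipaddress.ip_address(gw)
        # The gateway must be a usable host: inside the subnet and neither the
        # network nor the broadcast address (a network address such as .64/26
        # on an L3 interface is a misconfiguration, not a gateway).
        if gateway not in net or gateway in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: gateway {gw} is not a usable host in {cidr}")
        if low is not None:
            lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
            if not (net.network_address < lo <= hi < net.broadcast_address):
                findings.append(f"{name}: DHCP range {low}-{high} is not inside {cidr}")
            elif lo <= gateway <= hi:
                findings.append(f"{name}: DHCP range {low}-{high} would lease the gateway")
        # RFC 1918 private space is 10/8, 172.16/12 and 192.168/16; 172.168/16 is
        # publicly routable space, so internal hosts would shadow its real holder.
        if not net.is_private:
            findings.append(f"{name}: {cidr} is outside RFC 1918 private space")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        seen.append((name, net))
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan is clean"]:
        print(finding)
```

Run against the plan as written, the only findings are the nine RFC 1918 warnings; the same checks catch a gateway set to the network address, as in the edge-switch block below.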
Edge Switches
Creating VLANS
set vlans IT vlan-id 100
set vlans SECU vlan-id 200
set vlans cargo vlan-id 300
set vlans accts vlan-id 400
set vlans g_admin vlan-id 500
set vlans air_admin vlan-id 600
set vlans voip vlan-id 700
set vlans guests vlan-id 800
set vlans dc vlan-id 900

Assigning ports to VLANs, one port per VLAN for testing purposes, and making the ports access ports.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access vlan members IT
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access vlan members SECU
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access vlan members cargo
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access vlan members accts
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access vlan members g_admin
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access vlan members air_admin
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access vlan members voip
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode access vlan members guests
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode access vlan members dc
Setting network address for the VLANS
set interfaces vlan unit 100 family inet address 172.168.11.64/26
set interfaces vlan unit 200 family inet address 172.168.9.128/25
set interfaces vlan unit 300 family inet address 172.168.10.192/26
set interfaces vlan unit 400 family inet address 172.168.10.128/26
set interfaces vlan unit 500 family inet address 172.168.11.0/26
set interfaces vlan unit 600 family inet address 172.168.9.0/25
set interfaces vlan unit 700 family inet address 172.168.10.0/25
set interfaces vlan unit 800 family inet address 172.168.8.0/24
set interfaces vlan unit 900 family inet address 172.168.11.128/27
