The aim of this project was to address the underlying network segmentation at the Airports Authority of Trinidad and Tobago (AATT). They have acquired a few Juniper Ethernet switches and distributed them across the three-storey headquarters in Piarco, which the Head of Information Technology identified as the initial step in revamping the existing network infrastructure. The following is a proposal for a network segmentation plan that was developed after thorough analysis of the company's specific needs with regard to the network. Improving the performance of any network requires high-quality techniques and services to achieve optimum performance in all aspects. This solution is focused on the
Around the globe there are places that represent the gates of a country, permitting entry and exit. These places are airports. The importance as well as the sensitivity of these places has led countries and companies to take the necessary measures to provide them with the best possible technology. Preventing any mishap or damage to these facilities is crucial. By using the best possible technologies, we can ensure a high quality of service in these areas. Networking is a crucial part of modern airports as the technology used has important
subnetwork, each called a network segment, a layer of security is added. Network segmentation also increases the overall performance of the network to ensure smooth operations.
Solution Design
This building has six departments: Information Technology, Security, Cargo, Accounts, General Administration and Airport Administration. This network solution and segmentation accounts for a 40 percent expansion over the next 5 years. The building also contains a Data Centre that houses all production servers for the company, and all departments will have access to this Data Centre. There is also an Enterprise PBX present in the building. Due to the sensitive information that these departments hold and exchange with each other, we are going to segment them using VLANs. This improves both the performance and the security of the network. In terms of performance, creating VLANs reduces congestion: on a segmented network there are fewer hosts on each subnetwork, so there is less traffic per segment. Segmentation also optimises the route that data takes, routing it in the most efficient and effective way. In terms of security, if someone were to compromise the network they would only have access to one segment of it, i.e. an attacker who gets onto the network would not have direct access to resources in the other segments. Segmenting the network also gives specific control over visitor access to the network. Broadcasts are also contained within the local segment, which means that the internal network structure is not visible from outside it. Segmentation is also a key factor when troubleshooting a network issue, since the problem will be contained within that segment of the network.
Physical Network Topology
Layer 2 VLAN Design
Using the information given to me, this VLAN segmentation is proposed based on the intended functionality of the network and the flow of traffic. This segmentation of the network will offer a large increase in performance and reliability: hosts on the same layer 2 segment communicate with each other faster than traffic that must be routed between layer 3 interfaces. The proposed VLANs are detailed in the table below:
VLAN                    Rationale
Information Technology  This VLAN will house users in the IT department, who are responsible for running and maintaining the network. Due to the sensitive information it is put on its own VLAN.
Security                This VLAN will house all devices that deliver security footage and information, i.e. camera footage and door entry logs. Due to the sensitive information it is put on its own VLAN.
Cargo                   This VLAN will house all users that deal with cargo services, i.e. luggage from planes and packages. Due to the sensitive information it is put on its own VLAN.
Accounts                This VLAN will house users that deal with the accounting of the company, i.e. sales, transactions etc. Due to the sensitive information it is put on its own VLAN.
General Administration  This VLAN will house members of administration. Management information is stored here, thus making the data here sensitive.
Airport Administration  This VLAN will house Airport Administrators. Management information is stored here, thus making the data here sensitive.
VoIP                    This VLAN will house all IP phones in the building. IP phones are placed on their own VLAN to reduce degradation of call quality.
Guests                  This VLAN will accommodate guests that enter the building. It prevents guests from affecting network performance and protects information within the company.
Data Centre             This VLAN houses the servers that the other VLANs have access to. Putting these on their own VLAN enhances security.
VLAN Naming & Tagging
The following table shows the suggested names and ID tags of the VLANs. There are three columns: VLAN, Programmed Name and VLAN ID (Tag). VLAN is the actual name of the department. Programmed Name is the name of the VLAN as it will be configured on the network devices. The VLAN ID column shows the tag associated with each VLAN.
VLAN                    Programmed Name   VLAN ID (Tag)
Information Technology  IT                100
Security                SECU              200
Cargo                   cargo             300
Accounts                accts             400
General Administration  g_admin           500
Airport Administration  air_admin         600
VoIP                    voip              700
Guests                  guests            800
Data Centre             dc                900
of the business and the distribution of VLANs. Complete and detailed information about the business's performance needs, types of applications running, type of traffic, number of hosts and any other element that is on the network. VLANs are broadcast domains, and it is good practice to reduce or control the span of broadcast domains in general. Below is a logical topology of the network to better visualise the VLANs and their respective ports and VLAN IDs.
Layer 3 Approach
There is more than one way to achieve inter-VLAN routing. Using the information given, the option available to the AATT is to use the Juniper switches, which support layer 3 interfaces. There are both layer 2 and layer 3 switches in this design. The core will be a layer 3 switch and will serve as the distribution point. Trunk ports will be configured on the core switch to allow more than one VLAN's traffic to pass through a single port. This design will have a firewall operating at the layer 3 switch, which is the core of the network.
IP Segmentation Design
The core switch was identified as layer 3 and the edge switches will be layer 2. Using the existing IP addressing information, I was able to come up with the table below suggesting the IP addressing
the VLANs mentioned require routing and therefore each has an associated IP address used to reach that VLAN. These IPs are the gateways for the associated VLANs. Below is a table that lists the proposed IP addresses of the VLANs; please note that the actual names of the departments are listed for clarification purposes.
VLAN                    Subnet              Gateway
Information Technology  172.168.11.64/26    172.168.11.65
Security                172.168.9.128/25    172.168.9.129
Cargo                   172.168.10.192/26   172.168.10.193
Accounts                172.168.10.128/26   172.168.10.129
General Administration  172.168.11.0/26     172.168.11.1
Airport Administration  172.168.9.0/25      172.168.9.1
VoIP                    172.168.10.0/25     172.168.10.1
Guests                  172.168.8.0/24      172.168.8.1
Data Centre             172.168.11.128/27   static addressing (see Appendix)
The subnet masks of the respective
protocol automatically leases IP addresses to connected end devices on the network so that they can communicate. It does this by selecting an IP address from the specified DHCP pool and configuring the device's IPv4 settings accordingly. The lease time of the address can be changed in different areas of the network; for example, you would want to reduce the lease time of IP addresses on the guest network, as you want to limit guests' activity on the network.
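As an added example (not part of the original proposal, and not AATT's or Juniper's own configuration), the following Junos commands show how the two points above would be applied on the core layer 3 switch for the guest VLAN: a shorter DHCP lease on the 172.168.8.0/24 guest pool, and a firewall filter on the guest routed interface (vlan.800) so that guests can still obtain a lease and reach their gateway, but are dropped, and counted, when they try to reach the department, VoIP or Data Centre ranges. The filter name GUEST-IN, the counter name guest-to-internal, the 1800-second lease and the use of 172.168.9.0/24 and 172.168.10.0/23 as the two aggregate internal ranges are my assumptions; the prefixes themselves come from the proposal's own addressing plan.

```junos
# Shorter leases for guests: addresses are recycled quickly once a visitor leaves.
set system services dhcp pool 172.168.8.0/24 default-lease-time 1800
set system services dhcp pool 172.168.8.0/24 maximum-lease-time 3600

# Let guests talk to the DHCP server (UDP/67) before anything is filtered.
set firewall family inet filter GUEST-IN term allow-dhcp from protocol udp
set firewall family inet filter GUEST-IN term allow-dhcp from destination-port 67
set firewall family inet filter GUEST-IN term allow-dhcp then accept

# Drop, and count, any guest traffic aimed at the internal ranges:
# 172.168.9.0/24 covers Security and Airport Administration,
# 172.168.10.0/23 covers Cargo, Accounts, VoIP, IT, General Administration and the Data Centre.
set firewall family inet filter GUEST-IN term deny-internal from destination-address 172.168.9.0/24
set firewall family inet filter GUEST-IN term deny-internal from destination-address 172.168.10.0/23
set firewall family inet filter GUEST-IN term deny-internal then count guest-to-internal
set firewall family inet filter GUEST-IN term deny-internal then discard

# Everything else (the guest gateway, the Internet) is allowed.
set firewall family inet filter GUEST-IN term allow-rest then accept

# Apply the filter to traffic entering the switch from the guest VLAN.
set interfaces vlan unit 800 family inet filter input GUEST-IN
```

The counter is the useful part for operations: `show firewall filter GUEST-IN` reports how many guest packets were aimed at internal addresses, which is a simple signal that someone on the guest network is probing the company segments. If guests are meant to resolve names through a DNS server in the Data Centre range, add an accept term for UDP/TCP port 53 to that host ahead of deny-internal, since the deny term would otherwise block it.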
Appendix
Core switch
Creating VLANs
set vlans IT vlan-id 100
set vlans SECU vlan-id 200
set vlans cargo vlan-id 300
set vlans accts vlan-id 400
set vlans g_admin vlan-id 500
set vlans air_admin vlan-id 600
set vlans voip vlan-id 700
set vlans guests vlan-id 800
set vlans dc vlan-id 900
Configuring trunk ports so that the VLANs can pass information through one port and data from any department can reach the core. The guest network is excluded from the members listing.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode trunk vlan members all
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk vlan members all
Configuring DHCP across the network
IT
set system services dhcp pool 172.168.11.64/26
set system services dhcp pool 172.168.11.64/26 address-range low 172.168.11.66 high 172.168.11.126
set system services dhcp pool 172.168.11.64/26 router 172.168.11.65
Security
set system services dhcp pool 172.168.9.128/25
set system services dhcp pool 172.168.9.128/25 address-range low 172.168.9.130 high 172.168.9.254
set system services dhcp pool 172.168.9.128/25 router 172.168.9.129
Cargo
set system services dhcp pool 172.168.10.192/26
set system services dhcp pool 172.168.10.192/26 address-range low 172.168.10.194 high 172.168.10.254
set system services dhcp pool 172.168.10.192/26 router 172.168.10.193
Accounts
set system services dhcp pool 172.168.10.128/26
set system services dhcp pool 172.168.10.128/26 address-range low 172.168.10.130 high 172.168.10.190
set system services dhcp pool 172.168.10.128/26 router 172.168.10.129
General Administration
set system services dhcp pool 172.168.11.0/26
set system services dhcp pool 172.168.11.0/26 address-range low 172.168.11.2 high 172.168.11.62
set system services dhcp pool 172.168.11.0/26 router 172.168.11.1
Airport Administration
set system services dhcp pool 172.168.9.0/25
set system services dhcp pool 172.168.9.0/25 address-range low 172.168.9.2 high 172.168.9.126
set system services dhcp pool 172.168.9.0/25 router 172.168.9.1
Guests
set system services dhcp pool 172.168.8.0/24
set system services dhcp pool 172.168.8.0/24 address-range low 172.168.8.2 high 172.168.8.254
set system services dhcp pool 172.168.8.0/24 router 172.168.8.1
VoIP
set system services dhcp pool 172.168.10.0/25
set system services dhcp pool 172.168.10.0/25 address-range low 172.168.10.2 high 172.168.10.126
set system services dhcp pool 172.168.10.0/25 router 172.168.10.1
Data Centre
The Data Centre will not get its IP addresses from DHCP; its servers will be addressed statically instead, as you would not want a server's IP address to change whenever information is needed from it. Spare addresses have been allocated in case more servers are added to the network.
Server address: 172.168.11.128/27
Edge Switches
Creating VLANs
set vlans IT vlan-id 100
set vlans SECU vlan-id 200
set vlans cargo vlan-id 300
set vlans accts vlan-id 400
set vlans g_admin vlan-id 500
set vlans air_admin vlan-id 600
set vlans voip vlan-id 700
set vlans guests vlan-id 800
set vlans dc vlan-id 900
Assigning one access port per VLAN for testing purposes, with each port configured as an access port.
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access vlan members IT
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access vlan members SECU
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access vlan members cargo
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access vlan members accts
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access vlan members g_admin
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access vlan members air_admin
set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access vlan members voip
set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode access vlan members guests
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode access vlan members dc
Setting the gateway address for each VLAN's routed interface. In this design the inter-VLAN routing is performed by the layer 3 core switch, so these commands are applied there. Each unit carries the gateway address that DHCP hands out as the router for that VLAN (a host address within the subnet, not the network address), and each VLAN is bound to its routed interface with l3-interface so that the interface comes up. The Data Centre gateway follows the same first-usable-address convention as the other VLANs.
set interfaces vlan unit 100 family inet address 172.168.11.65/26
set vlans IT l3-interface vlan.100
set interfaces vlan unit 200 family inet address 172.168.9.129/25
set vlans SECU l3-interface vlan.200
set interfaces vlan unit 300 family inet address 172.168.10.193/26
set vlans cargo l3-interface vlan.300
set interfaces vlan unit 400 family inet address 172.168.10.129/26
set vlans accts l3-interface vlan.400
set interfaces vlan unit 500 family inet address 172.168.11.1/26
set vlans g_admin l3-interface vlan.500
set interfaces vlan unit 600 family inet address 172.168.9.1/25
set vlans air_admin l3-interface vlan.600
set interfaces vlan unit 700 family inet address 172.168.10.1/25
set vlans voip l3-interface vlan.700
set interfaces vlan unit 800 family inet address 172.168.8.1/24
set vlans guests l3-interface vlan.800
set interfaces vlan unit 900 family inet address 172.168.11.129/27
set vlans dc l3-interface vlan.900