XYZ is an organization whose offices are distributed across two locations. The organization has three departments, which are to be connected as part of a single network. Even though the three departments share one network, some access control is required for the traffic between departments. Each department has desktop computers, and there are also some laptops and servers that are part of the network.
This document describes the network design proposed for the XYZ organization, considering easy and efficient connections between devices, staff and customers.
In the modern world, all organizations use computers to make their day-to-day work faster and more efficient. These organizations have many computers and servers that need to exchange data with each other at regular intervals. Here we describe a new network design for the XYZ organization, which has offices at two different locations. The main office is at Sippy Downs and occupies two floors; the other office is at Petrie. At the main office there are 15 staff members on each floor, while there are 10 staff members at the other office. In addition to the desktop computer allocated to each employee, there are some laptops and four servers that are part of the organization's network. As the organization is divided into departments, the network must be divided as well so that access restrictions can be imposed between the departments. To achieve this, we divide the network into subnets and allocate IP addresses (public and private) from the address ranges given. Here we consider all the requirements that XYZ has for the network and design a network that meets them.
2. Network Topology Design:
There are two approaches to designing the required network: the top-down approach or the bottom-up approach. For our design we take the top-down approach. This means that we start from the main components and work outward until the end devices are connected to them.
We start the network at the entry point into the XYZ organization, the ISP's router (ISP-R). ISP-R sends and receives all of XYZ's data to and from the internet and also carries data between the offices at the two locations. ISP-R is directly connected to the primary router at each office location. These two routers are called Sippy-R and Petrie-R. Each of these routers is responsible for forwarding all the data at its location either to the internet or to the other office's router (via ISP-R). Next, the devices within each office must be connected to that office's router. Let us take each office separately.
Sippy Office: As this office has two floors and each floor hosts a different department, additional hardware is needed. We use switches to extend the network from the router to both floors and to the servers. Each floor at the Sippy office has one switch, directly connected to the router (Sippy-R) (Avin et al., 2018), and the desktop computers and laptops on that floor connect to it. For the servers we use two further switches, again directly connected to Sippy-R. Two server switches are used so that the servers can be placed in two separate subnets, which lets us restrict who may reach the internal servers independently of who may reach the external, client-facing servers. If all servers hung off a single switch in one subnet, applying different policies to the two kinds of server would be difficult. The primary purpose of these four switches is therefore to create four subnets: one for the sales department, one for the administration department, one for the internal servers and one for the external, client-facing servers. Because every packet travelling between two subnets must pass through Sippy-R, the network administrator can enforce the organization's policies with rules configured on that router; a switch on its own forwards traffic freely between the hosts attached to it, so the subnet boundary is what makes the rules possible. To conclude, the main office has one router (Sippy-R), four switches connecting all the devices, and four subnets in total.
Petrie Office: This office has only 10 employees, all of whom belong to the same department. The primary router at this site is Petrie-R. As there is a single department, one subnet is sufficient, so we add one switch connected to Petrie-R and connect all the desktop computers in this office to that switch.
The network topology for the two offices connects all the devices and creates five subnets within the organization's network (Róka, 2021): three for the three departments and two for the servers. All connections are wired (the assumption is that a wireless network is not required for this organization), using Cat5 twisted-pair cables terminated with RJ45 connectors.
IP Addressing Plan:
The IP addressing plan for XYZ is crucial, because address allocation follows the subnet design and the subnets are what the access-control rules between departments are written against. As discussed in the previous section, there are five subnets in the organization's network. The private network address given is 192.168.110.0/24 and the public block given is 184.108.40.206/27. (Note that /27 blocks start on multiples of 32, so the /27 that contains 184.108.40.206 has network address 184.108.40.192, usable addresses 184.108.40.193 to 184.108.40.222 and broadcast address 184.108.40.223.) Let us now calculate the address range for each subnet, starting with the private addresses.
Subnet 1 (Sales Department):
Even though there are only 15 devices in this department, we allocate more addresses with future growth in mind. The whole private block is a /24 (255.255.255.0, 256 addresses), so there is room to give this subnet 32 addresses, of which 30 are usable; the remaining two are the network address and the broadcast address. Hence the details are:
32 addresses need 5 host bits, since 2^5 = 32, so the prefix length required is 32 - 5 = /27 (subnet mask 255.255.255.224).
Network address: 192.168.110.0/27
First usable IP address: 192.168.110.1
Last usable IP address: 192.168.110.30
Broadcast Address: 192.168.110.31
Subnet 2 (Admin Department):
This department also has 15 members, so we again allocate 30 usable addresses (32 in total). The subnet calculation is the same as above.
Network address: 192.168.110.32/27
First usable IP address: 192.168.110.33
Last usable IP address: 192.168.110.62
Broadcast address: 192.168.110.63
Subnet 3 (Internal Servers):
There are only two internal servers at present, but more may be added in the future. If we took only four addresses for the subnet, just two of them could be used for devices. Hence we take 8 addresses each for subnets 3 and 4, giving six addresses that can be assigned to devices in each.
8 addresses need 3 host bits, since 2^3 = 8, so the prefix length required is 32 - 3 = /29 (subnet mask 255.255.255.248).
Network address: 192.168.110.64/29
First usable IP address: 192.168.110.65
Last usable IP address: 192.168.110.70
Broadcast address: 192.168.110.71
Subnet 4 (External Server):
As there are only two external servers, we allocate a subnet of the same size as subnet 3.
Network Address: 192.168.110.72/29
First usable IP address: 192.168.110.73
Last usable IP address: 192.168.110.78
Broadcast address: 192.168.110.79
Subnet 5 (Production department):
As there are 10 devices, we allocate 14 usable addresses for this subnet, i.e. 16 addresses in total including the network and broadcast addresses.
16 addresses need 4 host bits, since 2^4 = 16, so the prefix length required is 32 - 4 = /28 (subnet mask 255.255.255.240).
Network address: 192.168.110.80/28
First usable IP address: 192.168.110.81
Last usable IP address: 192.168.110.94
Broadcast address: 192.168.110.95
The subnetting table for XYZ is given below:
| Subnet | Network Address | Subnet Mask | First Usable IP Address | Last Usable IP Address | Broadcast Address |
| 1 (Sales) | 192.168.110.0/27 | 255.255.255.224 | 192.168.110.1 | 192.168.110.30 | 192.168.110.31 |
| 2 (Admin) | 192.168.110.32/27 | 255.255.255.224 | 192.168.110.33 | 192.168.110.62 | 192.168.110.63 |
| 3 (Internal servers) | 192.168.110.64/29 | 255.255.255.248 | 192.168.110.65 | 192.168.110.70 | 192.168.110.71 |
| 4 (External servers) | 192.168.110.72/29 | 255.255.255.248 | 192.168.110.73 | 192.168.110.78 | 192.168.110.79 |
| 5 (Production) | 192.168.110.80/28 | 255.255.255.240 | 192.168.110.81 | 192.168.110.94 | 192.168.110.95 |
The addressing table for the network is given below:
| Device | Interface | IP Address | Subnet Mask | Default Gateway |
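The subnet calculations above can be checked mechanically. The following is an added example (not part of the original design document) that carves the five subnets out of 192.168.110.0/24 in the order the plan allocates them, using Python's standard ipaddress module. It aligns each block to its own size, refuses any block that would fall outside the parent, verifies that no two subnets overlap, and normalises a CIDR string that still carries host bits (as the public block 184.108.40.206/27 does) to its true network address. The usable-host counts in XYZ_PLAN are taken from the text; the function and variable names are this example's own.

```python
"""VLSM allocation and verification for the XYZ private block (added example)."""
import ipaddress
from typing import NamedTuple


class Allocation(NamedTuple):
    name: str
    network: ipaddress.IPv4Network


def prefix_for_usable_hosts(usable: int) -> int:
    """Smallest prefix length whose block leaves at least `usable` host
    addresses after removing the network and broadcast addresses."""
    host_bits = 2                        # /30 is the smallest block with usable hosts
    while (2 ** host_bits) - 2 < usable:
        host_bits += 1
    return 32 - host_bits


def allocate(parent: ipaddress.IPv4Network, plan) -> list:
    """Carve subnets out of `parent` in the order listed in `plan`.

    `plan` is a list of (name, usable_hosts_wanted). A block must start on a
    multiple of its own size, so the cursor is rounded up to the next aligned
    address before each block is placed. A block that would fall outside
    `parent` raises ValueError instead of silently spilling into another network.
    """
    allocations = []
    cursor = int(parent.network_address)
    for name, usable in plan:
        prefix = prefix_for_usable_hosts(usable)
        size = 2 ** (32 - prefix)
        cursor = -(-cursor // size) * size            # round up to alignment
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(cursor)}/{prefix}")
        if not net.subnet_of(parent):
            raise ValueError(f"{name}: {net} does not fit inside {parent}")
        allocations.append(Allocation(name, net))
        cursor += size
    return allocations


def describe(alloc: Allocation) -> dict:
    """One row of the subnetting table."""
    hosts = list(alloc.network.hosts())              # excludes network and broadcast
    return {
        "subnet": alloc.name,
        "network": str(alloc.network),
        "mask": str(alloc.network.netmask),
        "first": str(hosts[0]),
        "last": str(hosts[-1]),
        "broadcast": str(alloc.network.broadcast_address),
    }


def disjoint(allocations) -> bool:
    """True when no two allocated subnets overlap."""
    nets = [a.network for a in allocations]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


# Constructed from the text: the private block and the usable-host counts the
# plan reserves for each subnet, in the order the document allocates them.
PRIVATE_BLOCK = "192.168.110.0/24"
XYZ_PLAN = [
    ("Sales", 30),
    ("Admin", 30),
    ("Internal servers", 6),
    ("External servers", 6),
    ("Production", 14),
]


def xyz_table(parent: str = PRIVATE_BLOCK, plan=XYZ_PLAN) -> list:
    """Subnetting table rows for the given block and plan."""
    allocations = allocate(ipaddress.IPv4Network(parent), plan)
    if not disjoint(allocations):
        raise ValueError("overlapping subnets")
    return [describe(a) for a in allocations]


def network_of(cidr: str) -> str:
    """Normalise a CIDR string that may carry host bits (for example the public
    block as given, 184.108.40.206/27) to its true network address."""
    return str(ipaddress.IPv4Network(cidr, strict=False))


if __name__ == "__main__":
    for row in xyz_table():
        print(row)
    print(network_of("184.108.40.206/27"))
```

Running it reproduces the five rows of the subnetting table. Reordering the plan shows why alignment matters: placing a /29 first and a /27 second forces the /27 up to 192.168.110.32, leaving 24 addresses unused in between, which is why the plan allocates the two /27 blocks before the smaller ones.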
3. Essential Network Services
In this section we discuss two network services: access control and remote login into the network. We take them one by one.
Access Control: Network security is very important for any organization, as many kinds of attack are possible over the network. Broadly, two categories of breach can happen. The first occurs when intranet policies are not enforced, for example inter-department access restrictions or restrictions on access to servers. The second is an attack from outside the organization, which mostly arrives over the internet (Le & Zidek, 2020).
For the first kind of breach, firewall rules must be in place at several points in the network, configured on the routers within the organization. Access restrictions between the two departments and the server subnets at the main office are enforced by rules on Sippy-R. Each rule specifies the protocol, the port, the source subnet and the destination subnet, together with the action to take. The production team's policy is enforced where Petrie traffic enters the network. Note that ISP-R is operated by the ISP, so unless XYZ has been given administrative control of it, these rules should be placed on Petrie-R (for traffic leaving the production subnet) and Sippy-R (for traffic entering the main office), which XYZ administers. Routers generally support firewall configuration through their management interface. Once the rules are deployed, each arriving packet is compared against them in order and the action specified by the first matching rule (accept or drop) is applied according to the organization's policy. The rule list should end with an explicit deny, so that any traffic the policy does not mention is dropped rather than forwarded by default.
For the second kind of breach, rules are needed at the perimeter, on the link between the organization and ISP-R. These cover traffic going out to the internet (so that confidential information is not sent out) and traffic coming into the organization from the internet (which could carry malware or ransomware). The same caveat applies: if XYZ cannot configure ISP-R, the perimeter rules go on the internet-facing interfaces of Sippy-R and Petrie-R.
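The rule matching just described can be modelled directly. The following is an added example, not part of the original design document and not the configuration syntax of any particular router: it represents the rules Sippy-R would hold as (action, protocol, source subnet, destination subnet, destination port) tuples, evaluates constructed sample packets first-match with an explicit default deny, and includes a check for shadowed rules, i.e. rules that can never fire because an earlier, broader rule already covers every packet they would match. The policy in RULES (admin may reach the internal servers over SSH, any subnet may reach the external servers over HTTPS, everything else between subnets is dropped) is an assumption chosen for illustration; the text does not specify the rules.

```python
"""First-match filtering model for the inter-subnet rules on Sippy-R (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subnets from the addressing plan.
SUBNETS = {
    "sales": ipaddress.IPv4Network("192.168.110.0/27"),
    "admin": ipaddress.IPv4Network("192.168.110.32/27"),
    "internal_servers": ipaddress.IPv4Network("192.168.110.64/29"),
    "external_servers": ipaddress.IPv4Network("192.168.110.72/29"),
    "production": ipaddress.IPv4Network("192.168.110.80/28"),
}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches every destination port

    def matches(self, proto: str, src_ip, dst_ip, dport: Optional[int]) -> bool:
        return (self.proto in ("any", proto)
                and src_ip in self.src
                and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match, this rule matches too."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and (self.dport is None or self.dport == other.dport))


# Hypothetical policy, assumed for illustration (the text does not specify it).
RULES = [
    Rule("permit", "tcp", SUBNETS["admin"], SUBNETS["internal_servers"], 22),
    Rule("permit", "tcp", ANY, SUBNETS["external_servers"], 443),
    Rule("deny", "any", ANY, ANY),      # explicit default deny: fail closed
]


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, index of the matching rule). First match wins, as on a
    router; a packet that matches no rule is denied (implicit deny)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, rule in enumerate(rules):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, i
    return "deny", None


def shadowed(rules) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them.
    A permit hidden behind a broad deny (or a deny hidden behind a broad permit)
    is a common misconfiguration; run this before deploying a rule list."""
    return [i for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]


# Constructed sample traffic: (protocol, source, destination, destination port).
SAMPLE_PACKETS = [
    ("tcp", "192.168.110.40", "192.168.110.66", 22),   # admin -> internal server, SSH
    ("tcp", "192.168.110.5", "192.168.110.66", 22),    # sales -> internal server, SSH
    ("tcp", "192.168.110.85", "192.168.110.74", 443),  # production -> external server, HTTPS
    ("tcp", "192.168.110.5", "192.168.110.74", 80),    # sales -> external server, HTTP
]


def decisions(rules=RULES) -> List[str]:
    """Action taken for each sample packet under the given rule list."""
    return [evaluate(rules, *pkt)[0] for pkt in SAMPLE_PACKETS]


# The same rules with the default deny moved to the top: both permits are now dead.
MISORDERED = [RULES[2], RULES[0], RULES[1]]

if __name__ == "__main__":
    print(decisions())               # ['permit', 'deny', 'permit', 'deny']
    print(shadowed(RULES))           # []
    print(shadowed(MISORDERED))      # [1, 2]
```

The ordering point is the one to carry over to a real router: access lists are evaluated top to bottom and stop at the first hit, so a catch-all deny placed before the permits silently blocks everything, and `shadowed` is the kind of check to run against the rule list before it is pushed to Sippy-R.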
Remote Login: Organizations often require employees to work from home for various reasons. If this is not implemented with the required security, it can be a great risk to the organization. As the connection to the office network is made from a public network, we must be sure that the devices that connect are known and trusted. If random devices are allowed to connect without validation, the resources on the network are exposed to whoever controls that device, which could lead to many forms of attack (Thanh Hai, 2021).
Two measures can be combined to let staff connect to the internal network safely. The first is allow-listing the MAC addresses of employees' devices, so that only a known set of devices can connect. Although this seems like a good approach, it is not sufficient on its own: MAC addresses can be spoofed by an attacker, and a MAC address is only visible on the local link, so a device connecting from home over the internet does not present its MAC address to the office network at all; device identity for remote access has to be something the remote-access endpoint can verify, such as a device certificate. For additional security, staff must also be required to present secret credentials. These credentials must be kept confidential by the staff, and the subnet a user is placed in is decided from the authenticated identity. This prevents staff from one department from joining any subnet other than their own department's.
Avin, C., Hercules, A., Loukas, A., & Schmid, S. (2018). rDAN: Toward robust demand-aware network designs. Information Processing Letters, 133, 5-9.
Chen, K., Xu, S., & Haralambides, H. (2020). Determining hub port locations and feeder network designs: The case of China-West Africa trade. Transport Policy, 86, 9-22.
Le, N. D., & Zidek, J. V. (2020). Network designs for monitoring multivariate random spatial fields. In Recent advances in statistics and probability (pp. 191-206). De Gruyter.
Róka, R. (2021). An Effective Evaluation of Wavelength Scheduling for Various WDM-PON Network Designs with Traffic Protection Provision. Symmetry, 13(8), 1540.
Thanh Hai, D. (2021). The Achilles Heel of Some Optical Network Designs and Performance Comparisons. arXiv e-prints, arXiv-2105.