This was old info, please see http://wiki.lvl1.org/Network instead.

Some thoughts I had based on some of the discussion on the mailing list. I thought I should write down what I had seen thus far. This is editable by anyone, so feel free to change/fix/modify however you see fit. The Google Doc at the bottom of the page has this all roughly drawn out, and can also be edited.
The basic logic is this:

A 1U server acts as the main firewall (running pfSense, since it offers flexibility with an easy-to-use web interface), with a single connection to a managed switch (this implies the switch supports 802.1Q VLANs; something like a Cisco would be perfect).

The managed switch has numerous ports, with at least one port assigned to each VLAN:

VLAN1 - Unused master VLAN, for network admin troubleshooting only. VLAN 1 is the factory default for every port and, on Cisco gear, the default native (untagged) VLAN on trunks, so untagged frames and switch control traffic end up there. A better habit is to put nothing on VLAN 1 at all and to move the native VLAN of every trunk to an otherwise unused VLAN.

VLAN2 - Default LAN, unsecured Wifi, unfettered access to the internet

VLAN10 - WAN1, attached to the internet

VLAN11 - WAN2, attached to backup internet, if available

VLAN20 - 'Bordertown', a lawless unsecured network for testing security/vulnerable machines, with limited access to the web

VLAN30 - LVL1 Infrastructure, where the internal LVL1 servers, routers and equipment will be. Secured from both the LAN and Bordertown networks, and has inbound services from the WAN

The switch port connected to the firewall has 802.1Q trunking enabled, so the router sees every VLAN, tagged, on one cable and can create a virtual interface per VLAN (in pfSense this is the VLANs tab under interface assignments, on the NIC that faces the trunk) and do its firewalling between them.

Servers can either be physically plugged into access ports assigned to VLAN30, or run as VMs on a single host whose switch port is also a trunk, so each VM can be placed on any available network. Limit the VLANs allowed on that trunk to the ones the VM host actually needs: anything behind a trunk port can tag frames for any VLAN the trunk carries.


This gets around having to figure out how to cram 5+ NICs into a single router box, plus having 4+ separate switches (although the diagram shows a separate switch for each VLAN, this is not needed). Let the switch handle most of the traffic! Plus this will be an awesome demonstration of what VLANs can do.
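The switch side of this design, written out as an added example; this is not configuration from the page or from LVL1's actual switch. It assumes a Cisco Catalyst running IOS with ports Gi0/1 to Gi0/24, a throwaway VLAN 999 used only as the trunks' native VLAN, and a management address of 10.30.0.2/24 on VLAN 30; the port assignments and addresses are all assumptions chosen to match the VLAN list above.

```cisco
! VLANs from the design. VLAN 1 is left unused; VLAN 999 is a dead
! VLAN that only exists to be the native VLAN on trunks (assumption).
vlan 2
 name LAN
vlan 10
 name WAN1
vlan 11
 name WAN2
vlan 20
 name Bordertown
vlan 30
 name Infrastructure
vlan 999
 name Native-Unused
!
! No address on VLAN 1; the switch is managed from the infrastructure VLAN.
interface Vlan1
 no ip address
 shutdown
interface Vlan30
 description Switch management (address is an assumption)
 ip address 10.30.0.2 255.255.255.0
!
! Single trunk to the pfSense firewall, carrying every VLAN.
! "encapsulation dot1q" is only accepted on models that also speak ISL;
! on dot1q-only models omit that line.
interface GigabitEthernet0/1
 description Trunk to pfSense firewall
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,10,11,20,30
 switchport mode trunk
 switchport nonegotiate
!
! Trunk to the virtualization host: only the VLANs VMs may live on,
! never the WAN VLANs.
interface GigabitEthernet0/2
 description Trunk to VM host
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,20,30
 switchport mode trunk
 switchport nonegotiate
!
! One access port per VLAN (add more as needed).
interface GigabitEthernet0/3
 description ISP1 modem (WAN1)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface GigabitEthernet0/4
 description ISP2 modem (WAN2)
 switchport mode access
 switchport access vlan 11
 switchport nonegotiate
interface GigabitEthernet0/5
 description Open Wifi AP (LAN)
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 spanning-tree portfast
interface GigabitEthernet0/6
 description Bordertown vulnerable boxes
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
interface GigabitEthernet0/7
 description Infrastructure server
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 spanning-tree portfast
!
! Every remaining port: parked in the dead VLAN and shut down until needed.
interface range GigabitEthernet0/8 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

On the pfSense side the NIC plugged into Gi0/1 gets one VLAN interface per tag (2, 10, 11, 20, 30) and the firewall rules live on those. Two lines matter for security here because the WAN modems and the Bordertown boxes share one switch with the infrastructure VLAN: `switchport nonegotiate` turns off DTP so a host cannot talk its port into becoming a trunk, and moving the native VLAN to the unused 999 means a double-tagged frame from a host has nowhere to land.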
https://docs.google.com/drawings/edit?id=1FUTczM_kD1f7YNd-aFeV5x9kdD6ZJHOh5U72SOuVWRo&hl=en&authkey=CLn7sZIG