YBET computer shop and training centre

The Hardware 2 course: network, servers and communication (YBET)

13. Exercise: structure of a corporate network

Corporate network architecture

13.1. The exercise - 13.2. Global architecture of the network - 13.3. Connection of the Administration and Commercial departments - 13.4. Connection building 1: Manufacturing - Orders - 13.5. Global connection of the network - 13.6. Another point of view: mixing protocols on the network - 13.7. Errors and remarks from the examination

13.1. The exercise

This is the 2002-2003 examination of the second-year Hardware course. Since theory without practice is of little use, let us look at a concrete case: the architecture of a network installation (the equipment to be implemented) in a company. The examination is done with access to the course. We will use the following chapters.

Ethernet concentrators (hub, switch, router): Hardware 2 chapter 5

Specificities of server computers: Hardware 2 chapter 7

Network storage and backup: Hardware 2 chapter 9

Remote connection, security and sharing: Hardware 2 chapter 10

Wireless networks: Hardware 2 chapter 11

Electrical protection, UPS: Hardware 2 chapter 12

This covers practically the whole of the Hardware 2 course, except the configuration of the network equipment. Chapter 17 was used as the examination for the year 2001-2002.


The question of the exercise

Two buildings 80 metres apart are to be connected (unfortunately, a road runs between them). Each building has two floors, with a different department on each (four departments in all). I absolutely want hardware-level security so that a PC in one department cannot connect to another department (except by authorization per workstation). In practice this hardware protection will be combined with the software protections covered in the other courses of the "PC/network technician" programme.

The departments are:

1. Building 1: 80 manufacturing PCs (no Internet access) and 1 server with dedicated software. Maximum distance to the server 100 metres. We will call this department Manufacturing. It covers manufacturing, stock, transport management... It is the department to be protected: a one-hour factory stoppage costs the company far more than a two-day stoppage of accounting.

2. Building 1: 10 sales PCs for order-taking and 1 dedicated server. Some of them may access the services of the Manufacturing server. Radius 30 metres. No Internet access and no access to building 2. We will call this department Orders.

3. Building 2: 10 administrative PCs (management, accounting...) within a radius of 30 metres. We will call this the Administration department.

4. Building 2: 10 sales PCs and miscellaneous services within a radius of 30 metres. We will call this the Commercial department.

Building 2 houses a small file server (Word, Excel documents...) and an application server (accounting), called the administrative server. Some PCs may access the order-management server. Building 2 (Administration and Commercial) must have secured Internet access via an ADSL line. It must be possible for the commercial staff to connect to the company's server remotely via the Internet.

I am not talking about security through passwords, but about TCP/IP configuration and network hardware. It is definitely safer, even though user passwords are far from optional.

Give the diagram of the installation showing the servers, the concentrators used (hub, switch, router, number of ports), the types of connection, straight or crossover cables... If you use a hub or a switch, explain why. I do not explicitly ask for the make and model of each concentrator. But be careful: does an 80-port switch exist, is it current, is it manageable?

The installation of the network must be complete; think of the protective measures of the installation (electrical protection, backup) and of the types of servers used. Since network equipment can fail, the hardware must be standardized (for example the switches) so that a minimum of spare equipment is needed: as many identical concentrators as possible, so that a single replacement unit can serve the whole company. I do not ask for the configuration of the devices, just the structure of the Ethernet network.

Do not worry too much about the budget, but choose the characteristics as a responsible IT manager would (no need for Gigabit Ethernet over optical fibre to connect the workstations).


13.2. Global architecture

To make the installation architecture easier to design, let us look at the devices to be implemented. The following drawings will be used to make the analysis of the overall network diagram easier.

Server

Ethernet switch or hub (here a D-Link DES-1024D, 24 ports 10/100)

Manageable switch: authorizes (or blocks) certain PC-to-PC connections (or rather connections between groups of PCs), in addition to the user session passwords managed by the operating system

Here a D-Link DGS-3224, 20 ports 10/100 and 2 Gigabit 1000BASE-T (copper) ports

Wireless router, usable as a router and as a bridge. In our case a simple wireless switch could be used.

A crossover RJ45 cable

ADSL modem-router, here a Tornado CopperJet 812. It can be used as a simple modem in bridge mode

A VPN firewall (here a Symantec 100 series) provides sharing of the Internet connection and access from outside to the corporate network

Router with integrated firewall: allows protected connections by blocking certain ports and/or certain address ranges.

A simple router

NAS (here a low-cost Iomega 300 series)

A department with its PCs

UPS (here an APC 420 W, a little weak for a server): electrical protection

SDLT tape backup (here Quantum models)

Let us analyse the problem according to its different parts and the authorized directions of communication. This divides the problem and roughly plans the devices to be used at the connection, routing and security levels.

The Administration and Commercial departments are not very different. Both use the Internet (they are the only ones to do so) and the same servers (a file server and a small application server). On the other hand, an Administration computer must be able to connect to the Orders department (but not to Manufacturing), whereas the Commercial department must in no case connect to the Orders or Manufacturing departments. Access from the Internet to the servers of building 2 (Administration and Commercial) forces us to use a VPN firewall for the Internet connection (here a Symantec 100 series) and an ADSL modem (here a Tornado 812 used in bridge mode, see chapter 17). With the 20 computers of building 2, a very powerful device is not needed, but a sufficiently protected one is. As access from outside is possible, the connection must have a fixed IP address. This gives us a good working diagram for the connections.

Authorized communications (even with some blocking) are shown in black, those that should be blocked in red. This gives a good idea of the overall structure of the installation. The road between the two buildings prevents a copper or optical-fibre connection. We will have to use a wireless link, 802.11b at 11 Mb/s (possibly 802.11b+ at 22 Mb/s). As communication speeds are not critical, 100BASE-T (possibly 1000BASE-T for the servers) is sufficient for the whole network.

13.3. Connection of the Administration and Commercial departments

The connection between Administration and Commercial must let certain communications through (but not all). Moreover, they use the same servers. We can either use two different address classes (hence routers to connect the 2 departments), or a manageable switch (which blocks or authorizes certain connections) with a single class of IP addresses. Using 2 routers for this communication makes the configuration much heavier. We choose the solution with the same address class (for example 192.168.10.X) for both departments and block accesses at the level of a manageable switch.

The departments use an application server and a small file server. For the file server, to reduce costs, let us use a NAS. As we must connect 20 PCs + 1 server + 1 NAS + 1 link to building 1, the device shown (20 ports + 2 Gigabit) would be insufficient, but we can add an 8-port switch. NAS units are seldom 1000BASE-T.

For the connection to the second building we must use a wireless link. As building 2 may connect to the Orders department (not to Manufacturing), we will use different address classes for building 1. This requires a router. As the link must be protected (blocked from building 1 toward building 2), plus the prohibition of Internet connections toward building 2, let us use a router-firewall and an 802.11b router in bridge mode. In this case the firewall will not be used to block ports: on an internal network the dynamic ports (1024 - 65535) are used randomly for the internal communications, so we cannot block them. We will only block communications by address ranges, for example to block communications from the VPN's IP address toward building 2.

Another solution for blocking Manufacturing - Administration access would be to protect the wireless network by filtering on the MAC addresses of the Administration department's computers.

Here is our hardware network diagram for building 2.

13.4. Connection building 1: Manufacturing - Orders

Communications from Manufacturing toward Orders are prohibited. Only communications from Orders toward Manufacturing are authorized (with some restrictions). Again we have 2 possible uses of the IP address classes: either two different classes with a router, or the same address class with a manageable switch (your choice).

Case 1: use of 2 different address classes.

Using a router (and thus 2 address classes) increases security. A router with firewall is not mandatory, since bidirectional communication would require two routers whereas we only use communication from Orders toward Manufacturing. This already prevents the factory from connecting toward the Orders department. As a reminder, security from the Internet is already ensured by the VPN and the firewall placed at the exit of the administrative building toward the WiFi router. Likewise, for the communications from building 1 toward building 2, we can either use a WiFi router in bridge mode and a firewall (case below), or a WiFi router without firewall. Security is in any case ensured by the firewall on the other side of the wireless link.

The number of 24-port switches for the Manufacturing part was deliberately reduced for the clarity of the diagram. We would need at least 4 of them, or even 5 to have spare lines. A single 96-port switch could cause cable-length problems, and if this single device failed, all of Manufacturing would be stopped. Using several 24-port switches makes it possible to keep 1 spare for the whole building.

As a reminder, the number of hubs (less of a constraint for switches) between 2 PCs in 100BASE-T is limited to a maximum of 2 (even if more are often used); the Manufacturing server must be connected on the first Manufacturing switch.

A router-firewall between the switch and the 802.11b WiFi link is not necessary if a firewall is installed on the other side. The two would be redundant (which is not too serious) but would require a more complex configuration of the infrastructure.

Case 2: use of the same address class with a manageable switch.

In this case all the PCs are in the same address class, a router (or router-firewall) is no longer needed between the two departments, and it is the manageable switch that accepts or blocks the communications. In this case (and contrary to the preceding solution), communications between the Orders PCs and the Manufacturing PCs can be blocked at the hardware level.

This solution is definitely more expensive (but protected). It nevertheless makes it possible to connect the servers in 1000BASE-T on the manageable switch. The distances between PCs, servers and concentrators are respected, since in both 100BASE-T and 1000BASE-T the maximum distance is 100 metres. As a reminder, manageable switches generally work with MAC addresses. When a PC fails and is swapped for a standard replacement (what is done in practice to minimize downtime), the switch may have to be reprogrammed. This is not necessarily within the skills of all the factory maintenance staff (not counting the administrator passwords needed to configure the switch). On the other hand, some models accept grouping of stations according to the IGMP protocol.

13.5. Global connection of the network

It only remains to connect the 2 corporate networks, to position our protective measures (UPS and backup) and to choose the servers.

The servers used for building 2 and for Orders are in fact small servers. On the other hand, the Manufacturing server is a powerful dual-processor application server (with dedicated software). For data security we use SCSI RAID 1 or, better, RAID 5 servers. The bigger the processor, the more it consumes. The UPS (preferably on-line type) must be sized accordingly. As a reminder, UPS power = server consumption x 1.6. For a server consuming 800 W (screen included), the UPS power is thus 800 x 1.6 = 1280 W.

For data backup we will use DAT or Super DLT tapes, for the capacities of these technologies but also for their backup speed.

We could also add small UPS units on the diagrams for certain workstations or concentrators, according to the company's wishes.

13.6. Another point of view on this connection: mixing protocols.

In the designs above we used exclusively the TCP/IP protocol. There are 2 others: IPX and NetBEUI. NetBEUI is not routable; IPX (used mainly by Novell networks) is. The following diagram mixes the protocols. To reach a server, a PC must use the same protocol (but it can use several at the same time).

In the case of administrative building 2, as the Internet is used, TCP/IP is mandatory. On the other hand, in building 1 (Orders and Manufacturing), the Internet is forbidden both outgoing and incoming (intrusion). We clearly reduce the number of devices by using only IPX in building 1, while in building 2 the PCs that must connect to the Orders part use both IPX and TCP/IP. This way of proceeding blocks all direct intrusion attempts from the Internet toward building 1. On the other hand, the connection from the Orders department toward Manufacturing (and vice versa) will only be blocked by session rights, and communications will also be able to pass from building 1 toward the IPX PCs of building 2. It is enough to block IPX shares in building 2.

In this case, we replace the manageable switch by a simple switch (identical to the others used on the whole network) and there is no longer any firewall on the whole network (apart from the VPN for the Internet). This solution is not to be considered for a factory of 500 PCs, but it suits medium-sized structures. Users of Novell networks will probably favour this solution.

13.7. Errors and remarks from the examination

After marking, I go back over the errors in the network architectures. Some remarks and errors from the examination are taken up here.

  1. Network of building 2: 2 different IP address classes for Administration and Commercial, both connected on the inside port of the VPN (correct for the Internet connection) but with no router between the two. As a result, no interconnection between the 2 groups of computers and, more seriously, only 1 of the 2 departments will have access to the server and the NAS. In short, the network infrastructure of building 2 does not work.
  2. 2 different address classes for Orders and Manufacturing. The Orders PCs connected on a 16-port router (I am not sure that exists), connected on an 8-port hub which is connected on 5 24-port hubs for Manufacturing. As the Manufacturing server runs a dedicated application, it is assumed that the PCs will not connect to each other but all to the server in turn, with some collision problems (the server answers each one in turn, which can be correct). On the other hand, using a hub as the bridgehead between the Orders router and the various Manufacturing hubs will directly slow down the whole network.
  3. Use of 2 firewalls (1 on each side of the wireless bridge), making the configuration of the network architecture more complex.
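As an added example (not code from the YBET course), the following Python model reproduces the address-class reasoning of 13.3 and 13.4 and the first examination error above: the segments, hosts, addresses and router rules are all constructed, and reachable() says whether one department can reach another under a given design.

```python
import ipaddress

# Added example, not from the YBET course. Hosts sit on a switch segment with an
# IP/prefix. Same segment and same subnet talk directly (a managed switch may
# still block them); otherwise a router joining both segments is needed, and its
# rules (src_net, dst_net, permit) apply first-match, default permit. One hop.
def permitted(rules, sip, dip):
    for src_net, dst_net, permit in rules:
        if sip in ipaddress.ip_network(src_net) and dip in ipaddress.ip_network(dst_net):
            return permit
    return True

class Network:
    def __init__(self, switch_rules=()):
        self.hosts, self.routers = {}, []
        self.switch_rules = list(switch_rules)

    def host(self, name, segment, cidr):
        self.hosts[name] = (segment, ipaddress.ip_interface(cidr))
    def router(self, segments, rules=()):
        self.routers.append((set(segments), list(rules)))

    def reachable(self, src, dst):
        sseg, sif = self.hosts[src]
        dseg, dif = self.hosts[dst]
        if sseg == dseg and sif.network == dif.network:
            return permitted(self.switch_rules, sif.ip, dif.ip)
        for segs, rules in self.routers:
            if sseg in segs and dseg in segs:
                return permitted(rules, sif.ip, dif.ip)
        return False  # different subnets and no router between them

# Exam error 1 (13.7): two IP classes on one switch in building 2, no router.
def exam_error_design():
    n = Network()
    n.host("admin_pc", "b2", "192.168.10.11/24")
    n.host("commercial_pc", "b2", "192.168.20.11/24")
    n.host("nas", "b2", "192.168.10.50/24")
    return n

# Design of 13.3/13.4: one class in building 2, blocking by address range on the
# router-firewall toward building 1 (all addresses here are constructed).
def proposed_design():
    n = Network()
    n.host("admin_pc", "b2", "192.168.10.11/24")        # admin in 192.168.10.0/25
    n.host("commercial_pc", "b2", "192.168.10.140/24")  # commercial in .128/25
    n.host("nas", "b2", "192.168.10.50/24")
    n.host("orders_pc", "b1o", "192.168.20.11/24")
    n.host("manufacture_pc", "b1m", "192.168.30.11/24")
    n.router(["b2", "b1o"], [
        ("192.168.10.128/25", "192.168.20.0/24", False),  # commercial -> orders
        ("192.168.20.0/24", "192.168.10.0/24", False),    # building 1 -> 2
    ])
    n.router(["b1o", "b1m"], [("192.168.30.0/24", "192.168.20.0/24", False)])
    return n
```

In the erroneous design only the Administration class reaches the NAS, while the proposed design lets both building 2 departments use the shared servers and enforces the one-way Orders to Manufacturing rule.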


© YBET data processing 2006