Skip to content

Latest commit

 

History

History
189 lines (133 loc) · 8.54 KB

logical_layout.adoc

File metadata and controls

189 lines (133 loc) · 8.54 KB

Logical Network Layout

This document describes the configuration of the active network components.

Stacking

To provide building-to-building connectivity, we use the stacking features of the DGS-3130 series switches. Those switches have 10GBit ports that can be put into a special mode, where they function as a transparent bus between up to 9 switches of that series.

The set of switches connected in that way is referred to as a stack. From the administrators point of view, the switches participating in a stack can be configured as one entity, by connecting to the designated master switch only. The port addressing includes not only the port number, but also the stack ID of the switch they belong to. This ID is configured explicitly before adding a switch to the stack.

Stack ID Location Stack Priority Linked Switches (Stack ID)

1

Local Elec C (Tines 5C)

TBD

4,2

2

TBD

1,7

4

Local Elec A (Tines 3C)

TBD

1,5

5

TBD

4,7

7

Local Elec B (Tines 1)

TBD

2,5

Virtual Local Area Networks (VLANs)

To isolate devices and allow only specific communication relations, while installing only a minimum of physical links (thus reducing costs), it is common practice to define so-called VLANs.

The simplest implementation of this concept is to assign specific switch ports to logical layer 2 local networks. Only ports assigned to the same logical network (VLAN) are visible to each other. To distinguish those VLANs, they are identified by numbers (VLAN IDs).

More advanced concepts exist, to simplify the configuration of typical application scenarios and network topologies. We use two of those, that are implemented by D-Link managed switches:

Both variants allow connectivity between two sets of ports but without implicitly connecting the ports within one of those sets. This is sometimes called the "hotel setup".

VLAN ID assignment

Packets are assigned to specific VLANs by 'tagging' them with a special layer 2 packet header, containing the VLAN ID. In most cases, this happens when untagged ("normal") packets enter a specific switch port that is configured as an "access" or "host" port. They carry that VLAN ID when passing though the switch fabric but loose them as soon as they exit the switch via another access port.

Switch ports can also be configured as "trunk" ports. Those ports only accept or output tagged packets, untouched. That way they can travel to another switch or router, where they are still identifiable with respect to the VLAN they belong to.

VLAN ID numbering

Derived from our physical network layout and the need to effectively separate most devices from each other, we define VLAN IDs as follows:

VLAN ID Purpose

1

default: inter-switch protocols, administration (only)

11

shared internet: Swisscom VLAN for Init7 traffic

100

technical monitoring: uplink to modem with 13 static public IPs { IPP0 .. IPP12 }, also including masquerading NAT + DHCP router

20n

technical monitoring: devices configured for public static IPPn with n = { 1 .. 12 }

4nn

technical monitoring: devices in separate DHCP enabled IPv4 subnets behind masquerading NAT + DHCP router

2000

shared internet: uplink to modem / router for community uplink with public dynamic IP / primary of private VLAN

2100

shared internet: all rooms eligible for community access / isolated of private VLAN

2200

public services (servers)

2300

boisrond WiFi

Management and services

Technical IP subnets

To isolate the DHCP-assigned monitoring devices, each gets its own address range in its own subnet. For simplicity and maximum compatibility, we use class-C subnets even though they only need a single address. The gateway (Edge Router X) has the .1 address in each subnet. The range reserved for DHCP starts from .128.

Device IP subnet VLAN ID

Neovac MCR C

192.168.10.0/24

410

Neovac MCR B

192.168.11.0/24

411

Neovac MCR A1

192.168.12.0/24

412

Neovac MCR A3

192.168.13.0/24

413

Photovoltaique Local Elec C

192.168.20.0/24

420

Photovoltaique Local Elec B

192.168.21.0/24

421

Photovoltaique Local SIN B

192.168.22.0/24

422

Photovoltaique Local Elec A

192.168.23.0/24

423

Temporary / internal use

192.168.30.0/24

430

Sprinkler

192.168.40.0/24

440

e-mobility Local SIN B

192.168.50.0/24

450

e-mobility WiFi charging bots

192.168.51.0/24

451

e-mobility WiFi users

192.168.52.0/24

452

parking WiFi users

10.133.0.0/16

453

chaudières

192.168.60.0/24

460

Common IP subnets

Scope IP address/mask VLAN ID

Management (routers, switches, management services)

10.134.0.0/16

1 (default VLAN)

Shared internet clients routed to Init7 connection and public services

10.133.0.0/16

DHCP ⇒ 10.133.32.1 …​ 10.133.255.254

2000, 2100

Public services

10.132.0.0/16

2200

boisrond WiFi

10.136.0.0/16

2300

Devices

Device(s) Location IP address/mask VLAN ID

NetPlus Modem

Local Elec C (Tines 5C)

bridge

100

DGS-3130 Stack ID 1

10.134.0.1/24

1

DGS-3130 Stack ID 2

10.134.0.2/24

DGS-1210-16

10.134.0.151/24

Edge Router X

10.134.0.152/24

192.168.x.y

4nn

NetPlus static

100

Nokia XS-010X-Q

Local Elec A (Tines 3C)

bridge

11

Mikrotik CCR2004 router

10.133.0.1/16

2000

10.132.0.1/16

2200

10.136.0./16

2300

Init7 DHCP

-

DGS-3130 Stack ID 4

10.134.0.4/24

1

DGS-3130 Stack ID 5

10.134.0.5/24

DGS-1210-16

10.134.0.131/24

Auth (Banana PI M1, server)

10.134.0.132/24

10.132.0.132/16

2200

Services (Raspberry Pi 4, server)

10.134.0.133/16

1

10.132.0.133/16

2200

Archer C80 (WiFi router, boisrond)

10.136.x.y/16 DHCP

2300

DGS-3130 Stack ID 7

Local Elec B (Tines 1)

10.134.0.7/24

1

DGS-1210-16

10.134.0.111/24

RB260GSP

Local SIN B

DHCP / check on Edge Router X

bridge

450

DAP-2610

Parking

10.134.0.112/24

1

bridge

451

452

453

Primary router (Mikrotik CCR2004, building A)

Connections

  • Init7 network (internet) via the Nokia XS-010X-Q bridge. It gets a public IP via DHCP for that interface.

  • internet clients on the isolated VLAN via the main switches.

  • public servers via the services network / VLAN.

Technical router (Edge router X, building C)

Connections

  • NetPlus network (internet) via a bridge from NetPlus. It has a public static IP in a /28 subnet.

  • technical devices, via dedicated VLANs via the main switches

  • management network on the default VLAN

User Authentication

A server "auth" is envisioned to manage VPN users and 802.1X authentication. This server will be available in the management VLAN (to authenticate VPN users) and in the primary VLAN of the shared internet private VLAN (for WPA2-Enterprise access). It has multiple logical interfaces for its single physical connector.

This device will also provide backup storage for the "services" server.

Services

For various community services, a "services" server is present in the services subnet / VLAN.

This device will also provide backup storage for the "auth" server.