The network includes multiple VLANs and therefore multiple IP subnets. Private IP addresses, in the 10.0.0.0 range, will be used. Network Address Translation (NAT) will be used on the Toronto office perimeter firewall and on the Seattle office perimeter router.

Head-Office IP Addressing and Routing Protocol

The head office needs the following three registered IP addresses:
The perimeter firewall in Toronto has five subnets: one to the Internet, one to the mail relay server, two to the VPN concentrator, and one to the internal network. The servers in the head office will all be in one VLAN, which will be configured as a private VLAN. As explained in Chapter 2, "Switching Design," a private VLAN ensures that if one server is compromised, the hacker would not be able to directly attack the other servers, because traffic between them is restricted by the switch. All VPN tunnels to the head office will be on one subnet, in the private 10.0.0.0 range. The VPN concentrator assigns the address that the VPN client will use on the VPN tunnel after it connects. The VPN concentrator keeps track of the addresses (the Outside Global address to Outside Local address translation). IP phone voice traffic will be put on a separate VLAN from the data traffic. Each VLAN will be present in only one access layer switch, to limit the size of the broadcast domain and eliminate Layer 2 topological loops. Because the private 10.0.0.0 addresses are being used, many host bits are available for subnetting. Thus, large ranges can be used to allow easy subnet calculations and future growth. Table 12-1 provides the subnet allocations.
The Dynamic Host Configuration Protocol (DHCP) assigns dynamic IP addressing information to users' laptops when they require it. DHCP server functionality will be provided by the collapsed backbone Layer 3 switches and the branch-office router. The Enhanced Interior Gateway Routing Protocol (EIGRP) is chosen as the routing protocol for the new network because of its flexibility, fast convergence, simple configuration, and scalability features.

Branch-Office IP Addressing and Routing Protocol

The Seattle office router's external interface will have a static IP address assigned by its ISP. This router will have a static route to the head office subnets over a VPN tunnel; it will dynamically create a VPN tunnel when traffic is to be sent to the head office. This VPN is considered to be a LAN-to-LAN connection. The branch office is one VLAN. Branch users' laptops will use private addresses on the inside network. These private addresses will be translated by the edge router if the traffic is destined for an external network on the Internet. If the traffic is destined for the head office, the packets, including the private addresses, will be encapsulated inside the VPN tunnel. The servers within the branch office will also be configured on a private VLAN, to provide additional security.

Remote User IP Addressing and Routing Protocol

Remote users will be assigned an IP address, either from their HAN if they are located behind a router or firewall at home, or from their ISP if they connect directly to the Internet. The VPN concentrator assigns the address that the VPN client will use on the VPN tunnel after it connects.
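The subnet plan above has two properties worth checking mechanically: no head-office, branch or VPN-pool subnet may overlap another (packets cross the LAN-to-LAN tunnel with their private addresses untranslated, so an overlap would misroute them), and the Seattle router's static route should be a single summary that covers every head-office subnet without swallowing the branch's own LAN. The following is an added example, not from the book; Table 12-1 is not reproduced here, so the prefixes in PLAN are constructed placeholders.

```python
import ipaddress

# Constructed, hypothetical allocation in the style of Table 12-1 (not the
# book's actual values). Each VLAN gets a generous range inside 10.0.0.0/8.
RFC1918_10 = ipaddress.ip_network("10.0.0.0/8")
PLAN = {
    "toronto-servers":   "10.1.0.0/24",    # private VLAN for the servers
    "toronto-data-sw1":  "10.1.16.0/20",   # one data VLAN per access switch
    "toronto-data-sw2":  "10.1.32.0/20",
    "toronto-voice-sw1": "10.1.48.0/20",   # voice kept apart from data
    "toronto-voice-sw2": "10.1.64.0/20",
    "toronto-vpn-pool":  "10.1.200.0/22",  # handed out by the VPN concentrator
    "seattle-lan":       "10.2.0.0/24",    # the branch office is one VLAN
}
MIN_HOSTS = {"toronto-vpn-pool": 500, "seattle-lan": 100}  # assumed sizing


def check_plan(plan, min_hosts):
    """Return a list of design violations; an empty list means the plan is sound."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(RFC1918_10):
            problems.append(f"{name}: {net} is outside 10.0.0.0/8")
        if net.num_addresses - 2 < min_hosts.get(name, 0):
            problems.append(f"{name}: {net} has too few host addresses")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def head_office_summary(plan):
    """Smallest single prefix covering every head-office subnet: the one static
    route the Seattle router needs to point over the LAN-to-LAN tunnel."""
    nets = [ipaddress.ip_network(c) for n, c in plan.items() if n.startswith("toronto")]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()   # widen by one bit until all fit
    return summary


def summary_route_is_safe(plan):
    """The branch LAN must not fall inside the summary, or local traffic would be
    sent into the tunnel instead of being switched on the branch VLAN."""
    branch = ipaddress.ip_network(plan["seattle-lan"])
    return not branch.overlaps(head_office_summary(plan))
```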