Headquarters Infrastructure Initial Design and Implementation

Network and Security Engineer

Overview:

In November 2012, I joined K-SUN Sanat Iranian Co., a new company focused on producing high-quality computer accessories. My primary responsibility was to design and implement a network infrastructure for the company’s headquarters that would be scalable, secure, and capable of supporting both immediate operational needs and future growth. The project involved a comprehensive approach, covering the design and deployment of core and access layers, wireless LAN integrated with Active Directory, server virtualization using Hyper-V 2012, centralized storage, and advanced network monitoring. A critical aspect of this design was the efficient use of the HP ProLiant DL380 G7 server with RAID 10 for virtual machine (VM) storage and the Dell EMC VNX5200 SAN with RAID 5 as a dedicated file server. The infrastructure was meticulously designed to ensure robust security, high-speed connectivity, and efficient resource management, while also providing secure remote access for employees via VPN.

Objectives:

  • Scalable LAN Architecture: Build a network infrastructure that supports current operations and allows for seamless expansion.
  • High-Speed Connectivity: Implement reliable, high-speed network connectivity to support business-critical applications.
  • Network Security: Deploy robust firewall and endpoint protection to secure the network against internal and external threats.
  • Wireless Coverage: Provide comprehensive wireless coverage integrated with VLANs and Active Directory for secure, segmented access.
  • Centralized Storage: Utilize a SAN solution for centralized file storage and leverage local server storage for VM hosting.
  • Server Virtualization: Utilize Hyper-V 2012 to enhance resource management, flexibility, and server consolidation.
  • Hierarchical IP Addressing: Design a structured IP address plan to simplify management and accommodate future growth.
  • Network Monitoring: Deploy tools to proactively identify and resolve network issues.
  • Active Directory Environment: Establish a centralized authentication and authorization system through Active Directory.
  • Remote Access: Implement VPN services to securely support remote employees.

Technologies Used:

  • Servers: HP ProLiant DL380 G7, featuring dual Intel Xeon processors, 128 GB RAM, and RAID 10 storage for VM hosting.
  • Network Infrastructure: Cisco Catalyst 3850 switches for core routing and Cisco Catalyst 2960 switches for access layer connectivity, configured for high performance and redundancy.
  • Wireless LAN: Cisco Aironet 3600 Series access points managed by a Cisco 5508 Wireless LAN Controller, providing centralized management and comprehensive wireless coverage.
  • Security: Microsoft TMG 2010 firewall and Bitdefender GravityZone deployed on Hyper-V VMs, offering network security and endpoint protection.
  • Virtualization: Microsoft Hyper-V 2012, used to virtualize critical services including Active Directory Domain Services (AD DS), firewall, and network monitoring.
  • Storage:
    • SAN (Dell EMC VNX5200): Dedicated to serving as a centralized file server with RAID 5 for data redundancy and high availability.
    • Local Storage (HP ProLiant DL380 G7): Configured with RAID 10 for hosting VHDX files for virtual machines, optimized for performance and redundancy.
  • Monitoring: SolarWinds Network Performance Monitor (NPM) and SolarWinds Syslog Server for comprehensive network monitoring and logging.

Project Phases:

  1. Planning and Execution:
    • Conducted thorough requirements analysis and designed the network infrastructure to meet the current and future needs of K-SUN Sanat Iranian Co.
    • Coordinated with key stakeholders to ensure the design aligned with business objectives.
  2. IP Address Design:
    • Hierarchical Structure: The network was structured using the 172.16.0.0/16 IP range, with dedicated subnets for each department, simplifying management and supporting future scalability.
    • VLAN Subnets: Each VLAN was assigned a dedicated subnet, enhancing security and enabling efficient network expansion.
    • DHCP Configuration: DHCP servers were configured to manage dynamic IP assignments, with specific ranges reserved for static IPs used by critical infrastructure such as servers, printers, and network devices.
  3. LAN Technologies and Design:
    • Network Topology:
      • Two-Tier Architecture: Utilized a two-tier design with Cisco Catalyst 3850 switches at the core and Catalyst 2960 switches at the access layer, ensuring a clear separation of roles and streamlined management.
      • Core Layer (Catalyst 3850):
        • Layer 3 Switching: Supported inter-VLAN routing and core routing functions.
        • VRRP: Implemented for high availability by creating a virtual router for failover.
        • LACP: Used for link aggregation, increasing bandwidth and redundancy between switches.
      • Access Layer (Catalyst 2960):
        • Layer 2 Switching: Connected end devices with port security, DHCP snooping, and dynamic ARP inspection enabled for security.
        • PoE: Powered IP phones and wireless access points directly through network cables.
    • VLAN Segmentation:
      • Departmental VLANs: Segmented network traffic by department, improving security and reducing broadcast domains.
      • Inter-VLAN Routing: Handled by the Catalyst 3850 core switches, ensuring efficient traffic management.
      • VTP: Simplified VLAN management across switches.
      • 802.1Q VLAN Tagging: Enabled multiple VLANs over single physical links.
    • Spanning Tree Protocol (STP):
      • RSTP (802.1w): Ensured rapid convergence and loop prevention.
      • PVST+: Managed separate STP instances per VLAN, optimizing network performance.
      • Root Bridge: Strategically placed at the core for centralized traffic management.
    • EtherChannel and Link Aggregation:
      • EtherChannel: Combined multiple physical links into a single logical link, enhancing bandwidth and providing redundancy.
      • Load Balancing: Distributed traffic across aggregated links for efficient use of available bandwidth.
    • High Availability and Redundancy:
      • Redundant Power Supplies: Core and access switches equipped with redundant power supplies for continuous operation.
      • Dual-Homed Uplinks: Access switches connected to core switches via dual uplinks, ensuring connectivity even if one link failed.
      • Failover Testing: Regular testing of redundancy mechanisms to ensure reliable network operations.
    • Scalability and Future-Proofing:
      • Modular Expansion: Core switches were modular, allowing easy expansion with additional line cards as needed.
      • IPv6 Ready: Designed to support both IPv4 and IPv6, ensuring a smooth transition to future protocols.
      • SDN Compatibility: Prepared for future integration with Software-Defined Networking for centralized control and automation.
  4. Wireless LAN (WLAN):
    • Comprehensive Coverage:
      • Deployment: Installed Cisco Aironet 3600 series access points with internal antennas, providing 802.11n connectivity at both 2.4 GHz and 5 GHz bands, ensuring full coverage across all areas of the headquarters.
      • RF Management: Configured dynamic Radio Frequency (RF) management to automatically adjust power levels and channel assignments, optimizing coverage and reducing interference.
      • High-Density Support: Enabled ClientLink technology to improve performance for legacy 802.11a/g clients in high-density areas, ensuring seamless connectivity for all devices.
    • Centralized Management:
      • Controller Configuration: Deployed Cisco 5508 Wireless LAN Controller (WLC) to manage up to 250 access points, providing centralized configuration, monitoring, and troubleshooting.
      • SSID Segmentation: Configured multiple SSIDs with VLAN tagging for traffic segmentation (e.g., corporate and guest networks), ensuring each SSID was mapped to a corresponding VLAN on the network.
      • Integration with AD: Integrated the WLC with Active Directory for role-based access control, using a RADIUS server for 802.1X authentication, enabling seamless user authentication and policy enforcement.
    • Security and Guest Access:
      • WPA2-Enterprise: Implemented WPA2-Enterprise across all SSIDs, with EAP-TLS for certificate-based authentication, providing strong encryption and user authentication.
      • Guest Wi-Fi Configuration: Created a dedicated guest SSID isolated via VLAN, configured with limited bandwidth and access controls, preventing guests from reaching internal network resources.
      • Rogue Detection and Mitigation: Enabled rogue access point detection and automatic containment features on the WLC to protect against unauthorized devices and potential security breaches.
  5. Hyper-V Deployment:
    • Server Virtualization: Microsoft Hyper-V 2012 was used to virtualize critical services on the HP ProLiant DL380 G7 server:
      • Firewall (Microsoft TMG 2010): Virtualized on a VM with 4 vCPUs, 8 GB RAM, and 80 GB storage, configured using a 3-leg template to segregate internal, external, and DMZ traffic.
      • Bitdefender GravityZone: Managed on a VM with 4 vCPUs, 8 GB RAM, and 50 GB storage, providing centralized endpoint protection across the network.
      • Active Directory Domain Services (AD DS): Deployed on two VMs, each with 6 vCPUs, 12 GB RAM, and 100 GB storage. The VMs handled domain authentication, DNS, DHCP, and were configured for redundancy and load balancing to ensure continuous availability. Multi-master replication ensured that changes were synchronized between domain controllers, maintaining data consistency.
      • Network Monitoring: SolarWinds NPM was deployed on a VM with 4 vCPUs, 8 GB RAM, and 100 GB storage, providing real-time monitoring and alerting for the entire network infrastructure.
    • High Availability and Resource Management: Hyper-V’s failover clustering ensured high availability, while Dynamic Memory was enabled across all VMs to optimize resource allocation based on real-time demand.
    • Storage Configuration: The HP ProLiant DL380 G7 was configured with RAID 10 for hosting VHDX files, ensuring optimal performance and data redundancy. RAID 10 provided the benefits of both striping and mirroring, offering increased fault tolerance and faster data access speeds.
  6. Active Directory Implementation:
    • Domain Controllers: AD DS was implemented across two VMs, ensuring redundancy and load balancing. Organizational Units (OUs) were structured according to departmental roles, and Group Policies were deployed to enforce security settings across the network. The integration of DNS and DHCP services into the AD DS infrastructure allowed for efficient network management and ensured that domain-related queries and IP assignments were handled seamlessly.
    • Kerberos Authentication: Implemented for secure user authentication, ensuring that all network services requiring authentication were processed through the AD DS infrastructure.
  7. File Server and SAN Integration:
    • SAN as a File Server: The Dell EMC VNX5200 SAN was designated as the centralized file server for the entire network. Configured with RAID 5, the SAN provided a reliable and high-performance storage solution for all user files, shared departmental data, and corporate documents.
    • Centralized File Access: Network shares were created on the SAN, accessible to various departments and users, with permissions managed through Active Directory. This setup ensured that data was centrally located, easily accessible, and securely managed.
    • Scalability and Redundancy: The SAN’s architecture allowed for easy expansion as storage needs grew, while the RAID 5 configuration provided data redundancy, protecting against hardware failures.
    • Backup and Recovery: Regular backups of the SAN were scheduled to ensure that critical files were protected. In case of data loss or corruption, files could be quickly restored from backups, minimizing downtime.
  8. Network Monitoring and Logging:
    • SolarWinds NPM: Deployed on a dedicated VM, SolarWinds Network Performance Monitor (NPM) provided comprehensive, real-time monitoring of the network infrastructure. This system allowed for proactive issue detection, minimizing downtime and ensuring optimal network performance.
    • SolarWinds Syslog Server: Integrated with NPM, SolarWinds Syslog Server centralized log collection from all network devices, providing a single repository for logs. This server enabled real-time alerting, detailed analysis, and long-term archiving of logs, crucial for troubleshooting, auditing, and maintaining compliance. Syslog data was parsed and categorized to highlight critical events, ensuring that issues could be quickly identified and addressed.
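As an added example, and not the project's own configuration, the access-layer controls described under LAN Technologies and Design (port security, DHCP snooping and dynamic ARP inspection on the Catalyst 2960s, with dual LACP uplinks to the 3850 core) expressed as Cisco IOS configuration. It also handles the statically addressed hosts reserved in the IP address plan, which DAI cannot validate from the snooping table. VLAN IDs, interface names, the 172.16.10.250 host and its MAC address are assumptions.

```cisco
! Added example (constructed), not the project's configuration. Interface names,
! VLAN IDs, the 172.16.10.250 host and its MAC address are placeholders.
!
! DHCP snooping builds the IP-to-MAC binding table that DAI checks against.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip dhcp snooping database flash:/snooping.db
!
! Dynamic ARP Inspection drops ARP packets that do not match a binding.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Statically addressed hosts (servers, printers) never obtain a lease, so
! they are absent from the binding table and need an explicit ARP ACL.
arp access-list STATIC-HOSTS
 permit ip host 172.16.10.250 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Untrusted user ports: limited MACs, DHCP/ARP rate limits, BPDU Guard.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 60
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Dual uplinks to the Catalyst 3850 core form one LACP bundle; only this
! bundle is trusted, so DHCP offers and ARP replies from the core pass.
interface range GigabitEthernet1/0/25 - 26
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
```

After applying it, `show ip dhcp snooping binding` and `show ip arp inspection statistics` confirm that leases are being learned and that drops occur only on the untrusted ports.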

Achievements and Results:

  • Scalable Infrastructure: Successfully deployed a robust network infrastructure at headquarters, supporting current operations and future growth.
  • Secure Wireless Network: Integrated a secure wireless network with seamless access control through Active Directory.
  • Efficient User Management: Centralized user management with AD integration, enhancing security and operational efficiency.
  • High Availability: Virtualized infrastructure ensured minimal downtime, maintaining operational continuity.
  • Proactive Monitoring: Comprehensive network monitoring allowed for early detection and resolution of potential issues.
  • Centralized File Management: The SAN’s role as a centralized file server improved data accessibility and security, with efficient backup and recovery processes in place.

Future Considerations:

  • Firewall and Security Enhancements: Explore upgrades to advanced firewall solutions to further strengthen network security.
  • Wireless Technology Upgrades: Consider 802.11ac wireless technology to improve network performance and coverage.
  • Branch Office Expansion: Plan for network expansion to include branch offices with consistent security and remote access capabilities.
  • DMZ Development: Enhance DMZ for future services like web and mail servers, improving external service offerings.

Skills Gained:

  • Advanced Network Design: Expertise in designing scalable, secure network architectures.
  • Cisco Networking Proficiency: Proficiency in configuring and managing Cisco networking equipment.
  • Security Best Practices: Mastery in implementing network security, including Microsoft TMG 2010 firewall and endpoint protection.
  • Windows Server and AD Management: Advanced skills in managing Windows Server 2012 and deploying AD environments in virtualized settings.
  • SAN and File Server Management: Gained expertise in configuring and managing a SAN as a centralized file server, ensuring data redundancy, scalability, and security.

Project Documentation:

  • Comprehensive Diagrams: Network topology, VLAN assignments, and wireless integration plans.
  • IP Address Scheme Documentation: Detailed IP address allocations, subnetting, and DHCP configurations.
  • Active Directory Integration Guide: Step-by-step guide on integrating Active Directory with WLAN.
  • VM Configuration Files: Relevant configuration files for all virtualized services.
  • File Server Setup Documentation: Configuration details for SAN-based file shares, permissions, and backup schedules.
  • Testing and Audit Results: Network performance tests, security audits, and failover test results.
