Sunday, July 29, 2018

Inherited a very messy network, looking for some advice and sanity-checking.

First off, my job title is more like "engineer" rather than "network engineer", but I will try and keep this focused on the networking aspect rather than the real purpose and description of my job, which is at a non-profit TV station. The network is more interesting, anyway.

This is an extremely small organization, something like 15 to 20 people including me. First network that I've been given pretty much full rein over, and unfortunately have been working on for an embarrassingly long time, learning as I go and treading carefully so as not to interrupt service. Being given full rein means full responsibility for the screwups. And this network was, and still largely is despite my efforts, very messy. That would be because of my boss, who I will just go ahead and state is not really too involved nor experienced in this field, and seems to have written no documentation beyond what he inherited, and generally just let the entropy grow. And now his memory is really crap and he can't remember what he did in the first place. I go to him to beg for a new toy and for permission to do something, and he leaves me to it. Managed to bring a buddy of mine in to lighten the workload, although I do have to train him on the side, on what I think matters. More responsibility. So I am effectively the most knowledgeable tech. Which... hooray, I guess? It sure is a satisfying learning environment, anyway.

One of my recent changes was running lines from each major switch to a core switch, instead of leaving them daisy-chained like they were. Previously, if the switch that connected the people in the business department to the internet lost its connection, the people in production would also be disconnected from the internet, and so would the switch that our main servers connect to, etc. With this change I have like 0.5% more peace of mind. Will probably do aggregation once I understand it better and probably once I can negotiate for a better category of cable, since I am rather concerned about EMI in the server room. Like I said, non-profit. The core switch is just beneath a Juniper SRX210HE2 which I only recently learned we are not supposed to have any means of access to for our own configuration. It was installed by the ISP I think, just underneath a device for receiving 100Mbit fiber internet, and acts as a firewall and a gateway and a DHCP server. It has just the two gigabit Ethernet ports, one for the fiber internet device, and one for the core switch. Rather annoying.

So, we have a flat network, two major subnets (one which allows you to access the internet, and one which does not), and something like two or three more that are not physically connected to the two major subnets. (That would be my doing, trying to keep legacy equipment talking to its brethren and away from the more modern stuff. Still have maybe two or three XP and 2003 servers to move over, once I learn what the heck they even do, if anything.)

One necessary server is broadcasting to 255.255.255.255 via UDP several times a second to ensure that its brethren devices are up and accessible, and since this is a flat network I am able to see it with Wireshark when I am on either major subnet, including when I am on wifi. I very much want that to be contained, but I am not sure how.

Speaking of the wifi, my boss previously connected Ethernet lines to the LAN ports on our SOHO Netgear devices without disabling the various services on them. A previous major change I made was moving the lines to the WAN ports on the devices and configuring them in WAP mode so we didn't have conflicting DHCP servers, and so people who just HAVE to work on the wifi could actually hit the servers they needed to hit. I currently just RDP from my laptop to a Windows 10 desktop that I cobbled together from parts, and have configured a virtual Realtek adapter so I can access both major subnets, or a USB Ethernet device for the segregated switches. For an Arch Linux box that I also cobbled together I just use MACVLAN adapters, which are very easy to whip up if you are okay with using systemd-networkd.

Sooooooo, I've done a lot to ensure that equipment stays on managed switches intended for equipment, and that business stays on managed switches intended for business, production for production, etc. But none of it is really segregated, no VLANs. I'm not sure how to introduce that into the setup, since there will be an overlap of NICs of the first subnet and of the second, and in one case I think a device connects to the internet-connected subnet through a device on the second subnet, and I am not sure how that is happening in the slightest. All I know is that I see two MAC addresses listed in the MAC table for a single port on the equipment switch, when as far as I can tell it is not doing anything like the virtual adapters I have set up on my personal workstations. So I am not sure how I will introduce VLANs (or perhaps learn how to do routing) without accidentally preventing some necessary devices from accessing what they need to access.
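As an added example (not code from the original post), here is a small Python script that turns two artifacts mentioned above into a short inventory for planning the VLAN work: a switch's MAC address table and a tshark/Wireshark field export of the UDP broadcasts to 255.255.255.255. It reports which switch port each broadcaster sits on, which other MACs share that port (the two-MACs-on-one-port situation on the equipment switch), how often each broadcaster talks, and which ports learned more than one MAC and so need a trunk-versus-access decision before any VLAN is assigned. The table layout, the tshark column order, and every address, port name and timestamp below are constructed assumptions, not values from the post.

```python
"""Inventory helper for planning VLAN segmentation on a flat network.
Added example: joins a MAC address table with a capture of limited
broadcasts so each broadcaster can be tied to a switch port."""
import re
from collections import defaultdict

# Constructed sample in the "VLAN  MAC  type  port" layout many managed
# switches print. Addresses and port names are made up; flat network = VLAN 1.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/1
   1    0011.2233.4456    DYNAMIC     Gi0/2
   1    00aa.bbcc.dd01    DYNAMIC     Gi0/7
   1    00aa.bbcc.dd02    DYNAMIC     Gi0/7
   1    0c0c.0c0c.0c0c    DYNAMIC     Gi0/24
   1    0d0d.0d0d.0d0d    DYNAMIC     Gi0/24
   1    0e0e.0e0e.0e0e    DYNAMIC     Gi0/24
"""

# Constructed capture export, tab separated, in the column order
# frame.time_epoch, eth.src, ip.src, ip.dst, udp.dstport (assumed to come
# from `tshark -T fields` with those field names).
CAPTURE = """\
1532822400.000\t00:aa:bb:cc:dd:01\t192.168.10.50\t255.255.255.255\t5000
1532822400.250\t00:aa:bb:cc:dd:01\t192.168.10.50\t255.255.255.255\t5000
1532822400.500\t00:aa:bb:cc:dd:01\t192.168.10.50\t255.255.255.255\t5000
1532822400.750\t00:aa:bb:cc:dd:01\t192.168.10.50\t255.255.255.255\t5000
1532822401.000\t00:aa:bb:cc:dd:01\t192.168.10.50\t255.255.255.255\t5000
1532822400.300\t00:11:22:33:44:55\t192.168.10.20\t192.168.10.1\t53
1532822401.000\t00:11:22:33:44:56\t192.168.20.9\t255.255.255.255\t137
"""

LIMITED_BROADCAST = "255.255.255.255"


def normalize_mac(mac):
    """Reduce 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_mac_table(text):
    """Return {port: set of normalized MACs} from a MAC address table dump."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+([0-9A-Fa-f.:-]+)\s+\S+\s+(\S+)\s*$", line)
        if m:  # header and separator lines do not start with a VLAN number
            ports[m.group(2)].add(normalize_mac(m.group(1)))
    return dict(ports)


def multi_mac_ports(text, threshold=2):
    """Ports that learned at least `threshold` MACs: a downstream switch,
    an access point, or a host bridging a VM or second adapter."""
    return {p: len(macs) for p, macs in parse_mac_table(text).items()
            if len(macs) >= threshold}


def broadcast_rates(text):
    """Per source MAC: frames to 255.255.255.255, source IP, UDP ports and
    frames per second computed as 1 / mean inter-arrival time."""
    seen = defaultdict(lambda: {"frames": 0, "times": [], "ip": None, "udp": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_mac, src_ip, dst_ip, dport = line.split("\t")
        if dst_ip != LIMITED_BROADCAST:
            continue  # unicast and directed traffic is not the problem here
        s = seen[normalize_mac(src_mac)]
        s["frames"] += 1
        s["times"].append(float(ts))
        s["ip"] = src_ip
        s["udp"].add(int(dport))
    out = {}
    for mac, s in seen.items():
        span = max(s["times"]) - min(s["times"])
        rate = (s["frames"] - 1) / span if span > 0 else 0.0
        out[mac] = {"frames": s["frames"], "ip": s["ip"],
                    "udp_ports": sorted(s["udp"]), "per_second": round(rate, 2)}
    return out


def locate_broadcasters(mac_table, capture):
    """Join both inputs: which port each broadcaster is on and which other
    MACs share that port (they move with it, or the port becomes a trunk)."""
    ports = parse_mac_table(mac_table)
    mac_to_port = {mac: port for port, macs in ports.items() for mac in macs}
    findings = []
    for mac, stats in sorted(broadcast_rates(capture).items()):
        port = mac_to_port.get(mac)
        shared = sorted(ports.get(port, set()) - {mac}) if port else []
        findings.append({"mac": mac, "port": port, "shared_with": shared, **stats})
    return findings


if __name__ == "__main__":
    for f in locate_broadcasters(MAC_TABLE, CAPTURE):
        print(f"{f['ip']:<15} {f['mac']} port={f['port']} {f['per_second']}/s "
              f"udp={f['udp_ports']} shares port with={f['shared_with']}")
    for port, n in sorted(multi_mac_ports(MAC_TABLE).items()):
        print(f"{port}: {n} MACs learned; decide trunk vs. access before assigning a VLAN")
```

To feed it real data, export the MAC table from each managed switch and produce the capture file with `tshark -r capture.pcap -T fields -e frame.time_epoch -e eth.src -e ip.src -e ip.dst -e udp.dstport` (the script assumes exactly those five columns in that order). The useful property to lean on is that a datagram to 255.255.255.255 is never forwarded by a router: its reach is exactly the Layer 2 broadcast domain. Once the broadcaster and the devices it polls are known by port, putting those ports in their own VLAN (or on the already-segregated switch) stops the chatter from reaching the business and production ports without touching the server itself; the multi-MAC ports are the ones to resolve first, because a VLAN assignment there affects every device behind the port.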

Here is a super basic map drawn in Paint, if more detail is desired then let me know. There are no patch panels in this setup, and it is on the list of stuff to introduce.

What I want, basically, is advice on VLANs or perhaps routing, and a sanity check on anything I said that may be a red flag as far as configuration goes. I've said as much as I can think of.


