Friday, May 8, 2020

Asking for high school network architecture recommendations

Hello,

First, I'm so sorry for some stupid questions I may ask. I'm doing my best at my level of knowledge.

I've been working for a year now in a high school, and we plan to change our network infrastructure. Since it opened 20 years ago (it was a small high school at that time), it has been a flat network. It is now fragmented into VLANs (in the same network, yes), and thanks to Huawei hybrid VLAN, we can say "that VLAN can communicate with that VLAN, but not with that VLAN, even if they are both in the same network". But it's "all or nothing"; of course, as it's layer 2, we cannot filter on ports.

This gives us great performance as it's a full layer 2 "network", BUT it's a bad security option, and it's quite horrible to manage.

I would like to transform this in order to have a more standard topology, easier to understand and to manage, and with equally good performance. Here is what we have in terms of needs:

  • 2500 students
  • 20 classrooms with around 40 computers per room; those classrooms are in 3 buildings (8 - 8 - 4) within 5000 m²
  • 50TB iSCSI storage shared by multiple Active Directory servers (SMB, complex NTFS rights) to those 800 computers
  • This 50TB SMB share is also shared via SFTP on the internet through another dedicated server
  • There are multiple licence servers
  • We need high bandwidth between the 50TB share and the computers; large amounts of data are transferred as it's mainly 3D projects, ...
  • There are also multiple (around 20) web servers/DBs for high school services
  • Computers within a classroom can communicate together, but can't communicate with other classrooms

I have already checked the most popular options for big networks:

  • 3-tier topology: I've got mixed feelings because of this:
    • The aggregation layer, which is meant to route traffic beneath the aggregation switch (L3), wouldn't route anything, as there is nothing to route between classrooms
    • I don't know where I should put servers:
      • 50TB share at the core layer for better performance? But it may be better to avoid going to the core to access a file share? So not the ideal topology for our use case?
      • Should the other servers be under a distribution switch?
  • Spine-leaf: seems too complex and not suitable for our use case (also very expensive)
    • I guess we can have something simpler for such an easy use case: 800 computers must access one share with great performance, the internet and multiple licence servers.

We also have a question about the DMZ: in our case, the SFTP server that shares our 50TB iSCSI storage to the internet should definitely be in the DMZ. But this SFTP server is linked to an SMB share, which is served by a DC, which is linked to the iSCSI. Should that DC be in the DMZ? It would make no sense to put a DC inside a DMZ, but then I don't see how to publish this share on the internet without having such a security issue.

Thank you VERY MUCH in advance for all your recommendations and ideas.

Moupsy.
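
The post notes that the current layer 2 design cannot filter on ports; once each classroom gets its own routed VLAN, the inter-VLAN ACL can. Below is an added example (not the poster's configuration) of a small first-match ACL evaluator that checks such a policy against the requirements listed above; the addressing plan (one /24 per classroom under 10.1.0.0/16, servers under 10.100.0.0/24), the server addresses and the licence-server port are all assumptions.

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass
from typing import Optional

# Constructed example, not the original poster's network. Addressing plan is an
# assumption: one /24 per classroom under 10.1.0.0/16, servers under 10.100.0.0/24.
# Intra-classroom traffic stays inside its own VLAN and never reaches this ACL,
# which is exactly the "rooms talk internally, not to each other" requirement.

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # TCP destination port, None = any

# Order matters: explicit permits, then explicit denies, then the catch-all.
ACL = [
    Rule("permit", "10.1.0.0/16", "10.100.0.10/32", 445),    # SMB to the 50TB share
    Rule("permit", "10.1.0.0/16", "10.100.0.20/32", 27000),  # licence server (port assumed)
    Rule("deny",   "10.1.0.0/16", "10.100.0.0/24"),          # nothing else to servers
    Rule("deny",   "10.1.0.0/16", "10.1.0.0/16"),            # no classroom-to-classroom
    Rule("permit", "10.1.0.0/16", "0.0.0.0/0"),              # remaining traffic: internet
]

def evaluate(acl, src_ip, dst_ip, dport):
    """Return the action of the first matching rule; implicit deny otherwise."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in acl:
        if (src in ip_network(rule.src) and dst in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"

def check_requirements(acl):
    """Translate the post's requirements into flows and return which ones hold."""
    flows = {
        "room1 -> room2 blocked":     ("10.1.1.5", "10.1.2.5", 445, "deny"),
        "room1 -> share SMB":         ("10.1.1.5", "10.100.0.10", 445, "permit"),
        "room2 -> share SMB":         ("10.1.2.5", "10.100.0.10", 445, "permit"),
        "room1 -> share RDP blocked": ("10.1.1.5", "10.100.0.10", 3389, "deny"),
        "room1 -> licence server":    ("10.1.1.5", "10.100.0.20", 27000, "permit"),
        "room1 -> internet HTTPS":    ("10.1.1.5", "203.0.113.7", 443, "permit"),
    }
    return {name: evaluate(acl, s, d, p) == want for name, (s, d, p, want) in flows.items()}

if __name__ == "__main__":
    for name, ok in check_requirements(ACL).items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
```

Dropping the "nothing else to servers" deny lets the internet catch-all permit RDP to the file share, which is the kind of ordering mistake this check is meant to catch before the design goes live.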
