introduction
Three ethernet switches form the heart of the LIC data networks. This is a problem. The design of the LIC requires six switches, not three. This is shown in the firewall diagram.
These few switches pretend to be many switches by creating VLANs.
what it is
I got my lack of switches by buying ethernet switches that understand VLANs. A VLAN (Virtual Local Area Network) on each ethernet switch is a few interfaces that pretend they are one switch. One switch pretends to be two switches. I defined these VLANs.
| LIC table: VLANs | ||
|---|---|---|
| name | switch ports | description |
| int2biz | ces01 1-3 | from the Internet to the biz01 network |
| dmz2biz | ces01 4-6 | from the Internet DMZ to the biz01 network |
| int2biz | ces02 1-3 | from the Internet to the biz02 network |
| dmz2biz | ces02 4-6 | from the Internet DMZ to the biz02 network |
| int2adm | ces03 1-2 | from the Internet DMZ to the adm01 network |
| ent2adm | ces03 3-9 | from the enterprise to the adm01 network |
many switches in one VLAN
Two ethernet switches are in one LAN. The int2biz VLAN spans both ces01 and ces02. This is a way of making sure that the LAN still works if one of the switches goes up in flames. I only did this complicated stuff for business traffic; I didn't bother for the administrative LANs.
This is where the concept of the biz01 and biz02 networks starts to break down. The firewalls ifw01 and ifw02 are connected to both networks. The switches ces01 and ces02 are in the same LAN. It is not clear where one network starts and the other ends.
| LIC topology: ethernet switches |
|---|
what it isn't
The VLAN idea was specified by IEEE 802.1Q. It describes how to separate traffic on a LAN by tagging the Ethernet frames. I don't use tagging in this design.
