Networks 101 – Configuring subnets and VLANs for basic network isolation

Over the last week or so I have spent some time configuring some new networking gear for one of eShare’s numerous internal SharePoint farms and I thought I’d share a few of the lessons I’ve learned along the way.

My task seemed pretty straightforward: implement a couple of load balanced firewalls along with 3 isolated network segments. This is quite a common scenario for us as we deal with a lot of security sensitive clients who aren’t big fans of back end servers sharing a subnet with those that are public facing. Indeed, there are few reasons not to implement a segmented network such as this as it provides a form of defence in depth should your perimeter servers be compromised.

However, the exercise made me feel somewhat schoolboy and I wanted to document a few “aha” moments for the other SharePoint admins out there that might need to wear a “networking” hat:

  • If you are fortunate enough to be configuring a green field network, ensure that you give yourself enough private IPs to play with. Don’t fall into the trap of using a default address that might not give you a large enough address range. For example, using a /24 will give you only 254 host addresses. Using a /16 gives you 65,534 hosts per subnet! Use a subnet calculator to help.
  • In order to send packets between network segments, a router is required. Unified Threat Management (UTM) gateways are very common as they allow firewall policies (routes) to be defined for controlled access between zones (e.g. you may choose to allow AD authentication traffic between your perimeter and internal networks).
  • VLANs can be used to “partition” a switch into multiple network segments. This can be a viable alternative to using a switch per network segment which may not scale well. Although many switches allow assignment of an IPv4 address, this might be purely to allow management via a Web UI (a switch is primarily a layer 2 device).
  • If you are using a UTM for routing, the default gateway on all hosts should typically be an interface on the firewall.
  • A different network address should be used for each VLAN. e.g. VLAN 101 = /16, VLAN 201 = /16 etc.
  • A lot of modern networking equipment – including both switches and firewalls – won’t save changes as you go along. If you forget to save your changes and turn off the device you may have to start again, so I suggest taking regular backups. You have been warned!
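The subnet points above can be checked before any device is touched. The following is an added example, not part of the original post: it validates a segment plan for host capacity, a default gateway that sits inside each subnet, and non-overlapping ranges. VLAN IDs 101 and 201 come from the post; VLAN 301, the zone names and all addresses are constructed, and the third segment is deliberately misplanned so the overlap check fires.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: VLAN IDs 101 and 201 appear in the post; VLAN 301,
# the zone names and every address below are assumptions for illustration.
PLAN = [
    {"vlan": 101, "zone": "perimeter", "network": "10.101.0.0/16", "gateway": "10.101.0.1"},
    {"vlan": 201, "zone": "internal", "network": "10.201.0.0/16", "gateway": "10.201.0.1"},
    {"vlan": 301, "zone": "management", "network": "10.201.30.0/24", "gateway": "10.201.30.1"},
]


def usable_hosts(network):
    """Usable IPv4 host addresses: total minus network and broadcast."""
    net = ipaddress.ip_network(network)
    return max(net.num_addresses - 2, 0)


def check_plan(plan):
    """Return a list of problems found in a VLAN/subnet plan."""
    problems = []
    nets = {}
    for seg in plan:
        net = ipaddress.ip_network(seg["network"])  # raises if host bits are set
        gw = ipaddress.ip_address(seg["gateway"])
        if not net.is_private:
            problems.append(f"VLAN {seg['vlan']}: {net} is not private address space")
        # Hosts can only reach a default gateway that is on their own subnet.
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {seg['vlan']}: gateway {gw} is not a host address in {net}")
        nets[seg["vlan"]] = net
    # Overlapping ranges make routing between segments ambiguous.
    for (va, na), (vb, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"VLAN {va} ({na}) overlaps VLAN {vb} ({nb})")
    return problems


if __name__ == "__main__":
    for seg in PLAN:
        print(seg["vlan"], seg["network"], usable_hosts(seg["network"]), "hosts")
    for p in check_plan(PLAN):
        print("PROBLEM:", p)
```

Moving the third segment to a range outside the other two (for example a constructed 10.30.0.0/24 with gateway 10.30.0.1) makes `check_plan` return an empty list.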

If a lot of the above is news to you, then it might be worth getting some assistance from your vendor to ensure that you implement a secure network in a cost effective manner. This is especially the case if you are providing an externally facing network, as opposed to simply tinkering about with an internal development environment.

That’s all for now folks, I hope this proves useful!