Creating Network Topology Diagrams And Addressing Plan

Creating Network Topology Diagrams and Addressing Plan for Contoso's Expansion

Contoso is an Oshawa-based startup with 15 employees, selling custom digital artwork online. The company operates with a single network infrastructure comprising servers, workstations, and network devices, currently housed in a shared office space. As they plan significant growth—expanding to 700 employees and establishing a second branch in Toronto—they seek expert advice to design a scalable, reliable, secure, and high-quality network topology. This includes creating network diagrams, proposing necessary devices, connection types, IP addressing schemes, and justifying the topology changes based on whether they stay at a single location or expand to multiple sites.

---

Network Topology Diagram for Current and Future Expansion

The initial network design for Contoso will be mapped using a hierarchical architecture, combining core, distribution, and access layers. The core layer will include redundant switches to enhance reliability, while the distribution layer will handle traffic aggregation and policy enforcement. Access layers will connect end-user devices and servers. Given the company's current size and planned expansion, the design must be highly scalable, secure, and reliable.

Current Network Topology

  • Internet connection via a high-bandwidth, redundant fiber link connected to a firewall security appliance for perimeter security.
  • Firewall connected to a core switch that serves as the backbone, ensuring redundancy and high availability.
  • Core switch connects to:
    • Server VLAN—hosting Server A and Server B, segmented from user traffic for security and ease of management.
    • Distribution switches—serving as aggregation points.
    • Wireless access points—providing Wi-Fi access for employees and visitors.
    • Router for external connectivity and VPN termination.
  • Workstations connected via wired Ethernet to access switches, all within the same subnet (10.32.0.0/16), for simplicity.

Proposed Network for Expansion (Second Branch)

  • Create a VPN or MPLS link between the Oshawa and Toronto offices, ensuring encrypted, reliable connectivity.
  • At each site, replicate the core and distribution layers with appropriate redundancy (e.g., dual core switches).
  • Implement a DMZ zone hosting the web and database servers with controlled access via firewalls.
  • Dedicated VLANs for servers, management, wireless, staff, and guest access, ensuring network segmentation and security.

Network Devices and Connection Types

  • Firewalls (e.g., Cisco ASA or Palo Alto) at the perimeter for threat monitoring and VPN termination.
  • Core and distribution switches (e.g., Cisco Catalyst 9300/9500 series) with link aggregation (LACP) for redundancy.
  • Wireless access points (e.g., Cisco Meraki or Ubiquiti UniFi) for Wi-Fi coverage.
  • VPN Gateway devices or integrated firewall VPN functionalities.
  • Secondary routers at the Toronto site to connect to the main network securely.

Additional Proposed Network Features

  • Implement VLANs for logical segmentation—servers, management, user access, wireless, and guests.
  • Redundant links using Spanning Tree Protocol (STP) or Rapid STP to prevent loops and maintain network stability.
  • Use of QoS policies to prioritize critical business traffic such as VoIP and database queries.
  • Network monitoring tools (e.g., SolarWinds, Nagios) to monitor network health and performance.
  • Enhanced security measures, including endpoint security, NAC (Network Access Control), and regular patching.

IPv4 Addressing Plan

Subnet Name    Purpose                                                              Address Range    Subnet Prefix    Number of Hosts
Management     Network management and security devices                              10.32.0.0/24     10.32.0.0/24     254
Servers        Corporate servers including domain controller, DNS, web, database    10.32.1.0/24     10.32.1.0/24     254
Workstations   Employee and guest client devices                                    10.32.2.0/20     10.32.2.0/20     4094
Wireless       Wireless network subnet                                              10.32.3.0/24     10.32.3.0/24     254
DMZ            Public-facing web and database servers                               10.32.4.0/25     10.32.4.0/25     126

The rationale behind this IP addressing scheme is to logically separate different functional groups, enhance security, and facilitate scalability. The /24 subnets for servers, management, and wireless provide ample room for growth, while the /20 subnet for workstations supports a large number of devices. The DMZ's smaller subnet isolates public-facing servers from internal resources, respecting best practices in network security.
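Before an addressing plan like the one above is committed to switch and firewall configurations, it is worth checking mechanically that every block sits on a valid boundary and that no two blocks overlap, since overlapping subnets silently defeat the segmentation the plan is meant to provide. The script below is an added example, not part of the original plan: it runs the page's table through Python's standard ipaddress module and, as a generalisation, lays the same prefix lengths out again without overlap inside the 10.32.0.0/16 block the text mentions (the allocation order and the supernet are assumptions).

```python
import ipaddress
from itertools import combinations

# Sample input constructed from the addressing table above (page values as given).
PLAN = {
    "Management":   "10.32.0.0/24",
    "Servers":      "10.32.1.0/24",
    "Workstations": "10.32.2.0/20",
    "Wireless":     "10.32.3.0/24",
    "DMZ":          "10.32.4.0/25",
}

def check_alignment(plan):
    """Map each entry whose address is not the first address of its /prefix
    block to the block it really denotes (empty dict means all are aligned)."""
    bad = {}
    for name, cidr in plan.items():
        try:
            ipaddress.ip_network(cidr)          # strict: host bits must be zero
        except ValueError:
            bad[name] = str(ipaddress.ip_network(cidr, strict=False))
    return bad

def check_overlaps(plan):
    """Sorted (a, b) name pairs whose blocks overlap, each block taken as the
    range its prefix length actually spans (what a router would install)."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in plan.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def usable_hosts(plan):
    """Usable host count per subnet (network and broadcast excluded)."""
    return {n: ipaddress.ip_network(c, strict=False).num_addresses - 2
            for n, c in plan.items()}

def allocate(needs, supernet="10.32.0.0/16"):
    """Assumed layout algorithm: place the largest blocks first, each on the
    next properly aligned boundary, so the result cannot overlap."""
    outer = ipaddress.ip_network(supernet)
    cursor, result = int(outer.network_address), {}
    for name, plen in sorted(needs.items(), key=lambda kv: kv[1]):
        size = 1 << (32 - plen)
        cursor = (cursor + size - 1) // size * size        # align up to block
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{plen}")
        if not net.subnet_of(outer):
            raise ValueError(f"{name} (/{plen}) does not fit inside {supernet}")
        result[name], cursor = str(net), cursor + size
    return result

if __name__ == "__main__":
    print("misaligned:", check_alignment(PLAN))
    print("overlaps:", check_overlaps(PLAN))
    print("hosts:", usable_hosts(PLAN))
    print("re-laid:", allocate({n: int(c.split("/")[1]) for n, c in PLAN.items()}))
```

On the table as written, the check reports the Workstations entry as misaligned (a /20 starting at 10.32.2.0 really denotes 10.32.0.0/20) and overlapping every other subnet; the re-laid plan keeps the same sizes with no overlap.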

Justification for Network Topology Changes

Reliability

Implementing redundant core switches, resilient links, and multiple firewall connections significantly improves network fault tolerance. Using high-availability configurations like link aggregation and redundant power supplies ensures continuous operation even during hardware failures. For example, dual core switches with redundant uplinks decrease the risk of network downtime.

Scalability

Designing for growth involves reserving large IP subnets (like /20 for workstations and /24 for servers) and deploying modular switches and routers that can be upgraded or expanded. The use of VLANs and trunk links allows easy segmentation and addition of new departments or services without disrupting existing infrastructure. Creating a global VPN or MPLS link between sites allows seamless expansion as the new Toronto branch opens.

Quality of Service (QoS)

Prioritizing critical traffic — such as VoIP, video conferencing, and database transactions — through QoS settings ensures that essential applications operate smoothly despite high network load or congestion. Implementing QoS policies at the switch and router level will provide dedicated bandwidth to these applications, maintaining service quality.

Security

Security enhancements include deploying perimeter firewalls, network segmentation via VLANs, and implementing 802.1X port-based authentication. Network access controls, intrusion detection systems, and regular patch management will protect the network against internal and external threats. The move to a multi-site topology necessitates encrypted VPNs to secure data in transit, with strict access controls for sensitive resources.

Conclusion

Designing a scalable, reliable, secure, and high-quality network topology that supports Contoso’s forecasted growth demands meticulous planning. The current single-site network can be optimized with redundancy, segmentation, and security measures to handle expanded workloads. For future expansion to Toronto, establishing site-to-site connectivity via VPN or MPLS, deploying redundant hardware, and adopting best practices in network management will ensure seamless, secure growth. The detailed IP addressing scheme supports these objectives by logically segregating resources and enabling straightforward management as the network grows.
