Network Architecture
DTC's network architecture is built on firewall-centric design with complete network segmentation. The firewall handles DNS, DHCP, routing, IPS, and traffic visibility. Every device starts isolated and communicates only through explicitly permitted paths.
Core Principles
- Firewall-centric: The firewall is the sole DNS server, sole DHCP server, sole gateway, and sole point of internet egress for every device on the network
- Segmentation by device role: Separate VLANs for infrastructure, networking, production, DMZ, cameras, voice, and guests
- DHCP reservations over static IPs: Only DNS servers, DHCP servers (the firewall), and gateways get static IPs. Everything else uses DHCP reservations.
- Automatic firmware updates: Managed device firmware auto-updates daily outside business hours. Gateway/firewall firmware auto-updates weekly outside business hours. No manual maintenance windows for routine firmware.
- IPS on every VLAN: Intrusion Prevention System enabled on all VLANs, all detection categories, notify and block mode
VLAN & IP Addressing Scheme
All sites use a consistent VLAN numbering and subnet scheme. The third octet of each 10.x.x.x subnet mirrors the VLAN ID, so knowing one tells you the other (NETWORK on x.x.0.0/24 and the fixed GUEST range are the exceptions listed in the rules below). The location number maps to the second octet (location 1 = 10.1.x.x, location 2 = 10.2.x.x, etc.). Gateways are always the .1 of each subnet.
| VLAN | VLAN ID | Subnet (within location /16) | Example (location 1 = 10.1.0.0/16) |
|---|---|---|---|
| NETWORK | 1 | x.x.0.0/24 | 10.1.0.0/24 |
| INFRA | 10 | x.x.10.0/24 | 10.1.10.0/24 |
| CORP | 20 | x.x.20.0/24 | 10.1.20.0/24 |
| BLDG2-CORP | 21 | x.x.21.0/24 | 10.1.21.0/24 |
| BLDG3-CORP | 22 | x.x.22.0/24 | 10.1.22.0/24 |
| DMZ-PUBLIC | 30 | x.x.30.0/24 | 10.1.30.0/24 |
| DMZ-INTERNAL | 31 | x.x.31.0/24 | 10.1.31.0/24 |
| CAMERAS | 40 | x.x.40.0/24 | 10.1.40.0/24 |
| VOIP | 50 | x.x.50.0/24 | 10.1.50.0/24 |
| GUEST | 99 | 192.168.240.0/20 | 192.168.240.0/20 |
Rules:
- VLAN IDs are fixed and consistent across all sites — do not deviate.
- The third octet mirrors the VLAN ID for all 10.x.x.x VLANs (e.g., VLAN 40 = x.x.40.0/24). The two intentional exceptions are NETWORK (VLAN 1 on x.x.0.0/24) and GUEST (fixed 192.168.240.0/20).
- Location number = second octet. Location 1 is 10.1.0.0/16, location 2 is 10.2.0.0/16, and so on.
- Gateway is always .1 of each subnet (e.g., 10.1.20.1 for CORP at location 1).
- GUEST is fixed at 192.168.240.0/20 across all sites. It is fully isolated and has no internal routing, so a consistent fixed range is safe and simplifies configuration.
- Multi-building CORP VLANs increment from 20: building 1 keeps VLAN 20, building 2 is 21, building 3 is 22, and so on. VLAN 29 is the last ID available before DMZ-PUBLIC at 30, so a site can have at most ten CORP VLANs. Single-building sites use VLAN 20 / CORP only.
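The mapping above is mechanical enough to compute rather than look up. The following Python is an added example (not part of the original standard and not DTC tooling) that derives subnet and gateway from a location number and VLAN name, builds the full plan for a site, and reverse-maps an address back to its location and VLAN so a DHCP reservation can be checked against the scheme. The ten-building ceiling (VLAN 29 being the last ID before DMZ-PUBLIC at 30) and the `BLDGn-CORP` naming for every building of a multi-building site are taken from the tables; treat them as the example's reading of the standard, not as additional rules.

```python
import re
import ipaddress

# Fixed site-wide VLAN IDs from the standard. Every location reuses them.
VLAN_IDS = {
    "NETWORK": 1, "INFRA": 10, "CORP": 20, "DMZ-PUBLIC": 30,
    "DMZ-INTERNAL": 31, "CAMERAS": 40, "VOIP": 50, "GUEST": 99,
}
GUEST_NET = ipaddress.ip_network("192.168.240.0/20")   # same fixed range at every site
CORP_BASE = 20          # building 1 = 20, building 2 = 21, ...
MAX_BUILDINGS = 10      # VLAN 29 is the last ID before DMZ-PUBLIC (30): derived from the table
SITE_BLOCK = ipaddress.ip_network("10.0.0.0/8")


def vlan_id(name: str) -> int:
    """Resolve a VLAN name to its fixed ID, including per-building BLDGn-CORP names."""
    if name in VLAN_IDS:
        return VLAN_IDS[name]
    m = re.fullmatch(r"BLDG(\d+)-CORP", name)
    if m and 1 <= int(m.group(1)) <= MAX_BUILDINGS:
        return CORP_BASE + int(m.group(1)) - 1
    raise KeyError(f"unknown VLAN name: {name}")


def subnet_for(location: int, name: str) -> ipaddress.IPv4Network:
    """Third octet mirrors the VLAN ID; NETWORK (VLAN 1 -> .0) and GUEST are the exceptions."""
    if not 1 <= location <= 255:
        raise ValueError("location numbers run from 1 (10.1.0.0/16) to 255")
    if name == "GUEST":
        return GUEST_NET
    vid = vlan_id(name)
    third = 0 if vid == 1 else vid
    return ipaddress.ip_network(f"10.{location}.{third}.0/24")


def gateway_for(location: int, name: str) -> ipaddress.IPv4Address:
    """Gateway is always .1 of the VLAN subnet."""
    return subnet_for(location, name).network_address + 1


def site_plan(location: int, buildings: int = 1) -> dict:
    """VLAN name -> (VLAN ID, subnet, gateway) for one site, ordered by VLAN ID.
    Single-building sites use CORP; multi-building sites get BLDG1-CORP, BLDG2-CORP, ..."""
    if not 1 <= buildings <= MAX_BUILDINGS:
        raise ValueError(f"at most {MAX_BUILDINGS} buildings fit between CORP (20) and DMZ-PUBLIC (30)")
    names = [n for n in VLAN_IDS if n != "CORP"]
    names += ["CORP"] if buildings == 1 else [f"BLDG{b}-CORP" for b in range(1, buildings + 1)]
    plan = {n: (vlan_id(n), str(subnet_for(location, n)), str(gateway_for(location, n))) for n in names}
    return dict(sorted(plan.items(), key=lambda kv: kv[1][0]))


def classify(ip: str):
    """Reverse lookup: (location, VLAN name) for an address, or None if it is outside the scheme.
    GUEST has no location (shared range), so it returns (None, "GUEST")."""
    addr = ipaddress.ip_address(ip)
    if addr in GUEST_NET:
        return (None, "GUEST")
    if addr not in SITE_BLOCK:
        return None
    _, location, third, _ = addr.packed
    if location == 0:                      # locations start at 1; 10.0.x.x is not allocated
        return None
    if third == 0:
        return (location, "NETWORK")
    if CORP_BASE < third < CORP_BASE + MAX_BUILDINGS:   # 21..29: additional buildings
        return (location, f"BLDG{third - CORP_BASE + 1}-CORP")
    by_id = {v: k for k, v in VLAN_IDS.items() if k != "GUEST"}
    return (location, by_id[third]) if third in by_id else None


if __name__ == "__main__":
    for name, (vid, net, gw) in site_plan(2, buildings=3).items():
        print(f"{name:<14} VLAN {vid:<3} {net:<18} gw {gw}")
    print(classify("10.4.40.17"))
```

`classify` is the check to run over a DHCP reservation list: any reservation whose address classifies to a different VLAN than the one the device is supposed to be on, or to `None`, is a drift from the scheme worth fixing before it becomes a firewall-rule mystery.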
VLAN Architecture
Site-Wide VLANs
These VLANs are shared across the entire site regardless of building count.
| VLAN | Purpose | Devices | Zone |
|---|---|---|---|
| INFRA | Storage and compute infrastructure | Hypervisors, NAS, BDR/backup appliances, container hosts, SAN | Internal, Isolated |
| NETWORK | Network infrastructure management | Switches, routers, firewalls (management), APs | Internal, Isolated |
| DMZ-PUBLIC | Internet-facing services | Reverse proxies, web servers, services accessible from outside | Internal, Not Isolated |
| DMZ-INTERNAL | Internal-only segmented services | Internal apps that need segmentation from CORP but aren't internet-facing | Internal, Not Isolated |
| CAMERAS | Surveillance infrastructure | NVRs, IP cameras, video management systems | Internal, Isolated |
| VOIP | Voice infrastructure | VoIP phones, call servers, SBCs | Internal, Isolated |
| GUEST | Untrusted access | Visitor WiFi, untrusted devices | Hotspot, Isolated |
Per-Building VLANs
CORP VLANs are created per building/location to segment production endpoints by physical area.
| VLAN | Purpose | Devices |
|---|---|---|
| BLDG1-CORP | Building 1 production endpoints | Workstations, printers, internal servers, DCs |
| BLDG2-CORP | Building 2 production endpoints | Workstations, printers, internal servers |
| ANNEX-CORP | Annex production endpoints | Workstations, printers, internal servers |
The naming pattern is {building}-CORP. Single-building sites just use CORP. Multi-building sites get one CORP VLAN per building.
Key Placement Rules
- INFRA: Hypervisor hosts go here at the physical port level. VMs get VLAN-tagged at the VM level to whatever VLAN they belong on (CORP for DCs/file servers, INFRA for storage VMs, etc.)
- NETWORK: Applied to the device itself, not the switch port
- CORP (per-building): Domain controllers and servers that need direct endpoint access live here (AD uses too many dynamic ports for cross-VLAN pinholing). Each building's endpoints are isolated from other buildings at L2.
- CAMERAS: NVRs and cameras isolated from production traffic. Firewall rules allow NVR access from CORP as needed for viewing.
- VOIP: Phones isolated from production traffic. QoS can be applied per-VLAN for voice prioritization.
- GUEST: L3 isolation + device isolation. No access to internal resources. Zone must be Hotspot.
- DMZ-PUBLIC/DMZ-INTERNAL: Open by default. L3 network isolation using SPI firewall rules controls what is NOT permitted. Each DMZ VLAN has specific deny rules for traffic that shouldn't reach it.
IP Address Range Selection
The private address range is chosen based on business size and location requirements. Each location gets a contiguous block, subdivided into per-VLAN subnets.
| Range | Use Case | Per-Location Allocation | Subnet Range |
|---|---|---|---|
| 172.16.0.0/12 | Container and virtual machine overlay networks (never physical endpoints) | /20 per location | /20 to /24 per VLAN |
| 10.0.0.0/8 | Small and large business / locations | /16 per location | /20 to /24 per VLAN |
Rules:
- These IP addressing standards apply to new deployments and new locations only. Do not re-scheme existing client networks unless required by a specific change (e.g., integrating Active Directory across locations, site-to-site VPN conflicts) or the client explicitly requests it. The disruption of re-addressing an existing production network is almost never worth it.
- Default is 10.0.0.0/8. All DTC clients — small and large — use this range. Start here for all new deployments.
- Each location gets a /16 allocation within the 10.0.0.0/8 space, starting at 10.1.0.0/16 for location 1. The next location starts at the next /16 boundary (10.2.0.0/16, 10.3.0.0/16...).
- Within a location's /16, each VLAN is a /24 whose third octet is the VLAN ID from the VLAN & IP Addressing Scheme table (e.g., 10.1.10.0/24 for INFRA and 10.1.20.0/24 for CORP at location 1; NETWORK sits on 10.1.0.0/24). Do not assign subnets sequentially in some other order; the octet-to-VLAN mapping is what keeps every site readable.
- 172.16.0.0/12 is reserved for Docker/container hosts and virtual machine overlay networks... never for physical endpoints.
- VLAN IDs follow the fixed scheme above and are identical at every site. Do not pick arbitrary IDs, even though any unique number would technically work.
Firewall and Security
Intrusion Prevention (IPS):
- Enabled on ALL VLANs... no exceptions
- All detection categories enabled (botnets, malware, exploits, P2P/dark web, attacks, protocol vulnerabilities)
- Detection mode: Notify and Block
DNS Security:
- Upstream DNS: Cloudflare (1.1.1.1) or DNSFilter depending on the client
- Do NOT use Google (8.8.8.8), Quad9 (9.9.9.9), ISP DNS, or any other upstream provider. Cloudflare or DNSFilter only.
- Gateway DNS logging enabled for visibility
Traffic Logging:
- NetFlow (IPFIX): Off unless a NetFlow collector/endpoint is configured to receive the data. Don't enable logging with nowhere to send it.
- Flow logging: All Traffic (required for visibility and troubleshooting)
- Gateway DNS logging enabled
- Activity logging: Forwarded to SIEM (e.g., Blumira provided by DTC) if the client has one, otherwise stored internally on the firewall
Guest Isolation:
- GUEST VLAN zone: Hotspot (not Internal)
- L3 Network Isolation: GUEST isolated from all networks
- Device Isolation: Enabled on GUEST
- No access to internal resources
Inter-VLAN Access:
- Default posture: the firewall's zone-to-zone default is Allow All, so the Isolated flag on INFRA, NETWORK, CAMERAS, VOIP and GUEST is what actually blocks cross-VLAN traffic. Explicit allow rules (below) punch the few holes that are needed; the Not Isolated DMZ VLANs get explicit deny rules instead.
- BDR/NAS on INFRA need an internal-to-internal allow rule for backup traffic from CORP
- Production VMs on hypervisors (INFRA port) get VLAN tagged at the VM level to CORP
- CAMERAS VLAN: Allow NVR viewing access from CORP via firewall rule
- VOIP VLAN: Allow call control traffic as needed
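To make the posture concrete, here is an added Python model (not DTC's firewall configuration and not any vendor's rule engine) of the decision the firewall makes for a new flow between VLANs at location 1: GUEST never crosses, Isolated VLANs need an explicit allow, Not Isolated DMZ VLANs are open unless explicitly denied, and same-VLAN traffic never touches the firewall. The port numbers on the allow rules, the two DMZ deny rules, and CORP being Internal/Not Isolated are assumptions made for illustration; the real port list lives in the Firewall Rules & Port Requirements reference. Only the initiating direction is evaluated, which is how a stateful firewall sees it: replies ride the session.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Vlan:
    name: str
    subnet: str
    zone: str        # "Internal" or "Hotspot", as in the VLAN table
    isolated: bool   # L3 network isolation flag from the Zone column


# Location 1 per the addressing scheme. Zone/isolation values follow the VLAN tables;
# CORP is modelled as Internal and not isolated (assumption: the page gives it no zone).
VLANS = [
    Vlan("NETWORK", "10.1.0.0/24", "Internal", True),
    Vlan("INFRA", "10.1.10.0/24", "Internal", True),
    Vlan("CORP", "10.1.20.0/24", "Internal", False),
    Vlan("DMZ-PUBLIC", "10.1.30.0/24", "Internal", False),
    Vlan("DMZ-INTERNAL", "10.1.31.0/24", "Internal", False),
    Vlan("CAMERAS", "10.1.40.0/24", "Internal", True),
    Vlan("VOIP", "10.1.50.0/24", "Internal", True),
    Vlan("GUEST", "192.168.240.0/20", "Hotspot", True),
]


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: str                           # source VLAN name
    dst: str                           # destination VLAN name
    proto: str = "any"                 # "tcp", "udp" or "any"
    dports: frozenset = frozenset()    # destination ports; empty means any port

    def matches(self, src, dst, proto, dport):
        return (self.src == src and self.dst == dst
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


# Explicit rules, first match wins. Port numbers are assumptions for illustration.
RULES = [
    Rule("allow", "CORP", "INFRA", "tcp", frozenset({445, 443})),        # backup traffic to BDR/NAS
    Rule("allow", "CORP", "CAMERAS", "tcp", frozenset({80, 443, 554})),  # NVR viewing
    Rule("allow", "CORP", "VOIP", "udp", frozenset({5060})),             # call control
    Rule("deny", "DMZ-PUBLIC", "CORP"),           # DMZ is open by default: pin down what must not cross
    Rule("deny", "DMZ-PUBLIC", "DMZ-INTERNAL"),   # (assumed deny rules)
]


def vlan_of(ip):
    addr = ip_address(ip)
    return next((v for v in VLANS if addr in ip_network(v.subnet)), None)


def evaluate(src_ip, dst_ip, proto, dport):
    """Decide whether a new flow src -> dst is permitted. Returns (action, reason)."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return ("deny", "address outside the site addressing plan")
    if src.zone == "Hotspot" or dst.zone == "Hotspot":
        return ("deny", "GUEST is isolated from all networks, including itself (device isolation)")
    if src.name == dst.name:
        return ("allow", "same VLAN: switched at L2, firewall not in path")
    for rule in RULES:
        if rule.matches(src.name, dst.name, proto, dport):
            return (rule.action, f"explicit rule: {rule.action} {rule.src}->{rule.dst}")
    if src.isolated or dst.isolated:
        blocker = src.name if src.isolated else dst.name
        return ("deny", f"{blocker} is an Isolated VLAN and no allow rule matched")
    return ("allow", "Not Isolated zones default to Allow All")


if __name__ == "__main__":
    for flow in [("10.1.20.50", "10.1.10.20", "tcp", 445),   # CORP -> INFRA backup: allowed
                 ("10.1.10.20", "10.1.20.50", "tcp", 445),   # INFRA -> CORP: not opened
                 ("10.1.30.10", "10.1.20.50", "tcp", 443),   # DMZ-PUBLIC -> CORP: denied
                 ("192.168.241.5", "10.1.20.50", "tcp", 443)]:
        print(flow, evaluate(*flow))
```

The ordering in `evaluate` is the point: the Hotspot check sits above the rule list so no later allow rule can accidentally open GUEST, and explicit rules are consulted before the isolation default so the BDR/NVR/call-control holes work while everything else into an Isolated VLAN stays closed.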
Switch Standards
- Spanning Tree Protocol: RSTP
- Rogue DHCP Server Detection: Enabled
- Jumbo Frames: Disabled
- 802.1X: Disabled (unless specific client requirement)
Port assignments:
| Port Type | Connection | Native VLAN | Allowed VLANs |
|---|---|---|---|
| Access | Workstation | CORP | Block all others |
| Access | Printer | CORP | Block all others |
| Access | Phone | VOIP | Block all others |
| Access | IP Camera | CAMERAS | Block all others |
| Access | NVR | CAMERAS | Block all others |
| Trunk | Hypervisor | INFRA | Allow all |
| Trunk | NAS/BDR | INFRA | Allow all |
| Trunk | Switch to Switch | None | Allow all |
| Trunk | Switch to AP | None | Allow all |
Access Ports: Native VLAN set to the device's assigned VLAN. Block all other VLANs.
Trunk Ports: Allow all VLANs. Switch-to-switch and switch-to-AP trunks have no native VLAN... the management interface on each switch and AP lives on NETWORK (VLAN 1 in the addressing scheme), which is applied to the device itself rather than to the port. Hypervisor and NAS/BDR trunks use INFRA as the native VLAN because that's the host's management VLAN.
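The port table doubles as an audit policy. The Python below is an added example (not a DTC script and not vendor tooling) that encodes the table and checks a constructed port inventory against it, reporting the findings a practitioner actually cares about: an endpoint on an allow-all trunk, a camera landed on CORP, an access port leaking a second VLAN, and a switch uplink that was given a native VLAN. The inventory records and the lowercase device-type keys are constructed for the example.

```python
# Port standard from the table: device type -> (mode, native VLAN, allowed VLANs).
# "ALL" means the trunk carries every VLAN; None means no native VLAN on the trunk.
PORT_STANDARD = {
    "workstation": ("access", "CORP", {"CORP"}),
    "printer": ("access", "CORP", {"CORP"}),
    "phone": ("access", "VOIP", {"VOIP"}),
    "camera": ("access", "CAMERAS", {"CAMERAS"}),
    "nvr": ("access", "CAMERAS", {"CAMERAS"}),
    "hypervisor": ("trunk", "INFRA", "ALL"),
    "nas": ("trunk", "INFRA", "ALL"),
    "switch": ("trunk", None, "ALL"),
    "ap": ("trunk", None, "ALL"),
}


def audit_port(port):
    """Return a list of findings for one port record; an empty list means compliant."""
    std = PORT_STANDARD.get(port["device"])
    if std is None:
        return [f"{port['switch']}/{port['port']}: no standard for device type {port['device']!r}"]
    mode, native, allowed = std
    where = f"{port['switch']}/{port['port']} ({port['device']})"
    findings = []
    if port["mode"] != mode:
        findings.append(f"{where}: mode {port['mode']} should be {mode}")
    if port["native"] != native:
        findings.append(f"{where}: native VLAN {port['native']} should be {native}")
    if allowed == "ALL":
        if port["allowed"] != "ALL":
            findings.append(f"{where}: trunk must allow all VLANs, allows {sorted(port['allowed'])}")
    else:
        # An access port may carry only its own VLAN; anything else is a VLAN-hopping path.
        extra = set(port["allowed"]) - allowed if port["allowed"] != "ALL" else {"ALL"}
        if extra:
            findings.append(f"{where}: access port leaks VLANs {sorted(extra)}; block all but {native}")
    return findings


def audit(ports):
    """Run audit_port over an inventory and flatten the findings."""
    return [f for p in ports for f in audit_port(p)]


# Constructed inventory for the example: two compliant ports and four with problems.
SAMPLE_PORTS = [
    {"switch": "sw1", "port": 1, "device": "workstation", "mode": "access", "native": "CORP", "allowed": {"CORP"}},
    {"switch": "sw1", "port": 2, "device": "phone", "mode": "access", "native": "VOIP", "allowed": {"VOIP"}},
    {"switch": "sw1", "port": 3, "device": "camera", "mode": "access", "native": "CORP", "allowed": {"CORP"}},
    {"switch": "sw1", "port": 4, "device": "workstation", "mode": "trunk", "native": "CORP", "allowed": "ALL"},
    {"switch": "sw1", "port": 5, "device": "printer", "mode": "access", "native": "CORP", "allowed": {"CORP", "VOIP"}},
    {"switch": "sw1", "port": 24, "device": "hypervisor", "mode": "trunk", "native": "INFRA", "allowed": "ALL"},
    {"switch": "sw1", "port": 25, "device": "switch", "mode": "trunk", "native": "CORP", "allowed": "ALL"},
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PORTS):
        print(finding)
```

Feeding this a port export from the controller is the quick way to catch the classic drift: someone moves a workstation to a spare "trunk" port during an office shuffle and that endpoint can now tag itself into INFRA or CAMERAS.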
Wireless Standards
- All APs must be hardwired... no wireless meshing
- Band steering disabled (causes issues with Apple devices)
- All bands enabled: 2.4 GHz, 5 GHz, 6 GHz (if available)
- Extended 5 GHz Spectrum (DFS) enabled
- Channel AI enabled for automatic optimization
Channel Widths:
| Band | Uncrowded | Crowded/Noisy |
|---|---|---|
| 2.4 GHz | 40 MHz | 20 MHz |
| 5 GHz | 160 MHz | 80 MHz |
| 6 GHz | 320 MHz | 160 MHz |
When in doubt, use crowded settings. Most client sites are in shared office buildings.
Guest WiFi: All standard WiFi settings plus multicast/broadcast blocker, multicast-to-unicast, client device isolation, BSS transition. Security: WPA2, PMF disabled.
WAN and Internet
- WAN mode: Failover Only (not load balancing)
- Automatic speed tests: Daily outside business hours
- Flow Control: Disabled (enable only if bandwidth constrained and ISP speeds test well)
- Encrypted DNS: Off (we control DNS at the firewall level)
- Region blocking: Disabled
Firmware and Software Updates
All managed network equipment should be configured for automatic firmware updates outside of business hours. This ensures security patches are applied promptly without requiring manual maintenance windows.
Principles:
- Managed devices (switches, APs, etc.): Auto-update firmware daily outside business hours
- Gateways/firewalls: Auto-update firmware weekly outside business hours (less frequent due to higher impact of reboots)
- All update schedules must be outside client production hours and staggered so they do not fire at the same time
- Vendor-specific schedules and settings are documented in the vendor's book (e.g., Ubiquiti book for UniFi devices)
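A small added Python scheduler (not a vendor feature and not DTC tooling) that shows what "outside business hours and staggered" means in practice: every device draws a unique slot from one sequence, so a weekly gateway reboot can never coincide with a daily switch or AP update, and a validator flags any slot that drifts into production hours or collides with another. The 07:00-19:00 business window, 01:00 first slot, 15-minute spacing and Sunday gateway day are assumed defaults, and the business window is assumed not to cross midnight.

```python
def to_minutes(hhmm):
    """'HH:MM' -> minutes since midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def to_hhmm(minutes):
    minutes %= 24 * 60
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def in_business_hours(minute, business):
    # Assumption: the production window does not cross midnight.
    start, end = (to_minutes(t) for t in business)
    return start <= minute < end


def build_schedule(devices, first_slot="01:00", spacing=15, gateway_day="Sun"):
    """devices: list of (name, kind) with kind "gateway" or "managed".
    Gateways (weekly, highest reboot impact) take the earliest slots; managed
    devices (daily) follow. All draw from one slot sequence, so the weekly job
    can never land on the same time of day as a daily one."""
    ordered = sorted(devices, key=lambda d: 0 if d[1] == "gateway" else 1)
    schedule, slot = {}, to_minutes(first_slot)
    for name, kind in ordered:
        cadence = f"weekly:{gateway_day}" if kind == "gateway" else "daily"
        schedule[name] = {"cadence": cadence, "time": to_hhmm(slot)}
        slot += spacing
    return schedule


def validate(schedule, business=("07:00", "19:00")):
    """Return problems: slots inside production hours, or two jobs sharing one time."""
    problems, seen = [], {}
    for name, job in schedule.items():
        if in_business_hours(to_minutes(job["time"]), business):
            problems.append(f"{name}: {job['time']} falls inside business hours {business[0]}-{business[1]}")
        if job["time"] in seen:
            problems.append(f"{name} and {seen[job['time']]} collide at {job['time']}")
        seen.setdefault(job["time"], name)
    return problems


if __name__ == "__main__":
    devices = [("sw-core", "managed"), ("ap-1", "managed"), ("ap-2", "managed"), ("fw-1", "gateway")]
    plan = build_schedule(devices)
    for name, job in plan.items():
        print(f"{name:<8} {job['cadence']:<11} {job['time']}")
    print("problems:", validate(plan))
```

The validator is the part worth keeping around: a site that grows from four devices to forty silently pushes the last daily slots toward the start of the business day, and nothing in the controller warns about it.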
Physical Infrastructure
- Managed switches required... no unmanaged switches in production
- All APs hardwired with structured cabling
- Cable management and labeling standards per site
- UPS protection for network equipment where possible
Related
- Device Naming Convention... Standardized naming for all device types
- DHCP & DNS... DNS/DHCP architecture, naming conventions, static entries, DHCP options
- Applying Network Best Practices (Ubiquiti)... Vendor-specific implementation of these standards
- Server Networking Standards... Hyper-V host networking, SET teaming, DC VLAN placement
- Internal DNS Zone Management... AD DNS zone configuration on domain controllers
- Firewall Rules & Port Requirements Master Reference... Port and protocol reference