Content found in this wiki may not reflect official Church information. See Terms of Use for more information.

Temple Network Zones

From TechWiki

Each Temple network includes 10 standard zones (subnets):

  1. Four internal subnets with unique IP addresses that are allocated from designated supernets.
  2. Two subnets that have Port Address Translation (PAT) enabled so that they can reach specific internal resources.
  3. Four subnets that are not routed internally (hereafter referred to as "external"), have no VPN access, and use repeated IP address space.

The seven standard internal subnets are:

  1. Management
  2. Workforce
  3. Voice
  4. IoT
  5. Facility
  6. PCI
  7. Server

The three external subnets are:

  1. Guest
  2. Local
  3. Tenant

Further details about each subnet (VLAN ID, Name, IP Address, Subnet size, and some usage info) are given below.

Management Subnet

The Management subnet provides access to the management interfaces on network hardware. No user devices should be placed on the Management subnet, only network hardware. The management interface is internet facing; local firewall rules prevent access to or from the other local subnets. There is limited VPN access through a NAT VPN so that network devices can communicate with ISE servers for user authentication to the network where applicable; this is heavily leveraged for 802.1X authentication of wireless users. A repeated /23 address block is used for the subnet. The subnet use type for the Management subnet is 'Network'.

Workforce Subnet

The Workforce subnet should be used for any standard workforce users, unless they are physically connected inside a Temple. This includes all workforce-enabled personnel in MTCs, Area Offices, grounds support, Service Centers, etc. ONLY users with workforce accounts should be on the Workforce subnet. The Workforce zone uses repeated address space, 192.168.18.0/23, for all networks; because the same block exists at every site, it is not reachable across the site-to-site VPN. Users who need to access servers or any other devices hosted at other field sites will need to use the GlobalProtect VPN client. Sites for which a /23 Workforce block is not large enough will need special consideration and may not be a good fit for the Workforce Office 8.0 design. The subnet use type for the Workforce subnet is 'Client'.
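The split between "unique" zones (allocated from a designated supernet and routable site-to-site) and "repeated" zones (the same block at every site, reachable only through the client VPN) is the kind of thing that drifts as sites are added. The following is an added example, not part of the original page or the network team's tooling: a small Python check that validates a multi-site plan against those two rules and lists which prefixes each site may advertise into the site-to-site VPN. The repeated Workforce block 192.168.18.0/23 is taken from the page; the supernet 10.0.0.0/8, the choice of which zones count as unique, and the per-site allocations are constructed for illustration.

```python
"""Check a multi-site address plan against the zone model above.

Added example, not from the original page. The page gives only the
repeated Workforce block (192.168.18.0/23) and the zone sizes; the
supernet 10.0.0.0/8, the set of zones treated as "unique", and the
per-site allocations below are constructed for illustration.
"""
from ipaddress import ip_network

SUPERNET = ip_network("10.0.0.0/8")  # assumed designated supernet for unique zones

# Zones that reuse the same block at every site (not routable between sites).
REPEATED_ZONES = {"Workforce": ip_network("192.168.18.0/23")}  # block from the page

# Constructed sample plan: site -> zone -> CIDR. Two deliberate mistakes are
# planted: site-b reuses site-a's Utility block, and site-c strays from the
# repeated Workforce block and allocates Voice outside the supernet.
SITES = {
    "site-a": {"Workforce": "192.168.18.0/23", "Voice": "10.10.1.0/25", "Utility": "10.10.1.128/26"},
    "site-b": {"Workforce": "192.168.18.0/23", "Voice": "10.10.2.0/25", "Utility": "10.10.1.128/26"},
    "site-c": {"Workforce": "192.168.20.0/23", "Voice": "172.16.5.0/24", "Utility": "10.10.3.0/26"},
}


def check_plan(sites):
    """Return a list of human-readable problems; an empty list means the plan is clean."""
    problems = []
    allocated = []  # (site, zone, network) for every unique-zone block seen so far
    for site, zones in sites.items():
        for zone, cidr in zones.items():
            net = ip_network(cidr)
            if zone in REPEATED_ZONES:
                # Repeated zones must be identical everywhere; a per-site variation
                # would silently become routable and break the design assumption.
                if net != REPEATED_ZONES[zone]:
                    problems.append(f"{site}/{zone}: expected repeated block "
                                    f"{REPEATED_ZONES[zone]}, got {net}")
                continue
            # Unique zones must be carved from the designated supernet ...
            if not net.subnet_of(SUPERNET):
                problems.append(f"{site}/{zone}: {net} is not inside supernet {SUPERNET}")
            # ... and must not collide with any other site's unique block, or
            # site-to-site VPN routing between those two sites breaks.
            for other_site, other_zone, other_net in allocated:
                if net.overlaps(other_net):
                    problems.append(f"{site}/{zone}: {net} overlaps "
                                    f"{other_site}/{other_zone} {other_net}")
            allocated.append((site, zone, net))
    return problems


def vpn_prefixes(sites):
    """Prefixes eligible for the site-to-site VPN: unique zones only.

    Repeated blocks are excluded because the same prefix exists at every
    spoke; users reach those hosts with the remote-access VPN client instead.
    """
    return {site: sorted(str(ip_network(c)) for z, c in zones.items() if z not in REPEATED_ZONES)
            for site, zones in sites.items()}


if __name__ == "__main__":
    for p in check_plan(SITES):
        print("PROBLEM:", p)
    for site, prefixes in vpn_prefixes(SITES).items():
        print(site, "advertises", prefixes)
```

Run as-is it reports the three planted problems and shows that no site ever advertises the Workforce block. Feeding it the real allocation table before a new site is turned up catches the overlap that would otherwise only appear as a one-way route at the hub.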

Voice Subnet

The Voice subnet should only be used by devices that are part of the Voice solution for the site. The Voice VLAN should be assigned on all access switch ports. There are some devices, e.g. conferencing systems or integrated door camera/phone devices, that need to be connected to access ports specifically assigned to the Voice VLAN. Most sites will have a /25 address block allocated, while large sites will have a /24. Split tunnel VPN will be enabled on the Voice VLAN. Local firewall rules will allow traffic between the Voice and Workforce subnets, but the Voice subnet is isolated from all other local subnets. The site-to-site VPN firewall rules will allow traffic between Voice VLANs at other spokes. The subnet use type for Voice is 'Voice'.

IoT Subnet

The IoT subnet should be used for devices that belong to cloud-managed systems and do not need to be accessed directly by users, except for very occasional administrative access (users would need to connect to the IoT VLAN to reach such devices). Devices in the IoT subnet cannot be managed remotely from within the church network. Local firewall rules, applied by the security appliance, block access to the IoT subnet from all other subnets. Local firewall rules also block all access to RFC 1918 space from the IoT subnet. The IoT subnet has no VPN access. The subnet use type for IoT is 'Server'.

Utility Subnet

The Utility subnet is used primarily for IoT devices that are part of the building management systems. Many sites include a BMS (building management system) that should also be part of the Utility subnet. Other devices include, but are not limited to, JACE (Java Application Control Engine) units, web-based thermostats, and sprinkler controllers. Devices that are not dedicated to building systems should not be added to the Utility subnet. Devices on the Utility subnet differ from those on the IoT subnet in that they do need to be accessed regularly or remotely for administration. Devices and systems placed on the Utility subnet need to be approved for use on Utility subnets. Each site is allocated a /26 subnet for the Utility zone. The Utility subnet has full tunnel VPN enabled.

Guest Subnet

The Guest subnet should be used for all unknown, public, or non-specific use cases. It is primarily used for patron housing, missionary housing, and Guest wireless at office sites. Anything that does not belong in any other subnet but needs internet access should be added to this subnet. This subnet is isolated from the rest of the network by layer three firewall rules. It uses a repeated IP address block and should not be included in the VPN tunnels.
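The Voice, IoT and Guest sections above each describe a set of local layer three firewall rules (Voice reachable only from Workforce, nothing into IoT and nothing from IoT into RFC 1918 space, Guest isolated from everything internal). Those rules are evaluated first-match on the security appliance, so the order in which they are entered decides the outcome. The following is an added example, not code from the original page or from the appliance vendor: it writes the three rule sets as dicts using the field names of Meraki MX L3 firewall rule objects (policy/srcCidr/destCidr/comment), evaluates sample flows against them locally, and shows what happens when the Workforce-to-Voice allow is accidentally placed below the Voice isolation denies. The Workforce block 192.168.18.0/23 is from the page; the Voice, IoT and Guest addresses, the sample flows, and the "allow any" default at the bottom are constructed assumptions.

```python
"""First-match evaluation of the local L3 rules described for Voice, IoT and Guest.

Added example, not from the original page or the vendor. Rules use the
field names of Meraki MX L3 firewall rule objects but are evaluated here
in Python; nothing is sent to a dashboard. The page gives only the
Workforce block; the other addresses and the flows are constructed.
"""
from ipaddress import ip_address, ip_network

WORKFORCE = "192.168.18.0/23"   # from the page (repeated at every site)
VOICE = "10.10.1.0/25"          # assumed /25 Voice block
IOT = "10.10.2.0/24"            # assumed IoT block
GUEST = "172.31.0.0/22"         # assumed repeated Guest block
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ZONES = {"Workforce": WORKFORCE, "Voice": VOICE, "IoT": IOT, "Guest": GUEST}


def rule(policy, src, dst, comment):
    """One L3 rule in the MX object layout (any protocol, any port)."""
    return {"policy": policy, "protocol": "any", "srcCidr": src, "srcPort": "Any",
            "destCidr": dst, "destPort": "Any", "comment": comment}


# Order matters: the first matching rule wins, so the Voice<->Workforce
# allows must sit above the Voice isolation denies.
RULES = [
    rule("allow", VOICE, WORKFORCE, "Voice -> Workforce"),
    rule("allow", WORKFORCE, VOICE, "Workforce -> Voice"),
    *[rule("deny", VOICE, p, "Voice isolated from other local subnets") for p in RFC1918],
    *[rule("deny", p, VOICE, "Voice isolated from other local subnets") for p in RFC1918],
    rule("deny", "Any", IOT, "No access into IoT from any subnet"),
    *[rule("deny", IOT, p, "IoT may not reach RFC 1918 space") for p in RFC1918],
    *[rule("deny", GUEST, p, "Guest isolated from internal space") for p in RFC1918],
    *[rule("deny", p, GUEST, "Guest isolated from internal space") for p in RFC1918],
    rule("allow", "Any", "Any", "Default: internet-bound traffic (assumed bottom rule)"),
]


def zone_of(addr):
    """Name of the local zone an address falls in, or 'Internet'."""
    for name, cidr in ZONES.items():
        if ip_address(addr) in ip_network(cidr):
            return name
    return "Internet"


def _matches(cidr, addr):
    return cidr == "Any" or ip_address(addr) in ip_network(cidr)


def evaluate(rules, src, dst):
    """Return (policy, comment) for a src -> dst flow under first-match semantics."""
    # Hosts in the same subnet talk over the switch; the L3 rules never see that traffic.
    if zone_of(src) == zone_of(dst) and zone_of(src) != "Internet":
        return "n/a", "same-subnet traffic never reaches the L3 firewall"
    for r in rules:
        if _matches(r["srcCidr"], src) and _matches(r["destCidr"], dst):
            return r["policy"], r["comment"]
    return "allow", "no rule matched"   # unreachable while the explicit default rule exists


# Constructed sample flows (src, dst) covering each relationship the page describes.
FLOWS = [
    ("192.168.18.10", "10.10.1.5"),   # Workforce -> Voice: allowed
    ("10.10.2.7", "192.168.18.10"),   # IoT -> Workforce: denied (RFC 1918)
    ("192.168.18.10", "10.10.2.7"),   # Workforce -> IoT: denied (nothing into IoT)
    ("10.10.2.7", "8.8.8.8"),         # IoT -> internet: allowed (cloud management)
    ("172.31.0.9", "192.168.18.10"),  # Guest -> Workforce: denied
    ("10.10.1.5", "10.10.2.7"),       # Voice -> IoT: denied (Voice isolated)
    ("10.10.1.5", "10.10.1.20"),      # Voice -> Voice: not filtered at L3
]


def audit(rules, flows):
    """Tabulate every flow as (src, dst, src zone, dst zone, policy, reason)."""
    return [(s, d, zone_of(s), zone_of(d), *evaluate(rules, s, d)) for s, d in flows]


if __name__ == "__main__":
    for row in audit(RULES, FLOWS):
        print("{:<15} -> {:<15} {:>9} -> {:<9} {:<5} {}".format(*row))
    # Demonstrate the ordering pitfall: push the two allows below the denies.
    reordered = RULES[2:] + RULES[:2]
    print("Workforce -> Voice with allows moved down:", evaluate(reordered, "192.168.18.10", "10.10.1.5"))
```

The reordering at the end is the check worth keeping: with the allows below the `RFC 1918 -> Voice` denies, Workforce-to-Voice flips from allow to deny even though every individual rule is still present. When reviewing a site's rule set, walk the intended flows through it in order rather than reading the rules as a set.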

Local Subnet

Non-public/Guest users who are not employees (e.g. missionaries) should be placed on the Local zone. It is a single subnet that should be shared by mission offices, Visitors' Centers, and other non-workforce entities that exist at a site. It should be used to provide segmentation from the Public/Guest zones and should not include patron housing or guest wireless.

Tenant Subnet

In some cases we may need to support other Meraki or non-Meraki networks by acting as an ISP. The most common use cases are DSD stores or meetinghouses that exist at a site. In order to provide CNM management of the meetinghouse network, it is necessary to include a firewall, switch, and APs that are separate from the WFO network. The Tenant subnet should be used only to provide internet access to other firewalls or ISRs. No end user devices, IoT devices, management interfaces, or loopback interfaces should be placed on the Tenant subnet.