Hello everyone,

I’m currently studying Computer Science at university, and we have a network design project where we need to design a network for a school. The scenario involves a school with four buildings located near each other. Each building has its own IDF (Intermediate Distribution Frame), and there are approximately 10 classrooms per building. This is more of a conceptual and creative task, so I’m allowed to make reasonable assumptions (e.g., number of users, devices, etc.). There’s no strict right or wrong answer — the goal is to demonstrate understanding and design thinking.

My current design idea:

  • ISP → Border Router → Firewall → Layer 3 Core Switch → Access Switches in each building.
  • Each building will have its own IDF connected back to the MDF (Main Distribution Frame) via fiber.

I’m trying to meet the following requirements from the project:

  1. There are two types of users: students and staff. They must be in separate broadcast domains, and there should be a solution that prevents students from accessing teachers’ computers.
  2. All users need access to:
  • A file server
  • A print server
  • Email/mailboxes
  • Internet access
  3. The school may also have public-use servers (e.g., web server) that need to be accessible from the internet (public access).

What I’m struggling with:

  1. What type of servers do I need specifically?
  2. Where should these servers be physically and logically placed?
  3. How should the complete topology look?
  4. Where exactly should the firewall be placed? My assumption is right after the Border Router.

I’d really appreciate any help, diagrams, or advice on how to better understand and implement this in a real-world-inspired design.

Thanks in advance!

7 Spice ups

Your project sounds expensive! Ground up builds can be long drawn-out projects. Do you currently have on hand any of the hardware?

1 Spice up

Thanks for your reply! Just to clarify — this is a university project, so it’s purely theoretical. I don’t need to worry about the actual hardware, cost, or implementation timeline. The focus is just on designing the network architecture and layout based on given requirements. It’s more about understanding the concepts than building it in real life.

1 Spice up

I want to leave you some room to figure it all out yourself, so here’s some bread crumbs:

What type of servers do I need specifically?
Most likely several servers virtualized on physical host server(s)

Where should these servers be physically and logically placed?
Probably physically with MDF.
Logically on the network :smiley:
Think of the servers as closer to end-user devices rather than in the network chain

How should the complete topology look?
Think of it as roots of a tree, with your public address(es) starting at the top

Where exactly should the firewall be placed? My assumption is right after the Border Router.
A question that will help you answer this is what’s the difference between a firewall and a router at this size of infrastructure? Are both required? Where would your routers ‘route’ you to?

Some more questions you’d want to answer, may be out of the scope:
Are you using wifi or LAN for staff and student connections?
How much traffic are you expecting? (Is load balancing a worry)
Are data backups important to this project? In reality this is a huge yes
What about battery backups?

Hope this helps

5 Spice ups

This is a great mental exercise and sounds like it would be a fun project if it were real. I feel like much of the requirements can be met at the firewall end or even the layer 3 switch for routing policies & vlans. Web server would need to be placed in a DMZ. For this thought experiment the servers could be physical or virtual. If it were me and I needed redundancy in case a site went down I’d place servers at a minimum of 2 sites, but for this case you could absolutely place them at all 4 sites. What constitutes a border router? Generally, your firewall will also handle routing in most networks.

1 Spice up

Thank you for your response!
I’ve updated my topology according to your suggestions. Now it looks like this:

ISP → Firewall → DMZ (Web Server) → Layer 3 Switch → Internal Servers and Access Switches.

It makes a lot more sense now.

However, I still have one question:
Is there a rule or best practice for where exactly to place internal servers?
For example, can I connect servers directly to the core switch, or even to some access switches if it’s more convenient? I’ve seen both approaches and I’m unsure when one is preferred over the other.

Also, the school has a connection to the ISP with 5 public IP addresses, and I’m not completely sure how or where to use them. My assumption is that the firewall or border router would use NAT to translate from public to private addresses – is that correct? Would I assign public IPs directly to the web server in the DMZ, or are they always handled by NAT on the firewall?

If you know any good resources (videos, books, tutorials) to learn networking topology, server roles, and design practices, I’d be really grateful. I want to understand this properly, not just complete the assignment. Any clarification would be greatly appreciated!

1 Spice up

Generally, I’ve seen servers either connected directly to the core switch or their own access switch. For the public IP addresses, one is most likely the going to be for the WAN of your network for configuring site to site VPN access, and one for the web server. I haven’t dealt too much with web servers, but my understanding is that NAT will be handled by the firewall.

3 Spice ups

Your design and ideas are in line with standard practice.
Here are some thoughts/comments to assist.

5 ISP IPs will exist between router and firewall. Firewall should perform NAT. It can use a unique IP for inbound services such as the webserver.

You can use vlans for logical separation - my picture shows the logical layout of DMZ vs internal network (green core & access) but really you can use vlans.

This means a student vlan and a staff vlan. In reality it probably needs multiples of these, maybe per building - but keep it simple and just have one of each unless this is a big design project, then specify one of each per building.
If using a layer 3 core switch then this will be the router for each of those vlans and an ACL needed to isolate from the other. DMZ vlan should be layer 2 to firewall. Internal network (staff/users) needs to be routed to firewall.

Is this a network centric project? i.e. they expect firewalling solution to stop students accessing staff computers
Or is it an overall IT infrastructure project which will include access control (logons and permissions) to implement the control on accessing computers etc?
Knowing this leads to different answers - or combining both.

  1. Servers - if you are designing the entire infrastructure service then it needs to include directory services, file services, print, management and monitoring
  2. Physically what would you do? Just put them anywhere or a specific place appropriate for them? Logically the web server in a DMZ, most internal servers on the internal network

2 Spice ups

Be sure to design it for scalability. Assume that at some point, this school will want to add things like security cameras, door access controls, phones, paging systems, environmental control, and other campus infrastructure systems that could be IP-based rather than the traditional isolated systems they once were.

Also remember to consider power redundancy and high availability. If a malicious actor enters the school, you don’t want them to cut the power in the mechanical room and have your network – including phones, cameras, access controls, and paging – go down! In a lockdown situation, that stuff becomes critical infrastructure.

1 Spice up

Yeah, like @Jonathan-Johnson was saying - consider redundancy and availability when deciding “where” to put things physically that can technically go anywhere (from a network perspective). In the real world, my first consideration is how I can keep various services running if this part of the building goes down, or that ISP has an outage, or there is a fire in this server room over here, etc…

This often means having duplicates of things in physically distinct areas that are configured to failover to the other, or share traffic. A big problem can be only having one ISP - you really actually want two, whose infrastructure is entering your property in a different location (so a backhoe cutting a line won’t cut both your ISPs lines). Sometimes a wired and a wireless ISP provider can be a good duo if the wireless ISP can provide enough bandwidth to keep things running during the wired’s outage.

1 Spice up

> ISP → Border Router → Firewall → Layer 3 Core Switch → Access Switches in each building.

This is pretty close. I would just add distribution layer between core and access. You could do a collapsed core here where you do Core/Dis layer → Access but there is not a generally recommended architecture with only core and access layer. See below

> 1. What type of servers do I need specifically?

No wrong or right answer, but dell servers are what we run. You could suggest 1 beefy server and use a hypervisor to virtualize and then run your file/print/email server like that. You could also buy one dedicated server for each. Depends on budget, etc. These days most tend to virtualize. You could also go full cloud and run a VPN from local network to cloud! The possibilities are endless.

> Where should these servers be physically and logically placed?

Physically depends on above. If you go with cloud services, then someone else’s datacenter. Locally, then in your datacenter, server room, closet, wherever.

> How should the complete topology look?

Look into a 3 tier architecture. You will have a core, distribution, and access layer. Jeremy’s IT lab has some good videos on this in his CCNA course. It might give you a few ideas for design as well, he has visual examples.

Core - Layer 3 only. Super fast for routing traffic - Aggregates distribution layer
Distribution - Aggregates layer 2, boundaries between layer 2 and 3 (OSPF, EIGRP etc)
Access - Layer 2, VLANS, STP, etc are typically here

> Where exactly should the firewall be placed? My assumption is right after the Border Router

This also depends on architecture. For example, if you have redundant ISP connections you might want to have it directly behind the ISP routers so you do not have to have a firewall in front of each ISP router (usually this would force you to have 4 firewall appliances because you want to have HA in each stack) but putting it behind the edge router would only require you to have 2 for HA.

As far as the requirements go,

  1. There are two types of users: students and staff. They must be in separate broadcast domains, and there should be a solution that prevents students from accessing teachers’ computers.

This is talking about VLANs.

  2. All users need access to:
  • A file server
  • A print server
  • Email/mailboxes
  • Internet access

Look at trunking (tagging). Architecture could play in here. ACLs or maybe firewall rules? You can do security in a bazillion different ways. I would recommend looking up best practices and looking at a multilayer security approach.

  3. The school may also have public-use servers (e.g., web server) that need to be accessible from the internet (public access).

Also look at VLANs for keeping traffic separate at layer 2; at layer 3 look into subnetting and ACLs.

EDIT: Spelling mistakes lol. Also welcome to the community!!

2 Spice ups
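A constructed core-switch configuration tying together the layout described in the two replies above (staff and student VLANs routed on the Layer 3 core with an ACL between them, the DMZ VLAN kept at Layer 2 toward the firewall, and a trunk down to a building IDF). This is an added example, not any poster's configuration; the Cisco IOS-style syntax, VLAN numbers, addresses and port names are all assumptions.

```cisco
! Constructed example: Layer 3 core switch, Cisco IOS-style syntax assumed; all values made up
ip routing
!
vlan 10
 name STAFF
vlan 20
 name STUDENTS
vlan 30
 name SERVERS
vlan 99
 name DMZ
!
! One SVI per user VLAN: separate broadcast domains, routed between by the core
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group STUDENT-IN in
!
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
!
! Filter applied to traffic entering the core from the student VLAN
ip access-list extended STUDENT-IN
 remark shared file/print/mail/directory servers stay reachable
 permit ip 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255
 remark allow replies to TCP sessions that staff opened toward students
 permit tcp 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 established
 remark students may not open connections to staff computers
 deny ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
 remark everything else (Internet) continues to the firewall
 permit ip 10.1.20.0 0.0.0.255 any
!
! Routed uplink to the firewall's inside interface; the firewall does the NAT
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.1.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.0.2
!
! DMZ VLAN has no SVI: it is bridged straight to the firewall's DMZ port
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 99
!
! Trunk to a building IDF access switch, carrying only the user VLANs
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

The ACL is stateless, so the established line only helps TCP; if staff need UDP or ICMP replies from student PCs, or you want per-session logging, a stateful firewall between the two VLANs is the cleaner control.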

You should be able to find various types of network layouts online. Knowing how to do that is an important skill. There are several different reference campus switching topologies.

For a network layout, we usually just drop an icon on the diagram that represents a server. It doesn’t matter the brand or if it is physical or virtual. You might just say email server, and put it in the correct physical and or logical location.