Creating a secure BMS system for your customers: Part 2, network layout

In reality you have three networks you need to concern yourself with, and they will be repeated many times with iterations between them. Believe me it is worth it to look things over with a network engineer before building a network haphazardly and the numbering scheme I’m using here should be a good start.

  1. The data center internal LAN
  2. The VPN virtual network
  3. Site LAN networks

Point 1; this is the LAN side of your main router in your data center. Ideally for security reasons this should be several different subnets and firewalls preventing cross access. Most of this is out of scope for this article but you should at least have a management VLAN where your main router, network switches and hypervisors are accessible from in addition to the multiple VLANs your BMS virtual machines will sit on. Each customer ideally should be on their own VLAN, because if you then grant them some access to these VMs they would have a nice little isolated environment they are in with no ability to reach other customers. I’m using the traditional 192.168.V.D model here. In 192.168.V.D the “V” is the VLAN number and “D” is a device or VM. Whatever you chose here it’s critical it be inside the RFC1918 private IP address range.

Point 2; The VPN virtual network is responsible for transporting information from site to site and to the hub. For the sake of recognition and manageability I’m going to stick with the 10.8.X.Y scheme. The 10.8 scheme itself is mentioned in a lot of OpenVPN documentation and should be recognizable in the industry.

In 10.8.X.Y the “X” will represent our OpenVPN server number. This gives us a limit of 254 OpenVPN servers we can have in this network. In the off case we ever wanted to allow server LAN access from endpoints having this number scheme being unique for each server will be important. We won’t be doing that in this example but if you should need to switch to this you won’t have to visit each site and update your VPN router configuration. Again, whatever you chose here it’s critical it be inside the private IP address range.

In 10.8.X.Y the “Y” will represent our VPN endpoints. In the configuration I use the server itself will grab 10.8.X.1 and you can start numbering your VPN client connections from there.

Point 3; The plan I’m using for site LAN addresses looks like this: 10.A.B.C. Again whatever you chose here it’s critical it be inside the private IP address range.

“A” here represents the OpenVPN server number, only to differentiate it from the above I started numbering with 101 meaning OpenVPN server 1, 102 meaning OpenVPN server 2 etc.

“B” represents the site number; 101 means building 1, 102 = building 2 etc.

“C” is the client VPN router LAN address. On my networks I use .1 as the gateway, I have a DHCP pool set for 50-80 (if we even chose to enable it) and BMS devices start at 101.