np-dms/lcbp3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

690427:0812 Update Infras #01
CI / CD Pipeline / build (push) Successful in 5m51s
Details
CI / CD Pipeline / deploy (push) Successful in 2m9s
Details

Browse Source
This commit is contained in:
admin
2026-04-27 08:12:28 +07:00
parent 9384581aee
commit a57fef4d44
68 changed files with 9750 additions and 468 deletions
Download Patch File Download Diff File Expand all files Collapse all files
specs/02-architecture/02-03-network-design.md
+273 -22
View File
@@ -3,10 +3,10 @@
---
title: 'Network Design & Security'
version: 1.8.0
version: 1.8.2
status: first-draft
owner: Nattanin Peancharoen
last_updated: 2026-02-23
last_updated: 2026-04-23
related:
- specs/02-Architecture/00-01-system-context.md
@@ -16,11 +16,11 @@ related:
## 1. 🌐 Network Segmentation (VLANs) และหลักการ Zero Trust
ระบบ LCBP3-DMS จัดแบ่งเครือข่ายออกเป็นเครือข่ายย่อย (VLANs) เพื่อการควบคุมการเข้าถึง (Access Control) ตามหลักการ Zero Trust โดยใช้อุปกรณ์ Network ของ Omada (ER7206 Router & SG2428P Core Switch) และ Switch ต่างๆ ในเครือข่าย
ระบบ LCBP3-DMS จัดแบ่งเครือข่ายออกเป็นเครือข่ายย่อย (VLANs) เพื่อการควบคุมการเข้าถึง (Access Control) ตามหลักการ Zero Trust โดยใช้อุปกรณ์ Network ของ Omada (ER7206 Router & SG3210X-M2 Core Switch) และ Switch ต่างๆ ในเครือข่าย
| VLAN ID | Name | Purpose | Subnet | Gateway | Notes |
| ------- | -------------- | ----------------------- | --------------- | ------------ | ---------------------------------------------------- |
| 10 | SERVER | Server & Storage | 192.168.10.0/24 | 192.168.10.1 | Servers (QNAP, ASUSTOR). Static IPs ONLY. |
| 10 | SERVER | Server & Storage | 192.168.10.0/24 | 192.168.10.1 | Servers (QNAP, ASUSTOR, Zyxel NAS326). Static IPs ONLY. |
| 20 | MGMT (Default) | Management & Admin | 192.168.20.0/24 | 192.168.20.1 | Network devices (ER7206, OC200, Switches), Admin PC. |
| 30 | USER | User Devices | 192.168.30.0/24 | 192.168.30.1 | Staff PC, Notebooks, Wi-Fi. |
| 40 | CCTV | Surveillance | 192.168.40.0/24 | 192.168.40.1 | Cameras, NVR. Isolated. |
@@ -81,36 +81,42 @@ flowchart TB
```mermaid
graph TB
subgraph Internet
WAN[("🌐 Internet<br/>WAN")]
WAN[("Internet<br/>WAN")]
end
subgraph Router["ER7206 Router"]
R[("🔲 ER7206<br/>192.168.20.1")]
R[("ER7206<br/>192.168.20.1")]
end
subgraph CoreSwitch["SG2428P Core Switch"]
CS[("🔲 SG2428P<br/>192.168.20.2")]
subgraph CoreSwitch["SG3210X-M2 Core Switch"]
CS[("SG3210X-M2<br/>192.168.20.4")]
end
subgraph ServerSwitch["AMPCOM 2.5G Switch"]
SS[("🔲 AMPCOM<br/>192.168.20.3")]
subgraph DistSwitch["SG2428P Distribution Switch"]
DS[("SG2428P<br/>192.168.20.2")]
end
subgraph Servers["VLAN 10 - Servers"]
QNAP[("💾 QNAP<br/>192.168.10.8")]
ASUSTOR[("💾 ASUSTOR<br/>192.168.10.9")]
QNAP[(" QNAP<br/>192.168.10.8")]
ASUSTOR[(" ASUSTOR<br/>192.168.10.9")]
Zyxel[(" Zyxel NAS326<br/>192.168.10.111")]
end
subgraph AccessPoints["EAP610 x16"]
AP[("📶 WiFi APs")]
AP[(" WiFi APs")]
end
WAN --> R
R -->|Port 3| CS
CS -->|LAG Port 3-4| SS
SS -->|Port 3-4 LACP| QNAP
SS -->|Port 5-6 LACP| ASUSTOR
CS -->|Port 5-20| AP
subgraph AdminPC["Admin Desktop"]
PC[(" Admin PC<br/>192.168.20.100")]
end
WAN -->|Port 2| R
R -->|SFP Port 1| CS
CS -->|SFP+ Port 9| DS
CS -->|Port 3-4 LACP| QNAP
CS -->|Port 5-6 LACP| ASUSTOR
CS -->|Port 8| PC
DS -->|Port 1-16| AP
```
### 3.1 Switch Profiles & Interfaces
@@ -123,13 +129,258 @@ graph TB
- **06_AP_TRUNK:** EAP610 Access Points (Native: 20, Tagged: 30, 70)
- **07_VOICE_ACCESS:** IP Phones (Native: 30, Tagged: 50, Untagged: 30)
### 3.2 NAS NIC Bonding Configuration
### 3.2 Detailed Port Configuration
#### 3.2.1 TP-Link ER7206 (Router)
- **1× Gigabit SFP WAN/LAN port + 5× Gigabit RJ45 ports (1× WAN, 4× WAN/LAN)**
- SFP Port 1 WAN/LAN -> SG3210X-M2 Port 10 SFP+
- Port 2 WAN port uplink Internet
#### 3.2.2 TP-Link SG3210X-M2 (Core Switch)
- **8-Port 2.5Gbps + 2-Port 10G SFP+ Slots**
- Port 1&2 (Active LACP) -> Reserved
- Port 3&4 (Active LACP) -> QNAP 192.168.10.8
- Port 5&6 (Active LACP) -> ASUSTOR 192.168.10.9
- Port 7 Reserved
- Port 8 -> Admin Desktop (192.168.20.100)
- SFP+ Port 9 -> SG2428P (192.168.20.2) Port 28
- SFP+ Port 10 uplink ER7206 (192.168.20.1) Port 1
#### 3.2.3 TP-Link SG2428P (Distribution Switch)
- **24× 10/100/1000 Mbps RJ45 Ports + 4× Gigabit SFP Slots**
- Port 1-16 -> EAP610 (16 Access Points)
- Port 17 Reserved for TP-07 (LAN port)
- Port 18 TP-08 (LAN port)
- Port 19 -> TL-SG1210P Port 9 (Voice Switch)
- Port 20 Reserved
- Port 21 TP-11 (LAN port)
- Port 22 Reserved
- Port 23 -> Printer
- Port 24 uplink OC200
- SFP Port 25 Reserved
- SFP Port 26 -> TL-SL1226P SFP
- SFP Port 27 Reserved
- SFP Port 28 uplink SG3210X-M2 SFP+
#### 3.2.4 TP-Link TL-SL1226P (CCTV Switch)
- **24× PoE+ 10/100 Mbps RJ45 ports, 2× Gigabit RJ45 ports, and 2× combo Gigabit SFP**
- Port 1-6 -> CCTV (6 cameras)
- 1000 Mbps Port 25 -> NVR
- SFP Port 26 uplink SG2428P Port 26
#### 3.2.5 TP-Link TL-SG1210P (Voice Switch)
- **9 Port 10/100/1000Mbps RJ45 ports, 1 Gigabit SFP port**
- Port 1-8 -> IP Phone (TP-01 to TP-06, TP-09, TP-10)
- Port 9 uplink SG2428P Port 19
- SFP Port 10 Reserved
### 3.3 VLAN Assignment Table
#### 3.3.1 SG3210X-M2 (Core Switch)
| Port | Connection | VLAN Mode | Native VLAN | Tagged VLANs | Profile |
|------|------------|-----------|-------------|--------------|---------|
| 1-2 | Reserved (LACP) | Trunk | 20 | 10,20,30,40,50,60,70 | 01_CORE_TRUNK |
| 3-4 | QNAP (LACP) | Access | 10 | - | 03_SERVER_ACCESS |
| 5-6 | ASUSTOR (LACP) | Access | 10 | - | 03_SERVER_ACCESS |
| 7 | Reserved | - | - | - | - |
| 8 | Admin Desktop | Access | 20 | - | 02_MGMT_ONLY |
| 9 (SFP+) | SG2428P | Trunk | 20 | 10,20,30,40,50,70 | 01_CORE_TRUNK |
| 10 (SFP+) | ER7206 | Trunk | 20 | 10,20,30,40,50,70 | 01_CORE_TRUNK |
#### 3.3.2 SG2428P (Distribution Switch)
| Port | Connection | VLAN Mode | Native VLAN | Tagged VLANs | Profile |
|------|------------|-----------|-------------|--------------|---------|
| 1-16 | EAP610 APs | Trunk | 20 | 30,70 | 06_AP_TRUNK |
| 17 | TP-07 (LAN) | Access | 30 | - | 05_USER_ACCESS |
| 18 | TP-08 (LAN) | Access | 30 | - | 05_USER_ACCESS |
| 19 | TL-SG1210P | Trunk | 30 | 50 | 07_VOICE_ACCESS |
| 20 | Reserved | - | - | - | - |
| 21 | TP-11 (LAN) | Access | 30 | - | 05_USER_ACCESS |
| 22 | Reserved | - | - | - | - |
| 23 | Printer | Access | 30 | - | 05_USER_ACCESS |
| 24 | OC200 | Access | 20 | - | 02_MGMT_ONLY |
| 25 (SFP) | Reserved | - | - | - | - |
| 26 (SFP) | TL-SL1226P | Trunk | 20 | 40 | 04_CCTV_ACCESS |
| 27 (SFP) | Reserved | - | - | - | - |
| 28 (SFP) | SG3210X-M2 | Trunk | 20 | 10,20,30,40,50,70 | 01_CORE_TRUNK |
#### 3.3.3 TL-SL1226P (CCTV Switch)
| Port | Connection | VLAN Mode | Native VLAN | Tagged VLANs | Profile |
|------|------------|-----------|-------------|--------------|---------|
| 1-6 | CCTV Cameras | Access | 40 | - | 04_CCTV_ACCESS |
| 7-24 | Reserved | - | - | - | - |
| 25 | NVR | Access | 40 | - | 04_CCTV_ACCESS |
| 26 | SG2428P | Trunk | 20 | 40 | 04_CCTV_ACCESS |
#### 3.3.4 TL-SG1210P (Voice Switch)
| Port | Connection | VLAN Mode | Native VLAN | Tagged VLANs | Profile |
|------|------------|-----------|-------------|--------------|---------|
| 1-8 | IP Phone + PC Passthrough | Trunk | 30 (Data) | 50 (Voice) | 07_VOICE_ACCESS |
| 9 | SG2428P | Trunk | 30 | 50 | 07_VOICE_ACCESS |
| 10 (SFP) | Reserved | - | - | - | - |
**Note:** IP Phone ports support PC passthrough - Native VLAN 30 for PC data, Tagged VLAN 50 for VoIP traffic.
### 3.4 NAS NIC Bonding Configuration
| Device | Bonding Mode | Member Ports | VLAN Mode | Tagged VLAN | IP Address | Gateway | Notes |
| ------- | ------------------- | ------------ | --------- | ----------- | --------------- | ------------ | ---------------------- |
| QNAP | IEEE 802.3ad (LACP) | Adapter 1, 2 | Untagged | 10 (SERVER) | 192.168.10.8/24 | 192.168.10.1 | Primary NAS for DMS |
| ASUSTOR | IEEE 802.3ad (LACP) | Port 1, 2 | Untagged | 10 (SERVER) | 192.168.10.9/24 | 192.168.10.1 | Backup / Secondary NAS |
### 3.5 PoE Budget & Power Consumption
#### 3.5.1 SG2428P (Distribution Switch)
| Specification | Value |
|---------------|-------|
| Total PoE Budget | 370W |
| PoE Standard | IEEE 802.3at (PoE+) |
| PoE Ports | 1-16 (RJ45), 25-26 (SFP) |
**Power Consumption Estimate:**
| Device | Quantity | Power per Device | Total Power | Port Assignment |
|--------|----------|-----------------|-------------|----------------|
| EAP610 Access Point | 16 | ~12.95W | ~207W | Port 1-16 |
| TL-SL1226P Uplink | 1 | ~15W | ~15W | Port 26 (SFP) |
| **Total Used** | - | - | **~222W** | - |
| **Available** | - | - | **148W** | - |
| **Utilization** | - | - | **60%** | - |
#### 3.5.2 TL-SL1226P (CCTV Switch)
| Specification | Value |
|---------------|-------|
| Total PoE Budget | 195W |
| PoE Standard | IEEE 802.3at (PoE+) |
| PoE Ports | 1-24 (RJ45) |
**Power Consumption Estimate:**
| Device | Quantity | Power per Device | Total Power | Port Assignment |
|--------|----------|-----------------|-------------|----------------|
| CCTV Camera | 6 | ~8W | ~48W | Port 1-6 |
| NVR (Non-PoE) | 1 | 0W | 0W | Port 25 (1000Mbps) |
| **Total Used** | - | - | **48W** | - |
| **Available** | - | - | **147W** | - |
| **Utilization** | - | - | **25%** | - |
> [!NOTE]
> PoE budget has sufficient headroom for future expansion. SG2428P can support additional ~12 APs, TL-SL1226P can support additional ~12 cameras.
### 3.6 Cable Specifications
| Link Type | Cable Category | Max Distance | Application |
|-----------|----------------|--------------|-------------|
| 10Gbps Uplinks (SFP+) | Cat6a / Cat7 | 100m | SG3210X-M2 ↔ SG2428P, ER7206 ↔ SG3210X-M2 |
| 2.5Gbps Server Links | Cat6 | 100m | SG3210X-M2 ↔ QNAP/ASUSTOR (LACP) |
| 1Gbps Standard Links | Cat5e / Cat6 | 100m | All other RJ45 connections |
| IP Phone Passthrough | Cat5e / Cat6 | 100m | IP Phone + PC connections |
**Cable Color Coding:**
- **Blue:** Uplink/Trunk links (SFP+, LACP)
- **Green:** Server connections (VLAN 10)
- **Yellow:** Management connections (VLAN 20)
- **Red:** CCTV/Voice connections (VLAN 40, 50)
- **Orange:** User connections (VLAN 30)
### 3.7 QoS (Quality of Service) Settings
#### 3.7.1 Priority Levels (DSCP)
| Priority | DSCP Value | Traffic Type | Application |
|----------|------------|--------------|-------------|
| Highest (7) | EF (46) | Voice (SIP/RTP) | IP Phones (VLAN 50) |
| High (6) | AF41 (34) | Video Surveillance | CCTV Cameras (VLAN 40) |
| Medium (5) | AF31 (26) | Critical Applications | DMS Backend, Database |
| Low (4) | AF21 (18) | Best Effort | Web browsing, Email |
| Lowest (0) | CS0 (0) | Background | File downloads, Updates |
#### 3.7.2 QoS Configuration per Switch
**SG3210X-M2 (Core Switch):**
- Enable QoS globally
- Trust DSCP on all trunk ports
- Prioritize Voice (VLAN 50) and Video (VLAN 40) traffic
- Rate limit Guest VLAN (70) to 10Mbps per client
**SG2428P (Distribution Switch):**
- Enable QoS globally
- Trust DSCP on uplink ports (SFP+ 28, RJ45 19)
- Map VLAN 50 to Queue 7 (Highest)
- Map VLAN 40 to Queue 6 (High)
- Map VLAN 10 to Queue 5 (Medium)
**TL-SL1226P (CCTV Switch):**
- Enable QoS globally
- Map all CCTV ports to Queue 6 (High)
- Ensure NVR traffic has priority
**TL-SG1210P (Voice Switch):**
- Enable QoS globally
- Map VLAN 50 to Queue 7 (Highest)
- Map VLAN 30 to Queue 4 (Low - for PC data)
- Enable LLDP-MED for IP Phone power negotiation
### 3.8 Redundancy Planning & Network Resilience
#### 3.8.1 Critical Links Redundancy
| Critical Path | Primary Link | Backup Link | Failover Time | Implementation Status |
|---------------|--------------|-------------|---------------|-----------------------|
| Internet Access | ER7206 WAN Port 2 | 4G/LTE Backup | < 30s | Planned (Q3 2026) |
| Core Switch Connectivity | SG3210X-M2 SFP+ Port 9-10 | SG3210X-M2 Port 1-2 (LACP) | < 1s | Ready (Ports Reserved) |
| Server Connectivity | QNAP LACP (Ports 3-4) | ASUSTOR LACP (Ports 5-6) | < 1s | Active |
| Distribution Layer | SG2428P SFP+ Port 28 | SG2428P Port 20 | < 5s | Planned |
| Controller Management | OC200 Port 24 | OC200 Wireless Fallback | < 10s | Active |
#### 3.8.2 Single Points of Failure (SPOF) Analysis
| Component | Risk Level | Mitigation Strategy | Target Resolution |
|-----------|------------|---------------------|-------------------|
| ER7206 Router | HIGH | Add secondary router (VRRP) | Q3 2026 |
| SG3210X-M2 Core Switch | MEDIUM | Utilize reserved LACP ports 1-2 | Immediate |
| QNAP Primary Storage | MEDIUM | ASUSTOR backup with real-time sync | Active |
| Internet Connection | HIGH | 4G/LTE failover router | Q3 2026 |
| Power Supply | MEDIUM | UPS + Generator maintenance | Ongoing |
#### 3.8.3 Network Monitoring & Alerting
| Monitor Item | Threshold | Alert Method | Escalation |
|--------------|-----------|--------------|------------|
| Link Utilization > 80% | 5 min | Email + Teams | Network Admin |
| Link Down | Immediate | SMS + Email | Network Admin |
| High Latency > 100ms | 2 min | Email | Network Admin |
| Packet Loss > 1% | 3 min | Email | Network Admin |
| VLAN Misconfiguration | Immediate | Email | Network Admin |
#### 3.8.4 Disaster Recovery Procedures
1. **Core Switch Failure:**
- Activate LACP ports 1-2 on SG3210X-M2
- Re-route critical traffic through backup paths
- Restore within 15 minutes
2. **Router Failure:**
- Manual failover to backup router
- Update DHCP gateway addresses
- Restore within 30 minutes
3. **Internet Outage:**
- Activate 4G/LTE backup connection
- Update DNS records if needed
- Restore within 5 minutes
4. **Power Outage:**
- UPS maintains critical infrastructure for 2 hours
- Generator activates after 5 minutes
- Full service maintained
## 4. 🔥 Firewall Rules (ACLs) & Port Forwarding
กฎของ Firewall จะถูกกำหนดบน Omada Controller และอุปกรณ์ Gateway (ER7206) ตามหลักการอนุญาตแค่สิ่งที่ต้องการ (Default Deny)
@@ -138,11 +389,11 @@ graph TB
**IP Groups:**
- `Server`: 192.168.10.8, 192.168.10.9, 192.168.10.111
- `Server`: 192.168.10.8 (QNAP), 192.168.10.9 (ASUSTOR), 192.168.10.111 (Zyxel NAS326)
- `Omada-Controller`: 192.168.20.250
- `DHCP-Gateways`: 192.168.30.1, 192.168.70.1
- `QNAP_Services`: 192.168.10.8
- `Internal`: 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24
- `Internal`: 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24
- `Blacklist`: (เพิ่ม IP ประสงค์ร้าย)
**Port Groups:**
specs/03-Data-and-Storage/deltas/.gitkeep
View File
specs/03-Data-and-Storage/deltas/README.md
+65
View File
@@ -0,0 +1,65 @@
# Schema Deltas
Incremental SQL scripts applied to existing environments **after** the canonical schema
(`../lcbp3-v1.8.0-schema-02-tables.sql`) has been updated.
## Naming Convention
```
YYYY-MM-DD-descriptive-name.sql
```
Examples:
- `2026-04-22-add-rfa-revision-column.sql`
- `2026-04-25-index-correspondence-created-at.sql`
- `2026-05-01-add-workflow-step-attachment-table.sql`
## Rules (per ADR-009)
1. **Never replace** the canonical `lcbp3-v1.8.x-schema-02-tables.sql` — update it first, then add the delta here.
2. **Idempotent where possible** — prefer `CREATE TABLE IF NOT EXISTS`, `ALTER TABLE … ADD COLUMN IF NOT EXISTS`, etc.
3. **No TypeORM migrations** — these `.sql` files are the only schema deployment mechanism.
4. **Data backfill** goes through **n8n workflows**, not this directory.
5. **Update Data Dictionary** (`../03-01-data-dictionary.md`) in the same PR that adds a delta.
## Delta Template
```sql
-- Delta: <short description>
-- Date: YYYY-MM-DD
-- Related ADR: ADR-XXX (if applicable)
-- Related Spec: specs/NN-NAME/spec.md (if applicable)
-- Applied in: v1.8.X → v1.8.Y
-- ------------------------------------------------------------
-- Schema changes
-- ------------------------------------------------------------
ALTER TABLE <table>
ADD COLUMN <col> <type> <constraints>;
-- ------------------------------------------------------------
-- Indexes (if needed)
-- ------------------------------------------------------------
CREATE INDEX idx_<table>_<col> ON <table>(<col>);
-- ------------------------------------------------------------
-- Verification query (optional)
-- ------------------------------------------------------------
-- SELECT COUNT(*) FROM <table> WHERE <col> IS NOT NULL;
```
## Rollback
Every delta should have a reversible companion (`YYYY-MM-DD-descriptive-name.rollback.sql`)
where physically possible. Dropping `NOT NULL` columns with existing data is explicitly
irreversible — document in the delta header when rollback is impossible.
## References
- [ADR-009 Database Migration Strategy](../../06-Decision-Records/ADR-009-database-migration-strategy.md)
- [Canonical Schema](../lcbp3-v1.8.0-schema-02-tables.sql)
- [Data Dictionary](../03-01-data-dictionary.md)
specs/04-Infrastructure-OPS/switch-configuration-guide.md
+858
View File
@@ -0,0 +1,858 @@
# Switch Configuration Guide — Omada SDN V6
**Version:** 3.0
**Last Updated:** 2026-04-24
**Status:** Production
**Author:** Infrastructure Team
**Maintainer:** NAP-DMS DevOps
**Scope:** LCBP3 Network Infrastructure (SG3210X-M2 + SG2428P)
---
## Table of Contents
1. [Overview](#overview)
2. [VLAN Definitions](#vlan-definitions)
3. [Port Profiles](#port-profiles)
4. [VLAN Mapping](#vlan-mapping)
5. [Network Diagram](#network-diagram)
6. [Configuration Procedure](#configuration-procedure)
7. [Change Log](#change-log)
8. [Quick Reference](#quick-reference--edit-port-values)
9. [Pre-Deployment Checklist](#pre-deployment-checklist)
10. [Testing Guide](#testing-guide--vlan--lacp--stp)
11. [Security & Optimization](#security--optimization-recommended)
12. [Related Documents](#related-documents)
---
## Overview
เอกสารนี้กำหนด Port Profile templates และ VLAN mapping configuration สำหรับ LCBP3 network infrastructure โดยใช้ TP-Link Omada SDN V6 Controller (OC200)
**Audience:** Network Administrator, DevOps Engineer
**Prerequisites:** Omada SDN Controller v6.x, สิทธิ์ Admin บน OC200
**Related ADRs:** ADR-016 (Security), ADR-009 (Database Strategy — ถ้ามี Network DB)
### Network Equipment
| Device | Model | Role |
|--------|-------|------|
| Core Switch | SG3210X-M2 | 10G Core Switch |
| Access Switch | SG2428P | PoE Access Switch |
| NAS Storage | QNAP / ASUSTOR | Network Attached Storage |
| Unmanaged Switch 1 | TL-SG1210P | IP Phone + PC |
| Unmanaged Switch 2 | TL-SL1226P | CCTV |
| Wireless AP | EAP610 | Wi-Fi Access Points |
| Router | ER7206 | Edge Router |
### Configuration Concepts
**Port Profile** — Template defining port-level settings (STP Security, Loopback Control, Multicast Fast Leave, Flow Control, EEE, LLDP-MED, PoE). Port Profiles do NOT contain VLAN configuration.
**Edit Port** — VLAN assignment step where Native Network (Untagged), Tagged Network, and Voice Network are configured, and a Port Profile is applied.
---
## 🧠 Key Concepts (Before Using This Config)
- ใช้ **STP เท่านั้น (เลิก Loop Detection)** — Spanning Tree Protocol สำหรับ loop prevention
- **Harden Access Port ด้วย BPDU Guard** — ป้องกันการเสียบ switch โดยไม่ได้รับอนุญาต
- **กัน Rogue Switch ด้วย Root Guard** — ป้องกัน switch เถื่อนยึด root bridge
- **ทำ Trunk ให้ clean + predictable** — Native VLAN 999 สำหรับทุก trunk port
- **เผื่อ future VLAN expansion** — รองรับ VLAN เพิ่มเติมในอนาคต
- **VLAN 999 (was 99)** — เปลี่ยนจาก VLAN 99 เป็น 999 เพื่อความปลอดภัย
---
## VLAN Definitions
| VLAN ID | Name | Purpose | Subnet | Gateway | DHCP Range |
|---------|------|---------|--------|---------|-------------|
| 10 | NAS-ADMIN | NAS Storage & Admin Desktop | 192.168.10.0/24 | 192.168.10.1 | 192.168.10.50199 |
| 20 | MGMT | Network Management (OC200) | 192.168.20.0/24 | 192.168.20.1 | 192.168.20.50199 |
| 30 | USERS | User PCs, Printers, Staff WiFi | 192.168.30.0/24 | 192.168.30.1 | 192.168.30.50199 |
| 40 | CCTV | CCTV Cameras, IoT Devices | 192.168.40.0/24 | 192.168.40.1 | 192.168.40.50199 |
| 50 | VOICE | IP Phones | 192.168.50.0/24 | 192.168.50.1 | 192.168.50.50199 |
| 70 | GUEST | Guest WiFi | 192.168.70.0/24 | 192.168.70.1 | 192.168.70.50199 |
| 999 | NATIVE | Trunk Native VLAN (No DHCP) — Hardened | — | — | — |
| 60 | UNUSED | Reserved for future use | — | — | — |
---
## Port Profiles
### Profile 1 — 001-CORE-TRUNK-LACP 🔷
**Purpose:** LACP trunk links between Core and Access switches / Router
**Applied To:**
- SG3210X-M2 Port 12 (to SG2428P Port 2122)
- SG3210X-M2 Port 9 (to ER7206)
- SG2428P Port 2122 (to SG3210X-M2 Port 12)
**Configuration:**
```bash
Loopback Control: Spanning Tree
STP:
- Loop Protect: ENABLE
- Root Protect: DISABLE
- TC Guard: DISABLE
- BPDU Guard: DISABLE
- BPDU Filter: DISABLE
General:
- Flow Control: ON
- EEE: OFF
- Port Isolation: OFF
```
📌 **ใช้กับ:** Core ↔ Access, Core ↔ Router
---
### Profile 2 — 002-NAS-LACP 🔷
**Purpose:** LACP links to NAS storage devices (QNAP / ASUSTOR)
**Applied To:**
- SG3210X-M2 Port 34 (to QNAP)
- SG3210X-M2 Port 56 (to ASUSTOR)
**Configuration:**
```bash
Loopback Control: Spanning Tree
STP:
- Loop Protect: ENABLE
- Root Protect: DISABLE
- BPDU Guard: DISABLE
General:
- Flow Control: ON
- EEE: OFF
```
⚠️ **เหตุผล:** NAS บางรุ่นส่ง BPDU แปลก ๆ → ห้ามเปิด BPDU Guard
---
### Profile 3 — 003-UNMANAGED-SWITCH 🔷⭐ (สำคัญมาก)
**Purpose:** Downstream links to unmanaged switches — ป้องกัน Rogue Switch
**Applied To:**
- SG2428P Port 25 (to TL-SL1226P — CCTV)
- SG2428P Port 26 (to TL-SG1210P — IP Phone + PC)
**Configuration:**
```bash
Loopback Control: Spanning Tree
STP:
- Root Protect: ENABLE 🔥
- Loop Protect: ENABLE
- BPDU Guard: DISABLE
- TC Guard: DISABLE
General:
- Flow Control: ON
- EEE: OFF
```
📌 **ป้องกัน:** เสียบ switch เถื่อน → ยึด root ไม่ได้
---
### Profile 4 — 004-AP-TRUNK 🔷
**Purpose:** Trunk links to wireless access points (EAP610)
**Applied To:**
- SG2428P Port 116 (to EAP610)
**Configuration:**
```bash
Loopback Control: Spanning Tree
STP:
- Edge Port: ENABLE
- BPDU Guard: ENABLE 🔥 (optional แต่แนะนำ)
- Loop Protect: DISABLE
General:
- Flow Control: ON
- EEE: OFF
```
📌 **หมายเหตุ:** AP ไม่ควรส่ง BPDU → เปิด guard ได้
---
### Profile 5 — 005-VOICE-ONLY 🔷
**Purpose:** Direct connections to IP phones
**Applied To:**
- SG2428P Port 1718 (to IP Phone)
**Configuration:**
```bash
Loopback Control: Spanning Tree
STP:
- Edge Port: ENABLE
- BPDU Guard: ENABLE 🔥
General:
- LLDP-MED: ENABLE
- Flow Control: ON
```
---
### Profile 6 — 006-ACCESS-PC 🔷⭐
**Purpose:** Direct connections to PCs and printers — Hardened Access Port
**Applied To:**
- SG2428P Port 23 (to Printer)
- SG3210X-M2 Port 8 (to Admin Desktop)
- General PC connections
**Configuration:**
```bash
Loopback Control: Spanning Tree
STP:
- Edge Port: ENABLE
- BPDU Guard: ENABLE 🔥🔥🔥 (สำคัญสุด)
General:
- Flow Control: ON
- EEE: OFF
```
📌 **ถ้ามีคนเสียบ switch:** → Port จะ shutdown ทันที
---
### Profile 7 — 007-DEFAULT-MGMT 🔷
**Purpose:** Default configuration for management ports
**Applied To:**
- Management ports
- Ports requiring no special configuration
**Configuration:**
```bash
Loopback Control: Spanning Tree
STP:
- Edge Port: ENABLE
- BPDU Guard: ENABLE
General:
- Default
```
---
## VLAN Mapping 🔶
### SG3210X-M2 (Core) Port Configuration
| Port | Destination | Profile | Native (Untagged) | Tagged | Voice |
|------|-------------|---------|-------------------|--------|-------|
| 1-2 | SG2428P (LACP) | 001-CORE-TRUNK-LACP | 999 | 10,20,30,40,50,70 | Off |
| 3-4 | QNAP (LACP) | 002-NAS-LACP | 10 | 20 🔥 | Off |
| 5-6 | ASUSTOR (LACP) | 002-NAS-LACP | 10 | 20 🔥 | Off |
| 7 | Reserved (future expansion) | 007-DEFAULT-MGMT | 999 | None | Off |
| 8 | Admin Desktop | 006-ACCESS-PC | 10 | None | Off |
| 9 | ER7206 | 001-CORE-TRUNK-LACP | 999 | 10,20,30,40,50,70 | Off |
| 10 | Reserved (future expansion) | 007-DEFAULT-MGMT | 999 | None | Off |
📌 **NAS (Port 3-6) ปรับใหม่:** เพิ่ม Tagged VLAN 20 สำหรับ MGMT redundancy
---
### SG2428P (Access) Port Configuration
| Port | Destination | Profile | Native (Untagged) | Tagged | Voice |
|------|-------------|---------|-------------------|--------|-------|
| 1-16 | EAP610 | 004-AP-TRUNK | 999 | 10,20,30,40,50,70 🔥 allow all | Off |
| 17-18 | IP Phone | 005-VOICE-ONLY | 50 | None | Enable (VLAN 50) |
| 19-20 | Reserved (future expansion) | 007-DEFAULT-MGMT | 999 | None | Off |
| 21-22 | SG3210X-M2 (LACP) | 001-CORE-TRUNK-LACP | 999 | 10,20,30,40,50,70 | Off |
| 23 | Printer | 006-ACCESS-PC | 30 | None | Off |
| 24 | OC200 | 007-DEFAULT-MGMT | 20 | None | Off |
| 25 | TL-SL1226P (CCTV) | 003-UNMANAGED-SWITCH | 40 | None | Off |
| 26 | TL-SG1210P (IP Phone + PC) | 003-UNMANAGED-SWITCH | 30 | 50 | Enable (VLAN 50) |
| 27-28 | Reserved (future expansion) | 007-DEFAULT-MGMT | 999 | None | Off |
📌 **AP Ports (1-16) ปรับใหม่:** Allow all VLANs สำหรับ future expansion
---
## Network Diagram
```
┌──────────────┐
│ ER7206 │
│ (Trunk 999) │
└──────┬───────┘
┌──────────────────────────┐
│ SG3210X-M2 (Core) │
│ [Root Bridge 4096] │
└──────────────────────────┘
LACP 1-2 / | | | | \ Reserved
/ | | | | \
▼ ▼ ▼ ▼ ▼ ▼
SG2428P (Access) QNAP ASUSTOR Admin Reserved
[Priority 8192] (VLAN10+20) (VLAN10+20) (VLAN10)
(AP 116 Trunk)
Uplink SG3210XM2 (12) ↔ SG2428P (2122)
WiFi Staff → VLAN 30
WiFi Guest → VLAN 70
CCTV → VLAN 40
IP Phone → VLAN 50
Printer → VLAN 30
Admin Desktop → VLAN 10
NAS → VLAN 10 (+20 MGMT)
OC200 → VLAN 20
```
---
## Configuration Procedure
### Step 1 — Create Port Profiles
1. Navigate to Omada SDN Controller → Port Profiles
2. Create each profile listed in the Port Profiles section
3. Configure all settings as specified
4. **Do not configure VLANs in Port Profiles** (VLANs are configured in Edit Port)
### Step 2 — Configure Port VLANs
1. Navigate to Omada SDN Controller → Switches → Edit Port
2. For each port, configure:
- **Native Network (Untagged)** — The access VLAN for untagged traffic
- **Tagged Network** — VLANs allowed on the trunk (comma-separated)
- **Voice Network** — Voice VLAN (if applicable)
- **Profile** — Select the appropriate Port Profile from Step 1
3. Apply configuration per the VLAN Mapping tables
---
## Change Log
| Version | Date | Changes |
|---------|------|---------|
| 3.0 | 2026-04-24 | **FINAL VERSION** — STP-only (no Loop Detection), BPDU Guard on access ports, Root Guard on unmanaged switch ports, VLAN 99→999, NAS with MGMT redundancy (VLAN 20 tagged), AP allow-all VLANs, Security Hardening section |
| 2.0 | 2026-04-24 | Updated port mappings (LACP 21-22), new VLAN scheme (30/40/50/70), consolidated CCTV/IoT to VLAN 40, added DHCP table, renamed PC-ONLY to ACCESS-PC |
| 1.0 | 2026-04-23 | Initial version with basic port profiles and VLAN mapping |
---
## Quick Reference — Edit Port Values
### SG3210X-M2
| Port | Native | Tagged | Profile | Voice |
|------|--------|--------|---------|-------|
| 1-2 | 999 | 10,20,30,40,50,70 | 001-CORE-TRUNK-LACP | Off |
| 3-4 | 10 | 20 | 002-NAS-LACP | Off |
| 5-6 | 10 | 20 | 002-NAS-LACP | Off |
| 7 | 999 | — | 007-DEFAULT-MGMT | Off |
| 8 | 10 | — | 006-ACCESS-PC | Off |
| 9 | 999 | 10,20,30,40,50,70 | 001-CORE-TRUNK-LACP | Off |
| 10 | 999 | — | 007-DEFAULT-MGMT | Off |
### SG2428P
| Port | Native | Tagged | Profile | Voice |
|------|--------|--------|---------|-------|
| 1-16 | 999 | 10,20,30,40,50,70 | 004-AP-TRUNK | Off |
| 17-18 | 50 | — | 005-VOICE-ONLY | 50 |
| 19-20 | 999 | — | 007-DEFAULT-MGMT | Off |
| 21-22 | 999 | 10,20,30,40,50,70 | 001-CORE-TRUNK-LACP | Off |
| 23 | 30 | — | 006-ACCESS-PC | Off |
| 24 | 20 | — | 007-DEFAULT-MGMT | Off |
| 25 | 40 | — | 003-UNMANAGED-SWITCH | Off |
| 26 | 30 | 50 | 003-UNMANAGED-SWITCH | 50 |
| 27-28 | 999 | — | 007-DEFAULT-MGMT | Off |
---
## Pre-Deployment Checklist
ก่อน Apply ค่า Configuration:
- [ ] สร้าง VLANs 10, 20, 30, 40, 50, 70, 999 ใน Omada Controller (VLAN 999 = Hardened Native)
- [ ] สร้าง Port Profiles 001007 ครบถ้วน (STP Mode — ไม่ใช้ Loop Detection)
- [ ] ตรวจสอบ LACP Group Configuration (Port 1-2 ↔ Port 21-22)
- [ ] ตั้งค่า DHCP Server ตามตาราง VLAN Definitions
- [ ] ตรวจสอบว่า OC200 อยู่บน VLAN 20 และมี IP 192.168.20.x
- [ ] ตรวจสอบ Voice VLAN Enable บน Port 17-18 และ 26
- [ ] กำหนด STP Priority: Core=4096, Access=8192
- [ ] สำรอง Configuration ปัจจุบันก่อน Apply
---
# Testing Guide — VLAN + LACP + STP
การทดสอบทีละ Layer โดยไม่ต้องใช้เครื่องมือพิเศษ — ใช้แค่ PC + ping + OC200 UI
---
## PART 1 — Testing VLAN (Step-by-Step)
### Goal
- ตรวจสอบว่าแต่ละพอร์ตอยู่ VLAN ถูกต้อง
- ตรวจสอบว่า Tagged/Untagged ทำงาน
- ตรวจสอบว่า DHCP แจก IP ถูก subnet
- ตรวจสอบว่า WiFi → VLAN ถูกต้อง
---
### STEP 1 — Test VLAN 10 (NAS-ADMIN)
**Test Equipment:**
- Admin Desktop (Port 8 SG3210X-M2)
- QNAP / ASUSTOR
**Procedure:**
1. Connect Admin Desktop → Port 8
2. Open Command Prompt
3. Type:
```
ipconfig
```
4. Expected IP range:
```
192.168.10.x
```
**Ping Tests:**
```
ping 192.168.10.1 ← Gateway
ping <QNAP-IP>
ping <ASUSTOR-IP>
```
**Expected Result:**
- All pings successful
- Should NOT ping to VLAN 30/40/50/70 (if ACL configured)
---
### STEP 2 — Test VLAN 30 (USERS)
**Test Equipment:**
- General PC
- Printer
- Staff WiFi (SSID: Staff)
**Procedure:**
1. Connect PC → Port 23 or Port 26 (via TL-SG1210P)
2. Type:
```
ipconfig
```
3. Expected IP:
```
192.168.30.x
```
**Ping Tests:**
```
ping 192.168.30.1
ping <Printer-IP>
```
**WiFi Staff Test:**
1. Connect to SSID Staff
2. Type:
```
ipconfig
```
3. Expected IP: 192.168.30.x
---
### STEP 3 — Test VLAN 40 (CCTV/IoT)
**Test Equipment:**
- CCTV Camera (via TL-SL1226P Port 25)
**Procedure:**
1. Open OC200 → Clients
2. Camera must show as VLAN 40
3. Test ping from Admin Desktop:
```
ping <CCTV-IP>
```
**Expected Result:**
- Ping successful
- DHCP must assign IP 192.168.40.x
---
### STEP 4 — Test VLAN 50 (VOICE)
**Test Equipment:**
- IP Phone (Port 1718 SG2428P)
**Procedure:**
1. IP Phone boots up
2. Expected IP:
```
192.168.50.x
```
3. In OC200 → Clients, must see Voice VLAN 50
**LLDP-MED Test:**
In OC200 → Switch → Port 1718, must see:
```
LLDP-MED: Active
Voice VLAN: 50
```
---
### STEP 5 — Test VLAN 70 (Guest WiFi)
**Procedure:**
1. Connect to SSID Guest
2. Type:
```
ipconfig
```
3. Expected IP:
```
192.168.70.x
```
**Isolation Test:**
```
ping 192.168.30.1 ← Must NOT pass
ping 192.168.10.1 ← Must NOT pass
```
---
## PART 2 — Testing LACP (Step-by-Step)
### Goal
- ตรวจสอบว่า LACP ระหว่าง SG3210X-M2 ↔ SG2428P ทำงาน
- ตรวจสอบว่า QNAP/ASUSTOR LACP ทำงาน
- ตรวจสอบว่าไม่มี Mis-config
---
### STEP 1 — Check LACP Status in OC200
**Path:** Insight → Switch → LAG Status
Expected status:
**SG3210X-M2:**
- LAG1 (Port 12) → **Up**
- LAG2 (Port 34) → **Up**
- LAG3 (Port 56) → **Up**
**SG2428P:**
- LAG1 (Port 2122) → **Up**
---
### STEP 2 — Test Load Balancing
**Procedure:**
1. Open QNAP → File Station
2. Copy large file (1020GB) to Admin Desktop
3. Open Task Manager → Performance → Ethernet
4. Must see traffic on both links (Port 34 or 56)
**Uplink Test:**
1. Run Speedtest between PC VLAN 30 → NAS VLAN 10
2. Must achieve > 1Gbps (if 2Gbps LACP)
---
### STEP 3 — Test Failover
**Procedure:**
1. Disconnect cable from **Port 1** of SG3210X-M2
2. LACP must remain **Up** (using Port 2)
3. Disconnect Port 2 → LACP must go Down
Repeat test with QNAP/ASUSTOR
---
## PART 3 — Testing STP (Step-by-Step)
### Goal
- ตรวจสอบว่าไม่มี Loop
- ตรวจสอบว่า Root Bridge ถูกต้อง
- ตรวจสอบว่า STP Security ทำงาน
---
### STEP 1 — Check Root Bridge
**Path:** Devices → SG3210X-M2 → Ports → STP
Expected:
```
SG3210X-M2 = Root Bridge
```
If not, adjust Priority:
```
SG3210X-M2 Priority = 4096
SG2428P Priority = 8192
```
---
### STEP 2 — Test Loop Detection
**Safe Test Method:**
1. Go to TL-SG1210P (Port 26 SG2428P)
2. Create loop with LAN cable (Port 1 ↔ Port 2)
3. Check OC200 → Alerts
Expected alert:
```
Loop Detected on Port 26
Port Shutdown (BPDU Protect)
```
Port must auto-shutdown
---
### STEP 3 — Test STP Blocking
**Procedure:**
1. Connect cable from SG2428P Port 19 → SG2428P Port 20
2. Check OC200 → Switch → Ports
Expected:
```
STP State: Blocking
```
---
### STEP 4 — Test Topology Change (TC Guard)
**Procedure:**
1. Power cycle AP (Port 116)
2. Check OC200 → Logs
Expected: **NO** message:
```
Topology Change Detected
```
Because TC Guard is enabled
---
## PART 4 — Testing Checklist (SOP)
### VLAN Tests
- [ ] VLAN 10 gets IP 192.168.10.x
- [ ] VLAN 30 gets IP 192.168.30.x
- [ ] VLAN 40 gets IP 192.168.40.x
- [ ] VLAN 50 gets IP 192.168.50.x
- [ ] VLAN 70 gets IP 192.168.70.x
### WiFi Tests
- [ ] Staff WiFi → VLAN 30
- [ ] Guest WiFi → VLAN 70
### Device Tests
- [ ] CCTV → VLAN 40
- [ ] IP Phone → VLAN 50
- [ ] Printer → VLAN 30
- [ ] Admin Desktop → VLAN 10
- [ ] NAS → VLAN 10
- [ ] OC200 → VLAN 20
### LACP Tests
- [ ] LACP SG3210X-M2 ↔ SG2428P = Up
- [ ] LACP QNAP = Up
- [ ] LACP ASUSTOR = Up
- [ ] Load balancing works (2Gbps)
- [ ] Failover works (single link failure)
### STP Tests
- [ ] Root Bridge = SG3210X-M2 (Priority 4096)
- [ ] BPDU Guard shutdown test (เสียบ switch ที่ port PC → port ต้อง shutdown)
- [ ] Root Guard works (003-UNMANAGED-SWITCH)
- [ ] STP Blocking works
- [ ] TC Guard works (no topology change on AP reboot)
---
# 🔐 Security Hardening (ต้องทำเพิ่ม)
Required security configurations for Enterprise-grade network protection.
---
## DHCP Snooping 🔥
```bash
Global: ENABLE
Trusted Ports:
- Uplink ไป Router (ER7206)
- Core Trunk (Port 1-2, 9)
```
**Path:** Settings → Wired Networks → Switch → DHCP Snooping
1. Enable **DHCP Snooping** globally
2. Mark **Trusted Ports**:
- SG3210X-M2 Port 9 (to ER7206)
- SG3210X-M2 Port 1-2 (Core Trunk)
- SG2428P Port 21-22 (Uplink to Core)
3. **Untrusted:** ทุก access port (จะถูก block ถ้าส่ง DHCP Offer)
---
## Storm Control (AP Ports) 🔥
```bash
Broadcast: 1%
Multicast: 2%
Unknown: 2%
```
**Path:** Settings → Wired Networks → Switch → Port Profile → 004-AP-TRUNK
1. Navigate to **Bandwidth Control / Storm Control**
2. Configure:
- Broadcast: 1% (หรือ 1000 pps)
- Multicast: 2% (หรือ 2000 pps)
- Unknown Unicast: 2% (หรือ 2000 pps)
3. Save
📌 **หมายเหตุ:** ใช้ percentage หรือ pps ตามความเหมาะสมกับ traffic
---
## STP Priority (Root Bridge Election) 🔥
```bash
SG3210X-M2 (Core): 4096
SG2428P (Access): 8192
```
**Path:** Devices → Switch → Config → STP → Priority
1. **SG3210X-M2:** Set Priority = **4096** (Root Bridge)
2. **SG2428P:** Set Priority = **8192** (Backup Root)
3. Save and verify:
```
OC200 → Topology → Root Bridge = SG3210X-M2
```
📌 **สำคัญ:** Core ต้องเป็น Root Bridge เสมอ
---
## Jumbo Frame 🔥
```bash
MTU: 9000
(ต้องตั้งทุก device ให้เท่ากัน)
```
### SG3210X-M2
**Path:** Devices → SG3210X-M2 → Config → Switch Settings
```
Jumbo Frame: Enable
MTU: 9000
```
### QNAP
**Path:** Control Panel → Network & Virtual Switch → Interfaces
```
MTU: 9000
```
### ASUSTOR
**Path:** Settings → Network → Interface → Advanced
```
Jumbo Frame: 9000
```
⚠️ **คำเตือน:** ถ้าตั้งไม่เท่ากันทุก device → จะมีปัญหา fragmentation หรือ packet drop
---
## 💥 Final Validation Checklist
### Connectivity Tests
- [ ] LACP = UP ทุกเส้น (Core↔Access, NAS)
- [ ] Root Bridge = Core Switch (SG3210X-M2 Priority 4096)
- [ ] เสียบ switch ที่ port PC → port ต้อง shutdown (BPDU Guard)
- [ ] WiFi ได้ VLAN ถูกต้อง (Staff=30, Guest=70)
- [ ] NAS เข้าถึงได้ทั้ง VLAN 10 และ 20
- [ ] Guest VLAN เข้า LAN ไม่ได้ (isolation)
### Security Tests
- [ ] DHCP Snooping blocks rogue DHCP
- [ ] Storm Control limits broadcast
- [ ] BPDU Guard shuts down unauthorized switches
- [ ] Root Guard prevents rogue root bridge
### Performance Tests
- [ ] Jumbo Frame works (MTU 9000 end-to-end)
- [ ] LACP load balancing (2Gbps aggregate)
- [ ] Failover works (single link failure)
---
## Related Documents
- Network Architecture Design — `specs/02-architecture/02-03-network-design.md`
- VLAN Scheme — See [VLAN Definitions](#vlan-definitions) section
- IP Addressing Scheme — See DHCP table in [VLAN Definitions](#vlan-definitions) section
- Security Guidelines — `specs/06-Decision-Records/ADR-016-security-authentication.md`
- Release Policy — `specs/04-Infrastructure-OPS/04-08-release-management-policy.md` (สำหรับ network changes)
---
## Document Metadata
| Property | Value |
|----------|-------|
| **Type** | Infrastructure Specification |
| **Language** | Thai (explanations), English (technical terms) |
| **Standards** | AGENTS.md v1.8.9 |
| **Review Cycle** | Per release or on equipment change |
| **Approval Required** | Yes — Infrastructure Lead + Security Review |