690428:2116 Update Infras #05
CI / CD Pipeline / build (push) Successful in 5m8s
CI / CD Pipeline / deploy (push) Successful in 1m59s

2026-04-28 21:16:49 +07:00
parent 1a51bfa3c4
commit de059c9edb
5 changed files with 1273 additions and 83 deletions
+12
@@ -1,5 +1,17 @@
# Version History
## 1.8.10 (2026-04-28)
### docs(infra): Network Infrastructure Guide v3.1 — Document Renamed + AMPCOM 2.5G Integration
- **Renamed**: `switch-configuration-guide.md``04-network-infrastructure-guide.md` (better reflects comprehensive scope: switches, VLAN, security, topology)
- **Added**: AMPCOM ZX-SWTGW218AS 2.5Gbps switch integration
- **Updated**: SG3210X-M2 port mapping (Port 8→AMPCOM SFP+ 10Gbps, Port 9→ER7206 SFP 1Gbps)
- **Updated**: SG2428P port 17-19 (IP Phone Trunk 3 ports), Port 20 (Hardened MGMT)
- **Updated**: Admin Desktop moved to AMPCOM Port 8 (2.5Gbps access)
- **Added**: Security Hardening sections (DHCP Snooping, Storm Control, STP Priority, Jumbo Frame)
- **Updated**: `04-Infrastructure-OPS/README.md` Document Index with new entry
## 1.8.9 (2026-04-18)
### chore(infra): Docker Compose security hardening — 27 findings (C1S4) addressed
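Review bot: the Renamed bullet lists the two file names as adjacent code spans with nothing between them (`switch-configuration-guide.md``04-network-infrastructure-guide.md`), so the line reads as one garbled name; restore the `→` separator that the other bullets in this entry use. Also, Jumbo Frame in the "Security Hardening sections" bullet is an MTU/performance setting, not a hardening control; list it under a separate "Optimization" bullet so the changelog does not overstate the security scope of the change.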
+3 -3
@@ -3,7 +3,7 @@
> **Laem Chabang Port Phase 3 - Document Management System**
> ระบบบริหารจัดการเอกสารโครงการแบบครบวงจร สำหรับโครงการก่อสร้างท่าเรือแหลมฉบังระยะที่ 3
[![Version](https://img.shields.io/badge/version-1.8.9-blue.svg)](./CHANGELOG.md)
[![Version](https://img.shields.io/badge/version-1.8.10-blue.svg)](./CHANGELOG.md)
[![License](https://img.shields.io/badge/license-Internal-red.svg)]()
[![Status](https://img.shields.io/badge/status-UAT%20Ready-brightgreen.svg)]()
[![Docs](https://img.shields.io/badge/docs-10%2F10%20Gaps%20Closed-success.svg)](./specs/00-Overview/README.md)
@@ -12,9 +12,9 @@
## 📈 Current Status (As of 2026-04-18)
**Version 1.8.9 — Infrastructure Hardening Complete (27 findings → 0)**
**Version 1.8.10 — Network Infrastructure Guide v3.1 + AMPCOM 2.5G Integration**
> v1.8.7 (ADR-021 Integration) + v1.8.8 (Workflow Attachments) shipped Apr 14; v1.8.9 (Compose stack hardening) shipped Apr 18.
> v1.8.9 (Compose hardening) shipped Apr 18; v1.8.10 (Network Infra Guide renamed + AMPCOM integration) shipped Apr 28.
| Area | Status | หมายเหตุ |
| ---------------------- | ------------------------ | ------------------------------------------------------------------ |
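Review bot: the section heading "## 📈 Current Status (As of 2026-04-18)" is left unchanged while the lines directly under it now say v1.8.10 shipped Apr 28; update the heading to "As of 2026-04-28" so the status block and its own timestamp agree.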
File diff suppressed because it is too large.
+1
@@ -27,6 +27,7 @@ It consolidates what was previously split across multiple operations and specifi
| **[04-02-backup-recovery.md](./04-02-backup-recovery.md)** | Disaster Recovery | RTO/RPO strategies, QNAP to ASUSTOR backup scripts, Restic/Mysqldump config |
| **[04-03-monitoring.md](./04-03-monitoring.md)** | Observability | Prometheus metrics, AlertManager rules, Grafana alerts |
| **[04-04-deployment-guide.md](./04-04-deployment-guide.md)** | Production Rollout | Blue-Green deployment scripts, **Appendix A: QNAP Container Station**, **Appendix B: Gitea Actions CI/CD**, **Appendix C: act_runner setup** |
| **[04-network-infrastructure-guide.md](./04-network-infrastructure-guide.md)** | 🔥 **Network Design** | Omada SDN configuration, VLAN mapping, Port Profiles, STP Security, AMPCOM 2.5G integration, Security Hardening |
| **[04-05-maintenance-procedures.md](./04-05-maintenance-procedures.md)** | Routine Care | Log rotation, dependency updates, scheduled DB optimizations |
| **[04-06-security-operations.md](./04-06-security-operations.md)** | Hardening & Audit | User access review, SSL renewals, vulnerability scanning, **Appendix A: SSH Setup**, **Appendix B: Secrets Management** |
| **[04-07-incident-response.md](./04-07-incident-response.md)** | Escalation | P0-P3 classifications, incident commander roles, Post-Incident Review |
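Review bot: the new index row breaks the directory's naming scheme: every other document is `04-0N-<topic>.md` and the table is ordered by that number, but the new file is `04-network-infrastructure-guide.md` and is inserted between 04-04 and 04-05. Suggest giving it the next free number (for example `04-08-network-infrastructure-guide.md`) and appending it in sequence, and drop the 🔥 from the category cell, which no other row uses.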
@@ -1,11 +1,12 @@
# Switch Configuration Guide — Omada SDN V6
# Network Infrastructure Guide — Omada SDN V6
**Version:** 3.0
**Last Updated:** 2026-04-24
**Version:** 3.1
**Last Updated:** 2026-04-28
**Status:** Production
**Author:** Infrastructure Team
**Maintainer:** NAP-DMS DevOps
**Scope:** LCBP3 Network Infrastructure (SG3210X-M2 + SG2428P)
**Scope:** LCBP3 Network Infrastructure (SG3210X-M2 + SG2428P + **AMPCOM ZX-SWTGW218AS 2.5G**)
**Filename:** `04-network-infrastructure-guide.md` (renamed from `switch-configuration-guide.md`)
---
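Review bot: the new `**Filename:**` metadata line records the rename inside the document body, which goes stale at the next rename and duplicates what the 3.1 Change Log row already states; keep rename history in the Change Log only. The bold `**AMPCOM ZX-SWTGW218AS 2.5G**` inside the Scope line is also one-off emphasis that will outlive its novelty; plain text reads better in a metadata header.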
@@ -15,13 +16,16 @@
2. [VLAN Definitions](#vlan-definitions)
3. [Port Profiles](#port-profiles)
4. [VLAN Mapping](#vlan-mapping)
5. [Network Diagram](#network-diagram)
- [SG3210X-M2 (Core)](#sg3210x-m2-core-port-configuration)
- [SG2428P (Access)](#sg2428p-access-port-configuration)
- [AMPCOM ZX-SWTGW218AS (2.5G)](#ampcom-zx-swtgw218as-25g-access-port-configuration)
5. [Network Diagram](#network-diagram-v31)
6. [Configuration Procedure](#configuration-procedure)
7. [Change Log](#change-log)
8. [Quick Reference](#quick-reference--edit-port-values)
9. [Pre-Deployment Checklist](#pre-deployment-checklist)
10. [Testing Guide](#testing-guide--vlan--lacp--stp)
11. [Security & Optimization](#security--optimization-recommended)
11. [Security Hardening](#-security-hardening-ต้องทำเพิ่ม)
12. [Related Documents](#related-documents)
---
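Review bot: item 5 now links to `#network-diagram-v31` because the version was put into the heading "Network Diagram (v3.1)"; that anchor will have to change on every version bump, so keep the version out of the heading. Item 11's anchor `#-security-hardening-ต้องทำเพิ่ม` also depends on how the renderer slugifies an emoji-prefixed Thai heading, which differs between Gitea, GitHub and editor previews; an ASCII heading such as "Security Hardening (Required)" with anchor `#security-hardening-required` would be stable across renderers.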
@@ -40,12 +44,30 @@
|--------|-------|------|
| Core Switch | SG3210X-M2 | 10G Core Switch |
| Access Switch | SG2428P | PoE Access Switch |
| **2.5G Access Switch** | **AMPCOM ZX-SWTGW218AS** | **2.5Gbps Desktop Switch + SFP+ Uplink** |
| NAS Storage | QNAP / ASUSTOR | Network Attached Storage |
| Unmanaged Switch 1 | TL-SG1210P | IP Phone + PC |
| Unmanaged Switch 2 | TL-SL1226P | CCTV |
| Wireless AP | EAP610 | Wi-Fi Access Points |
| Router | ER7206 | Edge Router |
### New Connection Topology (v3.1)
```
SG3210X-M2 (Core)
├── Port 1-2 (LACP) → SG2428P Port 21-22
├── Port 3-4 (LACP) → QNAP
├── Port 5-6 (LACP) → ASUSTOR
├── Port 7 (SFP+) → [Reserved/MGMT] — Block All
├── Port 8 (SFP+) → AMPCOM Port 9 (SFP+) — Trunk Allow All
├── Port 9 (SFP+ 1Gbps) → ER7206 Port 1 (SFP) — Router Uplink
└── Port 10 → [Reserved/MGMT]
AMPCOM ZX-SWTGW218AS (2.5G Access)
├── Port 1-7 → 2.5Gbps Desktop/Laptop
└── Port 8 → Admin Desktop (VLAN 10)
```
### Configuration Concepts
**Port Profile** — Template defining port-level settings (STP Security, Loopback Control, Multicast Fast Leave, Flow Control, EEE, LLDP-MED, PoE). Port Profiles do NOT contain VLAN configuration.
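Review bot: in the topology block Port 7 is annotated "Block All" but Port 10, which is listed identically as [Reserved/MGMT], carries no such annotation; two unused reserved ports should receive the same hardening, so either add "— Block All" to Port 10 or state why it stays open. The new hardware row could also give the port layout that the topology already implies ("8x 2.5G + 1x SFP+") so a reader does not have to derive it from the diagram.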
@@ -399,76 +421,106 @@ Bandwidth Control: Storming Control
### SG3210X-M2 (Core) Port Configuration
| Port | Destination | Profile | Native (Untagged) | Tagged | Voice |
|------|-------------|---------|-------------------|--------|-------|
| 1-2 | SG2428P (LACP) | 001-CORE-TRUNK-LACP | 20 | 10,30,40,50,70 | Off |
| 3-4 | QNAP (LACP) | 002-NAS-LACP | 10 | 20 🔥 | Off |
| 5-6 | ASUSTOR (LACP) | 002-NAS-LACP | 10 | 20 🔥 | Off |
| 7 | Reserved / MGMT Port | 007-DEFAULT-MGMT | 20 | None | Off |
| 8 | Admin Desktop | 006-ACCESS-PC | 10 | None | Off |
| 9 | ER7206 (Router) | 001-CORE-TRUNK-LACP | 20 | 10,30,40,50,70 | Off |
| 10 | Reserved / MGMT Port | 007-DEFAULT-MGMT | 20 | None | Off |
| Port | Destination | Profile | Native (Untagged) | Tagged | Voice | Network Tags |
|------|-------------|---------|-------------------|--------|-------|--------------|
| 1-2 | SG2428P (LACP) | 001-CORE-TRUNK-LACP | 20 | 10,30,40,50,70 | Off | Allow All |
| 3-4 | QNAP (LACP) | 002-NAS-LACP | 10 | 20 🔥 | Off | Allow All |
| 5-6 | ASUSTOR (LACP) | 002-NAS-LACP | 10 | 20 🔥 | Off | Allow All |
| 7 | Reserved / MGMT Port | 007-DEFAULT-MGMT | 20 | | Off | **Block All** 🔒 |
| 8 | AMPCOM Port 9 (SFP+) | 001-CORE-TRUNK-LACP | 20 | 10,30,40,50,70 | Off | **Allow All** 🔥 |
| 9 | ER7206 Port 1 (SFP 1Gbps) | 001-CORE-TRUNK-LACP | 20 | 10,30,40,50,70 | Off | Allow All |
| 10 | Reserved / MGMT Port | 007-DEFAULT-MGMT | 20 | | Off | Allow All |
📌 **NAS (Port 3-6) ปรับใหม่:** เพิ่ม Tagged VLAN 20 สำหรับ MGMT redundancy
📌 **NAS (Port 3-6):** Tagged VLAN 20 สำหรับ MGMT redundancy
📌 **Trunk LACP (Port 1-2, 9):** Native VLAN 20 — ใช้ร่วมกับ Management VLAN เพื่อลดความซับซ้อน
📌 **Port 7 (SFP+):** **Block All** — Isolated Management Port ( hardened )
📌 **Port 8 (SFP+):** Trunk ไปยัง AMPCOM 2.5G Switch — **Allow All VLANs**
📌 **Port 9 (SFP+):** Router Uplink (Fixed 1Gbps) — ER7206 SFP Port 1
📌 **Native VLAN 20:** ใช้ร่วมกับ Management VLAN สำหรับทุก Trunk Port
---
### SG2428P (Access) Port Configuration
| Port | Destination | Profile | Native (Untagged) | Tagged | Voice |
|------|-------------|---------|-------------------|--------|-------|
| 1-16 | EAP610 | 004-AP-TRUNK | 20 | 10,30,40,50,70 🔥 allow all | Off |
| 17-18 | IP Phone Port 1 | 005-VOICE-ONLY | 50 | 30 | Enable (VLAN 50) |
| 19-20 | Reserved / MGMT Port | 007-DEFAULT-MGMT | 20 | None | Off |
| 21-22 | SG3210X-M2 (LACP) | 001-CORE-TRUNK-LACP | 20 | 10,30,40,50,70 | Off |
| 23 | Printer | 006-ACCESS-PC | 30 | None | Off |
| 24 | OC200 (Controller) | 007-DEFAULT-MGMT | 20 | None | Off |
| 25 | TL-SL1226P (CCTV) | 003-UNMANAGED-SWITCH | 40 | None | Off |
| 26 | TL-SG1210P (IP Phone + PC) | 003-UNMANAGED-SWITCH | 30 | 50 | Enable (VLAN 50) |
| 27-28 | Reserved / MGMT Port | 007-DEFAULT-MGMT | 20 | None | Off |
| Port | Destination | Profile | Native (Untagged) | Tagged | Voice | Network Tags |
|------|-------------|---------|-------------------|--------|-------|--------------|
| 1-16 | EAP610 | 004-AP-TRUNK | 20 | 10,30,40,50,70 🔥 allow all | Off | Allow All |
| **17-19** | **IP Phone + PC Trunk** | **005-VOICE-ONLY** | **50** | **30** | **Enable (VLAN 50)** | **Custom** |
| **20** | **Reserved / MGMT** | **007-DEFAULT-MGMT** | **20** | **—** | **Off** | **Block All** 🔒 |
| 21-22 | SG3210X-M2 (LACP) | 001-CORE-TRUNK-LACP | 20 | 10,30,40,50,70 | Off | Allow All |
| 23 | Printer | 006-ACCESS-PC | 30 | | Off | Allow All |
| 24 | OC200 (Controller) | 007-DEFAULT-MGMT | 20 | | Off | Block All 🔒 |
| 25 | TL-SL1226P (CCTV) | 003-UNMANAGED-SWITCH | 40 | | Off | Allow All |
| 26 | TL-SG1210P (IP Phone + PC) | 003-UNMANAGED-SWITCH | 30 | 50 | Enable (VLAN 50) | Custom |
| 27-28 | Reserved / MGMT Port | 007-DEFAULT-MGMT | 20 | | Off | Allow All |
📌 **IP Phone Ports (17-18) ปรับใหม่:** Native VLAN 50 (Voice) + Tagged VLAN 30 (Data for PC ที่ต่อ Port 2 ของ IP Phone)
📌 **IP Phone Ports (17-19):** Native VLAN 50 (Voice) + Tagged VLAN 30 (Data) — **3 Ports สำหรับ IP Phone Trunk**
📌 **AP Ports (1-16) ปรับใหม่:** Allow all VLANs สำหรับ future expansion — Native VLAN 20 ร่วมกับ Management
📌 **Port 20 (MGMT Hardened):** **Block All** — Isolated Management Port สำหรับ future use
📌 **SG2428P MGMT (Port 19-20, 27-28):** Access Switch ต้องการ Management IP บน VLAN 20
📌 **OC200 (Port 24):** Controller ใช้ VLAN 20 (MGMT) + **Network Tags = Block All** 🔒
📌 **OC200 (Port 24):** Controller ใช้ VLAN 20 (MGMT) และ Hardening ด้วย **Network Tags Setting = Block All** ใน OC200 UI
📌 **AP Ports (1-16):** Allow all VLANs สำหรับ future expansion — Native VLAN 20
---
## Network Diagram
### AMPCOM ZX-SWTGW218AS (2.5G Access) Port Configuration
| Port | Destination | Profile | Native (Untagged) | Tagged | Voice | Speed |
|------|-------------|---------|-------------------|--------|-------|-------|
| 1-7 | 2.5G Desktop/Laptop | 006-ACCESS-PC | 10 | — | Off | **2.5Gbps** |
| 8 | Admin Desktop | 006-ACCESS-PC | 10 | — | Off | **2.5Gbps** |
| **9 (SFP+)** | **SG3210X-M2 Port 8** | **001-CORE-TRUNK-LACP** | **20** | **10,30,40,50,70** | **Off** | **10Gbps** 🔥 |
📌 **AMPCOM Port 9 (SFP+):** Uplink 10Gbps ไปยัง Core Switch — Trunk All VLANs
📌 **Port 1-8:** 2.5Gbps Access Ports สำหรับ Admin/Desktop — VLAN 10 (NAS-ADMIN)
📌 **Admin Desktop:** ย้ายจาก SG3210X-M2 Port 8 มาที่ AMPCOM Port 8 (2.5Gbps)
---
## Network Diagram (v3.1)
```
┌──────────────┐
│ ER7206 │
│ (Trunk 20)
│ (SFP 1Gbps)
│ Port 1 │
└──────┬───────┘
┌──────────────────────────┐
│ SG3210X-M2 (Core) │
│ [Root Bridge 4096] │
│ Port 9 (SFP+ 1Gbps) │
└──────────────────────────┘
LACP 1-2 / | | | | \ Reserved
/ | | | | \
▼ ▼ ▼ ▼ ▼
SG2428P (Access) QNAP ASUSTOR Admin Reserved
[Priority 8192] (VLAN10+20) (VLAN10+20) (VLAN10)
(AP 116 Trunk)
LACP 1-2 / / | | | \
/ / | | | \
▼ ▼ ▼ ▼ ▼ ▼ Port 10
SG2428P (Access) QNAP ASUSTOR AMPCOM Reserved
[Priority 8192] (VLAN10+20) (VLAN10+20) [2.5G Access]
(AP 116) Port 8 → Admin
(VLAN 10)
Uplink SG3210XM2 (12) ↔ SG2428P (2122)
Uplink Connections:
├── SG3210X-M2 Port 1-2 (LACP) ↔ SG2428P Port 21-22
├── SG3210X-M2 Port 8 (SFP+) → AMPCOM Port 9 (SFP+ 10Gbps)
├── SG3210X-M2 Port 9 (SFP+ 1Gbps) → ER7206 Port 1 (SFP)
└── SG3210X-M2 Port 7 → [Reserved/Block All]
WiFi Staff → VLAN 30
WiFi Guest → VLAN 70
CCTV → VLAN 40
IP Phone → VLAN 50
Printer → VLAN 30
Admin Desktop → VLAN 10
NAS → VLAN 10 (+20 MGMT)
OC200 → VLAN 20
Device VLANs:
├── WiFi Staff → VLAN 30
├── WiFi Guest → VLAN 70
├── CCTV → VLAN 40
├── IP Phone → VLAN 50 (Ports 17-19)
├── Printer → VLAN 30
├── Admin Desktop → VLAN 10 (AMPCOM Port 8, 2.5Gbps)
├── NAS → VLAN 10 (+20 MGMT)
└── OC200 → VLAN 20 (Port 24, Block All)
```
---
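Review bot: the new Network Tags column is applied inconsistently to reserved ports: SG3210X-M2 Port 7 and SG2428P Port 20 are "Block All", while SG3210X-M2 Port 10 and SG2428P Ports 27-28, described with the same "Reserved / MGMT Port" label, are "Allow All". An unused port left on profile 007-DEFAULT-MGMT with native VLAN 20 and Allow All gives whatever is plugged into it untagged access to the management VLAN, so set every reserved port to Block All (the Quick Reference table further down already lists Port 10 and 27-28 that way) or disable the ports until they are needed.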
@@ -498,6 +550,7 @@ OC200 → VLAN 20
| Version | Date | Changes |
|---------|------|---------|
| 3.1 | 2026-04-28 | **Document Renamed** — Changed from `switch-configuration-guide.md` to `04-network-infrastructure-guide.md` to better reflect comprehensive scope (switches, VLAN, security, topology, AMPCOM 2.5G). **AMPCOM 2.5G Integration** — Added AMPCOM ZX-SWTGW218AS 2.5Gbps switch, SG3210X-M2 Port 8→AMPCOM SFP+ Trunk, Port 9→ER7206 SFP 1Gbps, Port 7→Block All, Port 10→Reserved. SG2428P Port 17-19→IP Phone Trunk (3 ports), Port 20→Block All. Admin Desktop moved to AMPCOM Port 8 (2.5Gbps) |
| 3.0 | 2026-04-24 | **FINAL VERSION** — STP-only (no Loop Detection), BPDU Guard on access ports, Root Guard on unmanaged switch ports, Native VLAN 20 สำหรับทุก Trunk, NAS with MGMT redundancy (VLAN 20 tagged), AP allow-all VLANs, Security Hardening section |
| 2.0 | 2026-04-24 | Updated port mappings (LACP 21-22), new VLAN scheme (30/40/50/70), consolidated CCTV/IoT to VLAN 40, added DHCP table, renamed PC-ONLY to ACCESS-PC |
| 1.0 | 2026-04-23 | Initial version with basic port profiles and VLAN mapping |
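Review bot: the 3.0 row still carries the label "**FINAL VERSION**" while the new 3.1 row supersedes it; remove the label so the history does not present two versions as final. The 3.1 row also says "Port 10→Reserved" without its Network Tags setting while Port 7 gets "Block All"; state explicitly whether Port 10 is hardened, since the port tables and the Quick Reference in this same commit give different answers.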
@@ -514,29 +567,37 @@ OC200 → VLAN 20
### SG3210X-M2
| Port | Native | Network Tags | Untagged | Tagged | Profile | Voice |
|------|--------|--------------|----------|--------|---------|-------|
| 1-2 | 20 | Allow All | 20 | All (ยกเว้น 20) | 001-CORE-TRUNK-LACP | Off |
| 3-4 | 10 | Custom | 10 | 20 | 002-NAS-LACP | Off |
| 5-6 | 10 | Custom | 10 | 20 | 002-NAS-LACP | Off |
| 7 | 20 | Block All | 20 | — | 007-DEFAULT-MGMT | Off |
| 8 | 10 | Block All | 10 | — | 006-ACCESS-PC | Off |
| 9 | 20 | Allow All | 20 | All (ยกเว้น 20) | 001-CORE-TRUNK-LACP | Off |
| 10 | 20 | Block All | 20 | — | 007-DEFAULT-MGMT | Off |
| Port | Native | Network Tags | Untagged | Tagged | Profile | Voice | Notes |
|------|--------|--------------|----------|--------|---------|-------|-------|
| 1-2 | 20 | Allow All | 20 | All (ยกเว้น 20) | 001-CORE-TRUNK-LACP | Off | LACP to SG2428P |
| 3-4 | 10 | Custom | 10 | 20 | 002-NAS-LACP | Off | QNAP LACP |
| 5-6 | 10 | Custom | 10 | 20 | 002-NAS-LACP | Off | ASUSTOR LACP |
| **7** | **20** | **Block All** | **20** | **—** | **007-DEFAULT-MGMT** | **Off** | **Hardened MGMT** 🔒 |
| **8** | **20** | **Allow All** | **20** | **All (ยกเว้น 20)** | **001-CORE-TRUNK-LACP** | **Off** | **→ AMPCOM SFP+** 🔥 |
| **9** | **20** | **Allow All** | **20** | **All (ยกเว้น 20)** | **001-CORE-TRUNK-LACP** | **Off** | **→ ER7206 SFP 1Gbps** |
| 10 | 20 | Block All | 20 | — | 007-DEFAULT-MGMT | Off | Reserved |
### SG2428P
| Port | Native | Network Tags | Untagged | Tagged | Profile | Voice |
|------|--------|--------------|----------|--------|---------|-------|
| 1-16 | 20 | Allow All | 20 | All (ยกเว้น 20) | 004-AP-TRUNK | Off |
| 17-18 | 50 | Custom | 50 | 30 | 005-VOICE-ONLY | 50 |
| 19-20 | 20 | Block All | 20 | — | 007-DEFAULT-MGMT | Off |
| 21-22 | 20 | Allow All | 20 | All (ยกเว้น 20) | 001-CORE-TRUNK-LACP | Off |
| 23 | 30 | Block All | 30 | — | 006-ACCESS-PC | Off |
| 24 | 20 | Block All | 20 | — | 007-DEFAULT-MGMT | Off |
| 25 | 40 | Block All | 40 | — | 003-UNMANAGED-SWITCH | Off |
| 26 | 30 | Custom | 30 | 50 | 003-UNMANAGED-SWITCH | 50 |
| 27-28 | 20 | Block All | 20 | — | 007-DEFAULT-MGMT | Off |
| Port | Native | Network Tags | Untagged | Tagged | Profile | Voice | Notes |
|------|--------|--------------|----------|--------|---------|-------|-------|
| 1-16 | 20 | Allow All | 20 | All (ยกเว้น 20) | 004-AP-TRUNK | Off | AP Trunk |
| **17-19** | **50** | **Custom** | **50** | **30** | **005-VOICE-ONLY** | **50** | **IP Phone (3 ports)** 🔥 |
| **20** | **20** | **Block All** | **20** | **—** | **007-DEFAULT-MGMT** | **Off** | **Hardened MGMT** 🔒 |
| 21-22 | 20 | Allow All | 20 | All (ยกเว้น 20) | 001-CORE-TRUNK-LACP | Off | LACP to Core |
| 23 | 30 | Block All | 30 | — | 006-ACCESS-PC | Off | Printer |
| 24 | 20 | Block All | 20 | — | 007-DEFAULT-MGMT | Off | OC200 |
| 25 | 40 | Block All | 40 | — | 003-UNMANAGED-SWITCH | Off | CCTV |
| 26 | 30 | Custom | 30 | 50 | 003-UNMANAGED-SWITCH | 50 | IP Phone + PC |
| 27-28 | 20 | Block All | 20 | — | 007-DEFAULT-MGMT | Off | Reserved |
### AMPCOM ZX-SWTGW218AS
| Port | Native | Network Tags | Untagged | Tagged | Profile | Voice | Speed |
|------|--------|--------------|----------|--------|---------|-------|-------|
| 1-7 | 10 | Block All | 10 | — | 006-ACCESS-PC | Off | **2.5Gbps** |
| **8** | **10** | **Block All** | **10** | **—** | **006-ACCESS-PC** | **Off** | **2.5Gbps** 🔥 |
| **9 (SFP+)** | **20** | **Allow All** | **20** | **All (ยกเว้น 20)** | **001-CORE-TRUNK-LACP** | **Off** | **10Gbps** 🔥🔥 |
### ความหมาย Network Tags Setting
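Review bot: the Quick Reference disagrees with the port tables earlier in this commit: NAS ports 3-6 are "Custom" here but "Allow All" in the SG3210X-M2 table, and SG3210X-M2 Port 10 and SG2428P Ports 27-28 are "Block All" here but "Allow All" there. This is the table an operator copies values from, so reconcile the two and keep one value per port; Custom limited to VLAN 10 and 20 for the NAS LAGs and Block All for reserved ports are the tighter choices. The AMPCOM rows also assign Omada profile names (006-ACCESS-PC, 001-CORE-TRUNK-LACP) to a switch that is not a TP-Link Omada device; if it is configured from its own web UI, mark those cells as the equivalent settings to replicate rather than profiles that can be applied.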
@@ -554,14 +615,19 @@ OC200 → VLAN 20
- [ ] สร้าง VLANs 10, 20, 30, 40, 50, 70 ใน Omada Controller (VLAN 20 = Native + Management)
- [ ] สร้าง Port Profiles 001007 ครบถ้วน (STP Mode — ไม่ใช้ Loop Detection)
- [ ] ตรวจสอบ LACP Group Configuration (Port 1-2 ↔ Port 21-22)
- [ ] **AMPCOM Setup:** เพิ่ม AMPCOM ZX-SWTGW218AS ใน Omada → Set Port 9 = Trunk, Port 1-8 = VLAN 10
- [ ] **SG3210X-M2 Port 9:** Fix Speed = 1Gbps (สำหรับ ER7206 SFP Port 1)
- [ ] **SG3210X-M2 Port 8:** เชื่อมต่อกับ AMPCOM Port 9 (SFP+) — Trunk All VLANs
- [ ] ตั้งค่า DHCP Server ตามตาราง VLAN Definitions
- [ ] ตรวจสอบว่า OC200 อยู่บน VLAN 20 และมี IP 192.168.20.x
- [ ] **OC200 Hardening:** Settings → Network → Network Tags Setting = **Block All** (เฉพาะ VLAN 20)
- [ ] **SG3210X-M2 MGMT:** ตั้งค่า Management IP บน VLAN 20 (192.168.20.x) — Port 7, 10 ใช้ VLAN 20
- [ ] **SG3210X-M2 Hardening:** Port 7 = **Block All** (Isolated MGMT)
- [ ] **SG2428P Hardening:** Port 20 = **Block All** (Isolated MGMT)
- [ ] **ER7206 MGMT:** Router มี IP บน VLAN 20 (ผ่าน Tagged) — Native VLAN 20 ใช้ร่วมกับ Management
- [ ] **SG2428P MGMT:** Access Switch ได้รับ IP บน VLAN 20 ผ่าน Uplink — ตรวจสอบใน Devices
- [ ] **AP MGMT:** EAP610 ได้รับ Management IP ผ่าน VLAN 20 — ตรวจสอบการ Adopt
- [ ] ตรวจสอบ Voice VLAN Enable บน Port 17-18 และ 26
- [ ] **IP Phone:** ตรวจสอบ Voice VLAN Enable บน Port 17-19 (3 ports) และ Port 26
- [ ] **Admin Desktop:** ย้ายเชื่อมต่อไปที่ AMPCOM Port 8 (2.5Gbps)
- [ ] กำหนด STP Priority: Core=4096, Access=8192
- [ ] สำรอง Configuration ปัจจุบันก่อน Apply
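Review bot: the item "เพิ่ม AMPCOM ZX-SWTGW218AS ใน Omada" assumes the AMPCOM switch can be adopted by the Omada controller, which manages TP-Link Omada devices only; if the AMPCOM is a standalone web-managed switch, replace the item with configuring Port 9 as an 802.1Q trunk (PVID 20, tagged 10/30/40/50/70, matching its row in the port table) and Ports 1-8 as PVID 10 untagged in the AMPCOM UI, plus a verification item that the Admin Desktop on Port 8 obtains a VLAN 10 address through the new uplink. The list also has Block All items for Port 7 and Port 20 but none for Port 10 and Ports 27-28; add them or record why those reserved ports are excluded.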