Friday, August 31, 2018

Small Enterprise Network Design Questions

Hi all,

I'm hoping to get some help and feedback on how to best design (redesign?) my enterprise's network. I'm not aware of all the technologies available in our field - some I'm aware of but don't know well enough to be designing an enterprise network. I'm a recent college grad with my CCNA. I started recently at this organization and the network design seems off. Don't get me wrong, it's been working this way for years but I think we can do better. Where I struggle is wrapping my head around what to do in an attempt to fix it. I'll do my best to explain the current state and end goals clearly. Any thoughts/comments/feedback/suggestions/etc. are much appreciated.

Current state:

  • Static routing everywhere, with the exception being that if a branch office ISP goes down, the VPN goes down and the appropriate devices remove that VPN route from their routing tables
  • Full mesh, site to site VPN (primary)
  • Hub and spoke VPN (backup)
  • Two ISPs in branch offices
  • Here's a diagram of the current state: https://imgur.com/zQfxvbo It's not pretty but it gets the job done for now. I put some small firewall symbols on some routers because we use our firewalls for routers in some places

IP Addressing Scheme:

  • All /24
  • .0 - .69 located in HQ
  • .128 - .133 located in Colo
  • .135 - .136 located in Colo
  • .138 - .139 located in Colo
  • .151 - .153 located in Colo
  • Anything >= .70 excluding mentioned colo subnets are branch offices

Notes:

  • Site to Site VPN was implemented 5 years ago by current Sr. Net Eng specifically for VoIP traffic. This improved VoIP quality immensely according to him
  • No CoS or QoS used
  • DMZ/PCI at HQ and Colo
  • Currently working on BGP for HQ. Two routers with VRRP and iBGP between them, eBGP with the two ISPs, then a FHRP - the "usual" BGP setup
  • HQ services ALL DNS/DHCP requests
  • HQ is where 98% of resources live
  • Also working on separating sensitive/Datacenter subnets from the rest of the enterprise. We'd likely do this with a new core for routing, then connect said core to the current switch fabric and implement ECMP routing
  • Here's a diagram of some initial thoughts on topology changes to accommodate for all the things I'm asking about in this post: https://imgur.com/tKLrPtN
  • Currently use Fortinet firewalls. They're almost 5 years old now so in the near future we'll be evaluating a different solution

End Goals:

  • Have a logically laid out IP addressing scheme (I don't think our current scheme is that great)
  • Interested in dynamic routing but not sure how to implement, specifically because of branch offices
  • Implement North-South firewalling
  • Branch offices need to have seamless failover (if the primary ISP fails, the backup connection kicks in and routes properly)

Questions:

  • What's the best way to implement a dynamic routing protocol, whether it's OSPF, iBGP, etc in the enterprise?
  • Is there a need for a full mesh and hub and spoke if SD WAN is implemented properly?
  • How would SD WAN be implemented properly?
  • To achieve logical, simple routing, we may need to re-IP some subnets?
  • Where is the best place to terminate the MetroEthernet?
  • Is the network not as bad as I think it is? Should we keep doing what we're doing with only minor changes?

I'm sure I've forgotten things that would help you all respond but hoping that questions will come up and I'll be able to edit the post to include more info. What I really want to get out of this post is to understand how dynamic routing can work in our environment. I mentioned all the other stuff just to make everyone aware of some other initiatives. In the end, it all needs to work together - which is where I'm struggling. Thanks for any help - it's much appreciated.

Edit 00: Oh my gosh this formatting is horrendous. I apologize, trying to fix it currently.

Edit 01: I SUCK at Reddit formatting. Also adding IP addressing - I forgot to put it in and realized it'd be helpful for some of the questions I have.

Edit 02: I figured out that there is a new way to format on Reddit. It looks somewhat acceptable now. Sorry about that.
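The re-IP question above ("to achieve logical, simple routing, we may need to re-IP some subnets?") can be answered by counting how many summary prefixes each site would have to advertise under a dynamic routing protocol. This is an added example, not code from the original post; it models the poster's third-octet ranges and assumes a 10.0.0.0/16 supernet, which the post does not state.

```python
import ipaddress

# Assumed supernet: the post only gives third-octet ranges, not the /16 they sit in.
SUPERNET = ipaddress.ip_network("10.0.0.0/16")

# Inclusive third-octet ranges exactly as the post lists them.
CURRENT_PLAN = {
    "HQ":   [(0, 69)],
    "Colo": [(128, 133), (135, 136), (138, 139), (151, 153)],
}

def subnets_for(ranges):
    """Expand inclusive third-octet ranges into the /24s they name."""
    base = int(SUPERNET.network_address)
    return [ipaddress.ip_network((base + (octet << 8), 24))
            for lo, hi in ranges for octet in range(lo, hi + 1)]

def branch_subnets(plan):
    """Per the post: every /24 at or above .70 that is not a Colo subnet."""
    colo = set(subnets_for(plan["Colo"]))
    return [net for net in subnets_for([(70, 255)]) if net not in colo]

def summaries(subnets):
    """Smallest set of prefixes covering exactly these /24s.

    Exact cover matters: a single larger prefix would be shorter to type but
    would also claim address space the site does not own, pulling traffic for
    other sites' subnets toward it."""
    return list(ipaddress.collapse_addresses(subnets))

def summary_report(plan=CURRENT_PLAN):
    """Map site name -> summary prefixes it would advertise as strings."""
    sites = {name: subnets_for(ranges) for name, ranges in plan.items()}
    sites["Branch"] = branch_subnets(plan)
    return {name: [str(p) for p in summaries(nets)] for name, nets in sites.items()}

if __name__ == "__main__":
    for site, prefixes in summary_report().items():
        print(f"{site}: {len(prefixes)} prefixes -> {', '.join(prefixes)}")
```

Under the current plan HQ needs 3 prefixes and Colo 7, because the ranges are not aligned on power-of-two boundaries; swapping in a plan whose ranges are aligned (for example .0-.63 for HQ) collapses each site to one prefix, which is the concrete payoff of a re-IP.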
