Saturday, December 22, 2018

Network Design and Topology Questions

This is my first larger network I'm designing and I want to make sure that I am doing this right. Up until this point most of my experience has been with smaller networks where the customers were not as interested in budgeting for security. Because ideally my customer wants this to be under warranty for at least 3 years, I decided to go with Juniper over Ubiquiti for the switches. For the firewall we are going with Fortinet to stay under budget and to meet their requirements for UTM. As far as access points go I plan on going with Ubiquiti due to how easily they are managed. Some of my questions will be more Juniper-related as I am cross-posting to r/Juniper; however, I figure some other people may have similar questions and it seems appropriate to post here as well.

As far as the network goes it is going to be fairly complex as far as inter-VLAN routing goes, and due to the budget the edge firewall will also handle internal security. Right now they only have around 10-15 core users, but over time this network may be expanded to provide internet access for up to 600 people. That's why for now I think it makes sense to invest more into good switches and to have a solid backbone for future expansion. In the event it needs to be massively expanded it would be as simple as replacing the firewall and buying more access switches and access points. Do you think a FortiGate 80E would be a good choice if they only need 75Mb down and 10Mb up for their WAN connection? It would also help secure traffic going from internal corporate devices to internal servers.

Some Juniper specific questions I have are on virtual chassis and connecting the two switches that will be in a virtual chassis to the core switch. I'm not sure if it would be a loop or if it would be possible for it to be considered part of a LAG. I know that it manages the two switches as one logical device, so I think it would be possible to set that up as a LAG. Here is an overview of the planned topology and how everything will be connected. I understand the copper SFP+ is not officially supported, but it will be needed to take advantage of existing infrastructure. For a setup like this would any of the switches need an Enhanced Feature License, or would it work with the base features?

For security features I am planning on segmenting the network into different VLANs and providing devices only access to what they need. All corporate devices will need to be authenticated against Active Directory with RADIUS, including wired devices. I'm wondering if it would be possible to set some sort of SNMP trap that will detect if an unauthorized device tries to connect to a port?

I would really appreciate feedback on this and to get some additional ideas.
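One way to get the "unauthorized device on a port" alert asked about above, added here as an illustration and not part of the original post: instead of (or alongside) an SNMP trap, forward the switches' 802.1X authentication syslog to a collector and flag a MAC that repeatedly fails on a port without ever authenticating there. The log line format and the sample lines below are constructed for the example and are not real Junos output.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in a simplified, hypothetical format.
# Real Junos dot1x messages differ; adjust LINE_RE to the collector's actual format.
SAMPLE_LOGS = """\
Dec 22 10:01:02 core-sw dot1xd: AUTH_SUCCESS interface=ge-0/0/5 mac=00:11:22:33:44:55 user=corp\\jdoe
Dec 22 10:01:40 core-sw dot1xd: AUTH_FAILED interface=ge-0/0/7 mac=aa:bb:cc:dd:ee:ff user=unknown
Dec 22 10:01:41 core-sw dot1xd: AUTH_FAILED interface=ge-0/0/7 mac=aa:bb:cc:dd:ee:ff user=unknown
Dec 22 10:02:10 core-sw dot1xd: AUTH_FAILED interface=ge-0/0/9 mac=de:ad:be:ef:00:01 user=guest
Dec 22 10:02:15 core-sw dot1xd: AUTH_SUCCESS interface=ge-0/0/9 mac=de:ad:be:ef:00:01 user=corp\\asmith
"""

LINE_RE = re.compile(
    r"(?P<result>AUTH_SUCCESS|AUTH_FAILED) interface=(?P<iface>\S+) "
    r"mac=(?P<mac>[0-9a-f:]{17}) user=(?P<user>\S+)"
)


def parse_events(text):
    """Extract (result, interface, mac, user) dicts from syslog text; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def unauthorized_devices(events, threshold=2):
    """Return {(iface, mac): failure_count} for MACs that failed 802.1X at least
    `threshold` times on a port and never succeeded on that same port.
    A later success on the same port clears the alert (e.g. a user retyping a password)."""
    failures = defaultdict(int)
    succeeded = set()
    for ev in events:
        key = (ev["iface"], ev["mac"])
        if ev["result"] == "AUTH_FAILED":
            failures[key] += 1
        else:
            succeeded.add(key)
    return {k: n for k, n in failures.items() if n >= threshold and k not in succeeded}


if __name__ == "__main__":
    for (iface, mac), n in unauthorized_devices(parse_events(SAMPLE_LOGS)).items():
        print(f"ALERT: {mac} failed 802.1X {n}x on {iface} and never authenticated")
```

Feed the collector's live syslog stream into parse_events instead of SAMPLE_LOGS and page on any entry the function returns.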


