Monday, April 15, 2019

Hiccups in my proposed network re-design?

We are looking to improve security, manageability, and resiliency on the company network. I am looking for your experience and wisdom on my plans below.

Currently there are a few VLANs:

  • Data VLAN is a /16 and is currently used for almost everything: workstations, servers, PLCs/building control, IP cameras, printers, switch management IPs, and so on. There are around 150 nodes on this network.
  • Voice
  • WLAN Management (for CAPWAP APs)
  • External (for public IP's)
  • Guest Wi-Fi

There are 5 plants and a number of other small locations around the campus with switches. The total environment is about 30 switches.

Most of the switches require fewer than 24 ports, aside from the plant with all of the offices. Each switch has some combination of the following connected:

  • AP
  • PLC/Building control
  • IP Phone
  • ATA
  • IP Security Camera
  • Printer
  • Workstation
  • Device with a requirement for a public IP that is not managed by us.

Currently this is all a single layer 2 network. There is a fiber ring between the 5 plants, but none of the switches currently have redundant links.

Three of the plants are on one side of the road, two are on the other. The other various buildings are all over on each side.

The office switch on one side of the road and a switch on the opposite side of the road are performing HSRP for the data VLAN.

The current setup is a security, manageability, and resiliency nightmare. These are the items I wish to improve.

My working plan:

This is a larger network than I have worked on in the past. Having done some reading of design guides, routed access seems to be the current recommendation when practical. This may not be entirely practical here, since many of these switches have 5 or fewer devices connected, but here is my working plan:

Step 1 will be to separate these devices onto their own subnets.

Proposed subnets:

  • Office PCs
  • Office laptop Wi-Fi
  • Printers
  • Voice
  • Servers
  • Management (switches, AP controller, UPSs, PDUs, building management, ...). I am strongly considering separating building management from this.
  • DMZ
  • Secure IT network (for jumpboxes to management and other things) (out of scope for this project)
  • Guest Wi-Fi
  • Guest wired
  • WAN
  • An unused VLAN to put inactive ports in.

For this step, we will probably use the firewall as the default gateway for the subnets that require higher security and no internet access (PLCs/building control, security cameras, management network).

As mentioned, there is a switch on each side of the road running HSRP; this pair will continue to be the default gateway for the user wired and Wi-Fi networks, the printer network, and so on.

Step 2. This is where I will be working in new territory:

If my understanding from reading is correct, the next part of my plan would be to bring the default gateway for all of the networks to the HSRP switches. I believe I can use VRFs to separate the routing tables for things like the management and building control networks. This way, routing between these networks could still be performed by the firewall, while the HSRP switches provide the gateway for some redundancy.
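The following is an added example, not configuration from the author's network, illustrating both Step 1 (separate VLANs, parking VLAN for inactive ports) and Step 2 (an HSRP gateway on the switch pair, with the management VLAN in its own VRF whose only exit is the firewall). VLAN IDs, interface names and all addresses are assumptions constructed for the example.

```cisco
! Added example, not the author's config. Assumed: VLAN 10 = office PCs (global
! routing table), VLAN 20 = management in VRF MGMT, VLAN 900 = transit to the
! firewall inside VRF MGMT, VLAN 999 = parking VLAN for unused ports. Addresses
! are constructed. Shown for the primary HSRP switch; the peer uses .3 addresses
! and a lower standby priority.
ip routing
vrf definition MGMT
 address-family ipv4
 exit-address-family
!
vlan 10
 name OFFICE-PC
vlan 20
 name MGMT
vlan 900
 name FW-TRANSIT-MGMT
vlan 999
 name UNUSED
!
! User VLAN: the gateway lives on the HSRP pair in the global routing table.
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 standby 10 preempt
!
! Management VLAN: same HSRP redundancy, but in its own routing table, so it
! cannot reach the user subnets except through the firewall.
interface Vlan20
 vrf forwarding MGMT
 ip address 10.20.0.2 255.255.255.0
 standby version 2
 standby 20 ip 10.20.0.1
 standby 20 priority 110
 standby 20 preempt
!
! Transit link to the firewall inside the VRF; the firewall is the only exit.
interface Vlan900
 vrf forwarding MGMT
 ip address 10.200.0.2 255.255.255.248
!
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.200.0.1
!
! Inactive access ports are parked in the unused VLAN and shut down.
interface range GigabitEthernet1/0/40 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
```

The global routing table still needs its own default route toward a firewall interface outside the VRF (not shown), and the firewall policy decides what, if anything, may cross between the two. Older IOS releases on EoL models use the `ip vrf MGMT` / `ip vrf forwarding MGMT` form instead of `vrf definition` / `vrf forwarding`.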

If I do not go to full OSPF routing for each plant, at this point I would at a minimum like to set up a separate L3 domain for each side of the road using the HSRP switches.

I believe at this point I could begin to add redundant connections for some of the more important switches: they could each have an L2 link to a switch on their side of the road and one on the other side, using redundant fiber paths in the ring.

Maybe an OSPF design is the way to go at some point. I will begin looking into that.

I may even precede step 1 by setting up an EtherChannel link between the HSRP switches for now, using redundant paths. Utilizing RSTP+ at the present time for redundancy does not seem practical. I did some reading, and our STP diameter is already huge even without any redundant links. This is due to the layout and current connection scheme of all the switches.

This is an entirely Cisco switching environment at present. Most models are EoL.

The "Core switch" will be getting replaced this year. The "Core switch" is currently the switch in the plant with the offices. It is a stack of 6 switches that has the WAN links, firewalls, workstations, servers, printers, APs, and many of the other switches connected to it. It is one of the HSRP switches.

At some point I hope to put a pair of core/distribution switches on each side of the road and have those link down neatly to as many of the other switches as I can. This would allow the giant stack nearest the offices to become an access switch. We could then also have a separate pair of access switches to connect the servers and infrastructure to.

Am I way off base with any of this? Does any of this seem wildly out of order to you? Am I making any mistakes that will end up causing the need to repeat a ton of work?

I also need to research some design guides that cover using loopback addresses for L3 router links at some point.
