This is mostly a "how would you design this" thought experiment. Constructive criticism and proposed solutions only, please. This network may never exist and the requirements have been selected far above my pay grade, so religious vendor or topology arguments are literally yelling into the wind.
We are moving to new office space. While it would be awesome to design a perfect topology and get a contractor to run drops as normal, this company has only one constant: and that is change. So as we can't really plan, we are instead planning on not being able to plan.
Our biggest current issue is that desks, offices, bullpens, or even walls move somewhat regularly as the powers that be search for optimum synergistic feng-shui. The result is that most endpoints are at the end of a hastily-installed switch daisy-chained off the nearest switch with a random number of uplinks between 1 and 6.
The idea we were kicking around to combat this is micro-segmentation. Instead of the traditional MDF/IDF, we are considering placing the access switches in the ceiling or floor immediately central to the ports it supports. This should accomplish a few things:
- Switch-to-host runs can be pre-terminated patch cables
- The long and labor-intensive runs are limited to the two fiber uplinks to the dist switches. (two per floor, likely).
- All the cabling can be run in-house with minimal effort
- Orphaned infrastructure can be completely recovered after a change.
Other requirements:
- VLANs need to span all switches in some form or another
- WiFi needs to roam across all switches
- NAC software like ISE is being considered, but not an absolute
- Most hosts need only Internet access
- VoIP phones everywhere
- Approximately 2k endpoints with a 5-year growth expected to 6k.
- We're a 100% Cisco shop, considering Cat9ks for all hardware. Possibly Nexus9k in the core.
So taking those requirements/design notes in hand, we're discussing possible L3/L2 topologies.
- There is the obvious, old-school, L2 access. We use STP (or possibly MLAG if supported) to the Dist layer, where the gateways live. This will definitely work but feels a bit dirty. I'm also worried about the failover times for VoIP.
- VXLAN or similar: underlay is L3 everywhere and we run the overlay as needed. Very attractive, but I haven't found many resources on manual configuration. Luckily, this should be an easy-to-automate network, so complex but straightforward configs are okay.
- Every access stack gets its own set of gateways and VLANs. L3 to the access layer. We over-allocate IPs so each switch can support any combination of access ports. VLAN X on switch 1 is allocated from the same supernet as VLAN X on switch 2. ACLs still work on large supernets in the dist/core layers. Downside: high IP use; 48-64 IPs per VLAN per switch. Upside: an IP not only encodes VLAN info, but also the access switch number.
- ???
I'm looking for thoughts on the above topologies, or ideas to add to them.
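As an added illustration of the third option (L3 to the access layer, VLAN X on every switch carved from one per-VLAN supernet), here is a small address-plan calculator. It is example code written for this post, not anything from the original; the supernets, the /26-per-switch carve-out and the "first usable address is the SVI" convention are assumptions. It also shows why a supernet ACL in the dist/core layer keeps matching no matter how many access switches are added.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed plan: one /16 per VLAN, each access switch gets a /26 slice
# (64 addresses) out of it. The slice index is the switch number, so an
# IP encodes both the VLAN and the access switch it was issued from.
VLAN_SUPERNETS = {
    10: IPv4Network("10.10.0.0/16"),  # data
    20: IPv4Network("10.20.0.0/16"),  # voice
    30: IPv4Network("10.30.0.0/16"),  # printers
}
PER_SWITCH_PREFIX = 26
SLICE_SIZE = 2 ** (32 - PER_SWITCH_PREFIX)


def switch_capacity(vlan):
    """How many access switches one VLAN supernet can hold."""
    return 2 ** (PER_SWITCH_PREFIX - VLAN_SUPERNETS[vlan].prefixlen)


def switch_subnet(vlan, switch_id):
    """The /26 allocated to VLAN `vlan` on access switch `switch_id`."""
    supernet = VLAN_SUPERNETS[vlan]
    if not 0 <= switch_id < switch_capacity(vlan):
        raise ValueError(f"switch {switch_id} does not fit in {supernet}")
    base = int(supernet.network_address) + switch_id * SLICE_SIZE
    return IPv4Network((base, PER_SWITCH_PREFIX))


def gateway(vlan, switch_id):
    """Assumed convention: the switch's SVI takes the first usable host."""
    return switch_subnet(vlan, switch_id)[1]


def decode(ip):
    """Recover (vlan, switch_id) from a host address, or raise if unplanned."""
    addr = IPv4Address(ip)
    for vlan, supernet in VLAN_SUPERNETS.items():
        if addr in supernet:
            offset = int(addr) - int(supernet.network_address)
            return vlan, offset // SLICE_SIZE
    raise ValueError(f"{ip} is not inside any planned VLAN supernet")


def supernet_acl_covers(vlan, switch_id):
    """An ACL entry written against the supernet matches every switch slice."""
    return switch_subnet(vlan, switch_id).subnet_of(VLAN_SUPERNETS[vlan])


def svi_config(vlan, switch_id):
    """IOS-style SVI stanza for the per-switch gateway (constructed output)."""
    net = switch_subnet(vlan, switch_id)
    return f"interface Vlan{vlan}\n ip address {gateway(vlan, switch_id)} {net.netmask}"
```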