Thursday, October 22, 2020

New Network Design Insight/Sanity Check

Hello r/networking,

We will be designing a new network for our new building and just wanted to run this by the community for any additional insight. I am a bit rusty as I've spent less time in in-depth networking for the last 4 years.

Design:

The network will be following a collapsed core/dist design. The core switch is pure SFP+, full L3, while the access will be L2 stacked, connected directly to the core via SFP+ fibre. The core switch has redundant PSUs and I will be pushing for another one next year to allow for further redundancy.

Each location will have dedicated DATA/INFRASTRUCTURE/VOIP VLANs with interfaces for each on the core. There will be 2 WIFI (internal / guest) VLANs shared across all access switches (we do not plan to tunnel clients at this stage at the AP level).

There will be a separate SERVER VLAN (loc 4 in the diagram) which will house all our virtual hosts and related hardware. There will also be a separate VLAN for management interfaces (OOB, iDRAC, etc.).

ACLS:

  • Guest can only access the perimeter firewall (for internet).
  • MGMT/INFU can only be accessed via SERVER VLAN or specific IP's
  • All data/wifi VLANs can access each other, as well as SERVER VLAN.
  • All VoIP VLANs can access each other, as well as server VLAN (PBX)

Wiring:

  • Stack members will have 20gbps between themselves.
  • Loc 1,4 will have 4 SFP+ uplinks each (2 top, 2 bottom of the stack)
  • Loc 2,3 will have 2 SFP+ uplinks each (1 top, 1 bottom of the stack)
  • Perimeter will have 4 SFP+ uplinks (2 to each UTM in active/passive)

QoS:

  • VoIP VLANs will be tagged appropriately, followed by management, then best effort for everything else. Will consider doing PVST to split traffic across links.

Diagram: (it was pretty rushed, need to draw a better one later): https://imgur.com/a/KA91Wpo

A possible change: due to the VoIP system possibly being moved to the cloud, the phones might need to be on the same VLAN to talk to each other directly, so I might have to span that VLAN across all switches, which won't be great I think, but we have decent backhaul.

Now I know the question will come up: "why not L3 at the access/edge?". At this stage, those up high requested that they would prefer everything routed through a central point (we also have MPLS which will be wired into that core, currently passing traffic along via static routes, which I plan to move to BGP in the future).

Apologies for any bad terminology/explanation (rusty) and thanks for any insight/advice.

edit: fixed formatting a bit
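The ACL bullets above describe who may initiate traffic to whom, but an ACL applied inbound on a core SVI is stateless: the reply packets of a DATA-to-SERVER session arrive on the SERVER SVI and are judged by that VLAN's inbound ACL, which the policy as written never permits. The following is an added example, not part of the original post, that encodes the four policy bullets as a small model, lists the one-directional flows that need explicit return-traffic entries, and renders an illustrative inbound ACL per VLAN. The subnets, zone names, the single "specific IP" allowed into MGMT, the IOS-style ACL syntax, and the assumption that staff and VoIP VLANs also reach the perimeter firewall for internet are all assumptions of the example; anything the post does not list is denied by default.

```python
"""Model of the inter-VLAN ACL policy from the post (added example).

Subnets, zone names, the MGMT host allow-list and the IOS-style ACL
syntax are assumptions for illustration, not values from the post.
"""
import ipaddress

# Hypothetical addressing, one /24 per VLAN (assumption).
ZONES = {
    "GUEST":     "10.0.90.0/24",
    "DATA1":     "10.0.11.0/24",   # loc 1 DATA
    "DATA2":     "10.0.12.0/24",   # loc 2 DATA
    "WIFI_INT":  "10.0.80.0/24",
    "VOIP1":     "10.0.21.0/24",
    "VOIP2":     "10.0.22.0/24",
    "SERVER":    "10.0.40.0/24",
    "MGMT":      "10.0.99.0/24",   # OOB / iDRAC interfaces
    "PERIMETER": "10.0.1.0/24",    # transit VLAN towards the UTM pair
}
USER = {"DATA1", "DATA2", "WIFI_INT"}
VOIP = {"VOIP1", "VOIP2"}
# The "specific IP's" allowed into MGMT besides the SERVER VLAN (assumed value).
MGMT_ALLOWED_HOSTS = {ipaddress.ip_address("10.0.11.10")}


def allowed(src, dst, src_ip=None):
    """True if a flow *initiated* in zone src towards zone dst is permitted.

    Encodes the four ACL bullets of the post. src_ip is the initiating host
    and is only consulted for the MGMT host allow-list. Internet access via
    PERIMETER for staff and VoIP zones is assumed; the post states it only
    for GUEST. Everything not listed is denied.
    """
    if src == dst:
        return True
    if src == "GUEST":                       # guest: perimeter firewall only
        return dst == "PERIMETER"
    if dst == "MGMT":                        # mgmt: SERVER VLAN or listed hosts
        if src == "SERVER":
            return True
        return src_ip is not None and ipaddress.ip_address(src_ip) in MGMT_ALLOWED_HOSTS
    if src in USER:                          # data/wifi <-> data/wifi, -> SERVER
        return dst in USER or dst in {"SERVER", "PERIMETER"}
    if src in VOIP:                          # voip <-> voip, -> SERVER (PBX)
        return dst in VOIP or dst in {"SERVER", "PERIMETER"}
    return False                             # SERVER/MGMT/PERIMETER initiate nothing


def asymmetric_flows():
    """Flows permitted in one direction only.

    With stateless SVI ACLs the responder's inbound ACL sees the replies, so
    each of these needs an explicit return-traffic entry or the session breaks.
    """
    names = sorted(ZONES)
    return sorted((s, d) for s in names for d in names
                  if s != d and allowed(s, d) and not allowed(d, s))


def _wild(zone):
    """'network wildcard' pair as IOS-style ACLs expect it."""
    net = ipaddress.ip_network(ZONES[zone])
    return f"{net.network_address} {net.hostmask}"


def render_acl(zone):
    """Render an illustrative IOS-style inbound ACL for the zone's SVI."""
    lines = [f"ip access-list extended VLAN-{zone}-IN"]
    # Host-specific MGMT exceptions first (most specific entries on top).
    for host in sorted(MGMT_ALLOWED_HOSTS):
        if host in ipaddress.ip_network(ZONES[zone]):
            lines.append(f" permit ip host {host} {_wild('MGMT')}")
    for dst in sorted(ZONES):
        if dst != zone and allowed(zone, dst):
            lines.append(f" permit ip {_wild(zone)} {_wild(dst)}")
    # Replies to sessions that other zones initiated towards this one.
    # 'established' covers TCP only; UDP replies (DNS, SIP/RTP) need narrow
    # per-port permits or a stateful device in the path instead.
    for src, dst in asymmetric_flows():
        if dst == zone:
            lines.append(f" permit tcp {_wild(zone)} {_wild(src)} established")
    if zone == "MGMT":
        for host in sorted(MGMT_ALLOWED_HOSTS):
            lines.append(f" permit tcp {_wild(zone)} host {host} established")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


if __name__ == "__main__":
    print("one-way flows needing return entries:", asymmetric_flows())
    for z in ("GUEST", "DATA1", "SERVER", "MGMT"):
        print(render_acl(z), end="\n\n")
```

Running the block prints the one-way flows (every DATA/WIFI/VoIP zone towards SERVER, GUEST towards PERIMETER, SERVER towards MGMT) and the rendered ACLs; the `established` entries are the part that is easy to forget when the policy is written as "who can access what", and they are the reason a stateful firewall between the user VLANs and SERVER/MGMT is often preferred over SVI ACLs for anything beyond TCP.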
