Monday, April 12, 2021

Joining RSTP over OpenVPN; is this a dumb idea?

Diagram of what I am thinking about

The situation: we are a controls company, and we are contemplating building a secure, isolated network on top of existing IP infrastructure we don't control, where a portion of it may also need to go over the public internet.

I am pretty familiar with running an OpenVPN server in TUN mode and routing traffic from router to router using different virtual IP subnets. The problem with TUN mode is that some newer controllers now have RSTP, with the benefits that brings in daisy chains and redundant loops, and we want to take full advantage of that.

RSTP Ring 1: We would like to be able to hang a loop off a VPN device directly, but research suggests the Edgerouter itself doesn't support RSTP loop blocking, hence the addition of Edgeswitches. No big deal, and this doesn't require OpenVPN TAP.

RSTP Ring 2: We would also like the possibility of going from location to location in a ring network. This would look more like a daisy chain starting in one Edgeswitch and ending in another, with the TAP OpenVPN network between the two ends completing the ring and the Edgeswitches handling RSTP blocking for it. In theory this adds redundancy: if an Edgerouter went missing, or the ring itself was broken somewhere, each half could still be reached.

Something I'm not sure about: in TAP mode, can the OpenVPN network on the server have no connection to the customer's LAN, the way it can in TUN mode if you don't add the "route" directive?
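As an added example (not from the original post, and not an EdgeOS or Ubiquiti configuration), here is an OpenVPN server config in TAP mode where the tunnel segment stays isolated from the host's own LAN. The interface names, subnets and key paths are assumptions for illustration. The isolation comes from what is left out: nothing bridges `tap0` with the customer-facing interface, no LAN route is pushed, and the host is not set up to forward between the two.

```conf
# Added example, not the original post's config. Paths, subnets and interface
# names (tap0, eth0, 10.8.0.0/24, 192.168.1.0/24) are placeholders.
port 1194
proto udp
dev tap0                      # layer-2 tunnel: whole Ethernet frames cross it

# Identity and key material (placeholder paths)
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
tls-crypt /etc/openvpn/pki/tc.key   # authenticate and encrypt the control channel
cipher AES-256-GCM
remote-cert-tls client              # only accept peers whose cert is marked as a client cert

# "server" works for tap as well as tun: tap0 becomes 10.8.0.1/24 and clients
# get addresses from the same pool. tap0 is NOT bridged with eth0 (the
# customer LAN), so the VPN segment is its own layer-2 domain.
server 10.8.0.0 255.255.255.0

# Deliberately absent:
#   push "route 192.168.1.0 255.255.255.0"   (would advertise the LAN to clients)
#   client-to-client                          (peers reaching each other via the server)
# Also keep the host from forwarding between tap0 and eth0 (no FORWARD accept
# rule for that pair, ip_forward off if the box routes nothing else).

# For the "Ring 2" design the tap would instead be bridged with the port facing
# the Edgeswitch; that variant replaces the "server" line above with something like:
#   server-bridge 10.8.0.1 255.255.255.0 10.8.0.50 10.8.0.100
# and the OS puts tap0 and that physical port into one bridge (br0).

keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

Two practical caveats for the bridged variant: a Linux software bridge does not pass STP BPDUs through transparently; with STP disabled it drops them, and with STP enabled the bridge itself becomes a participant (classic STP, not RSTP), so each VPN endpoint is a node in the ring's spanning tree rather than a plain wire. And because hello/aging timers now run over a tunnel with internet latency and loss, it is worth confirming on the Edgeswitches which port ends up blocked and how long reconvergence takes when the tunnel, rather than a copper link, is the one that fails.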


