Monday, October 21, 2019

Help with transport network architecting

My organization is implementing an instance of a global intranet at my site in five of my buildings. We’ll call that network NetX. NetX is carried through an IPsec tunnel over a black transport network. The team coming out to fully implement the network wants the black transport network up and running before taking the trip out.

Currently, a circuit is up and functional at the boundary of my site, and the black transport equipment is up and running in building 3, see picture linked below. The switch pictured in building 3 is connected to other networking equipment ending with an edge router that is connected to the outbound NetX circuit, but that’s not entirely pertinent information.

Three of my buildings have sufficient dark fiber to make direct connections from building 3 to each of them respectively using single mode fiber, but my problem is with the remaining building, labeled building 1 in the picture. This is a rather large site with several other networks so to carry all the data around we have Cisco NCS 2000 series DWDM nodes configured in an east/west ring configuration. The guy before me who had this project planned to leverage the ring as the backbone for the building 1 to building 3 connection and I’m trying to finish that effort.

Additional notes... the transport network relies on three VLANs. The subnets, per the supporting organization, need to be contiguous on all three VLANs on both sides of the building 1/building 3 trunk. There is no NCS 2000 series node in building 1, but to extend the reach of our core layer there is a distribution layer switch in building 1 to connect access layer services without the need for dark fiber between buildings 1 and 2 for each service.

The issue... I’m no DWDM admin but the way it’s been explained to me, you can create a point-to-point link that’s basically just a tunnel, transparent to the devices on either end regardless of VLANs. That would be great if I had an NCS 2000 node in building 1 but I do not; I need to go through the distro switch first. One of the three VLANs is already in use on the distro switch and it’s preferable to keep the data between services completely segregated. One leading suggestion is to use a GRE tunnel between the two NetX switches carried over the distro switch and DWDM, but I don’t know how well that will hold up trying to keep the three subnets contiguous on both sides of the tunnel. Would that mess with broadcast packets? Could that work? I understand GRE tunnels to be essentially a virtual serial connection between routers, and any intro to networking class would teach that routers separate networks, not extend them, so the contiguous VLAN requirement seems at risk with this solution. Is there any solution that you all can identify that would meet my needs?

My apologies in advance. My career has taken me into project management, and when I was in network administration it was relatively simple layer 2 stuff anyway, so you might lose me if you assume too much intelligence on my end. I’ve worked to google the situation, read up on tunneling protocols, and worked with the DWDM team to understand that system the best I can, but I’m finding all of the networking specialists on site aren’t bringing many solutions to the table, just shrugs, so I’m hoping this community might have the answers... or crush the effort definitively.

https://imgur.com/a/rqBI4Fu
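The post's core question is whether a GRE tunnel can keep three VLANs (and their broadcast traffic) intact between the two NetX switches. The following is an added example, not the poster's material or anything from the NetX project: it builds constructed sample frames and shows, at the byte level, the difference between plain GRE carrying IP (RFC 2784 protocol type 0x0800, what a router-to-router GRE tunnel does) and Ethernet-over-GRE (protocol type 0x6558, "Transparent Ethernet Bridging"). With plain GRE the tunnel ingress strips the Ethernet header, so the 802.1Q tag, the destination MAC and any non-IP broadcast such as ARP never enter the tunnel; with Ethernet-over-GRE the whole tagged frame is the payload, so VLAN IDs and broadcasts survive to the far end. The VLAN numbers, MAC addresses and packet contents are assumptions chosen for illustration; no IP options, GRE checksum or key fields are modelled.

```python
import struct

ETH_P_IPV4 = 0x0800   # EtherType / GRE protocol type for IPv4
ETH_P_ARP = 0x0806    # EtherType for ARP (not IP, so a plain GRE/IP tunnel will not carry it)
ETH_P_8021Q = 0x8100  # 802.1Q VLAN tag TPID
ETH_P_TEB = 0x6558    # GRE protocol type for Transparent Ethernet Bridging (Ethernet-over-GRE)
BROADCAST_MAC = b"\xff" * 6

# Constructed sample addresses (assumptions for the example, not from the post).
SWITCH_A_MAC = bytes.fromhex("02aa000000a1")
SWITCH_B_MAC = bytes.fromhex("02bb000000b2")


def gre_header(proto):
    """RFC 2784 base header: C=0, reserved0=0, version=0, then the protocol type."""
    return struct.pack("!HH", 0, proto)


def ethernet_frame(dst, src, vlan_id, ethertype, payload):
    """Build an 802.1Q-tagged Ethernet frame (constructed sample; FCS omitted)."""
    tci = vlan_id & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN ID
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def minimal_ipv4(src_ip, dst_ip):
    """A 20-byte IPv4 header with no payload, enough to show what GRE carries."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src_ip, dst_ip)


def split_frame(frame):
    """Return (dst_mac, vlan_id_or_None, ethertype, payload) for a frame."""
    dst = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return dst, tci & 0x0FFF, inner_type, frame[18:]
    return dst, None, ethertype, frame[14:]


def l3_gre_encapsulate(frame):
    """Plain GRE as a router uses it: the Ethernet header (and VLAN tag) are stripped at
    the tunnel ingress and only the routed IP packet is carried.  Non-IP traffic such as
    ARP broadcasts is not routed and therefore never enters the tunnel."""
    _dst, _vlan, inner_type, payload = split_frame(frame)
    if inner_type != ETH_P_IPV4:
        raise ValueError("plain GRE/IP tunnel only carries IP packets; frame not forwarded")
    return gre_header(ETH_P_IPV4) + payload


def l2_gre_encapsulate(frame):
    """Ethernet-over-GRE: the entire tagged frame is the payload, header and all."""
    return gre_header(ETH_P_TEB) + frame


def describe(gre_packet):
    """Decode a GRE packet and report which layer-2 details reached the far end."""
    _flags, proto = struct.unpack("!HH", gre_packet[:4])
    payload = gre_packet[4:]
    info = {"proto": proto, "vlan": None, "dst_mac": None, "broadcast": False}
    if proto == ETH_P_TEB:
        dst, vlan, _type, _data = split_frame(payload)
        info.update(vlan=vlan, dst_mac=dst, broadcast=(dst == BROADCAST_MAC))
    return info


# Constructed sample traffic: a unicast IP packet on VLAN 10 and an ARP broadcast on VLAN 20.
IP_FRAME = ethernet_frame(SWITCH_B_MAC, SWITCH_A_MAC, 10, ETH_P_IPV4,
                          minimal_ipv4(bytes([10, 0, 10, 1]), bytes([10, 0, 10, 2])))
ARP_FRAME = ethernet_frame(BROADCAST_MAC, SWITCH_A_MAC, 20, ETH_P_ARP,
                           b"\x00\x01\x08\x00\x06\x04\x00\x01")  # ARP request prefix (constructed)


def compare(frame):
    """Run one frame through both encapsulations; None means the L3 tunnel dropped it."""
    try:
        l3 = describe(l3_gre_encapsulate(frame))
    except ValueError:
        l3 = None
    return {"plain_gre": l3, "ethernet_over_gre": describe(l2_gre_encapsulate(frame))}


if __name__ == "__main__":
    for name, frame in (("IPv4 on VLAN 10", IP_FRAME), ("ARP broadcast on VLAN 20", ARP_FRAME)):
        print(name, compare(frame))
```

The takeaway for the design in the post: a routed GRE tunnel between the two switches is a layer-3 hop, so the VLAN tags and broadcast domains end at the tunnel interfaces; keeping the three subnets contiguous on both sides needs a layer-2 tunnel (Ethernet-over-GRE, L2TPv3 pseudowire, VXLAN, or a transparent DWDM circuit), and which of those the platforms involved actually support has to be confirmed against their documentation.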


