Monday, October 5, 2020

Creating a new 'sandbox' network that will eventually replace existing production network

Evening r/networking! This is long and will probably be rambling. I'll try and stick to the facts and stay on track. My background is 15+ years as a jack-of-all trades 'computer guy'. Basic networking, end user support, system administration, etc. This will be by far the largest project I've been involved with and I think it can really help me move in to some new areas of responsibility to escape the 'helpdesk' parts of my work and grow. I've really fallen into a new set of roles (networking and security) so I'm learning as I go and trying not to hyperventilate. :)

Our current network is a bit of a mess, and I've been given the opportunity to build a new sandbox with the hope of it eventually being our new home. Our organization is becoming part of a new entity (5-6 divisions combining to 1 new one), so now is the time for planning and testing to get it right.

The current config is a bit of a mess. A 5516 ASA provided by our ISP (who also controls the AD forest our domain is a part of) feeding a Cisco 4507 'core' switch in our data center, which feeds 3850 stacks located in other areas of the building as access switches. *Lots* of VLANs (closet A, wireless, wireless guest, VoIP, servers, security cameras, management, etc., etc.) with 10.x.x.x subnets; the IP blocks were provided by our ISP, as they route them all over 'their' network to lots of other divisions/agencies.

IP routing is enabled at the core, so it is functioning as the gateway for all of our various subnets. No ACLs or firewalling are in place to control access between VLANs, with the exception of only allowing the IT network access to the 'management' network which contains our switches.

Our AD setup is similarly messy; DNS resolution issues, DHCP errors, trouble with GPO propagation, messy share permissions, etc.

We've been assigned a new 10.x.0.0/16 to begin our sandbox build. Part of this build will be a new AD domain (moving from CORP.forest.com to NEWCORP.forest.com) to migrate our users to long term.

What I'm struggling with wrapping my head around now is where/how to start. Our ISP will handle routing the new IP block to the ASA as well as provisioning our new domain.

I would like to keep the new network as isolated from the current mess as possible (direction old to new), with the exception of allowing access from our existing 'IT' network so we can do the build-out.

My thought is to get a firewall set up (possibly pfSense or Untangle?) to sit between the two systems. I'll give it a couple of ports from our core switch on one side and a couple of new switches in the sandbox rack (looking to re-purpose a 9300 for data/LAN connectivity and maybe a 3850 to group together 'management' things) to feed our new hypervisors that will form the core of the new AD domain and allow us to build out from there.

I can have our provider route part (or all) of the /16 toward us to get started.

I have a grip on creating the domain, DNS, new servers, etc. But the networking part has me struggling. Any random info you might have would be appreciated; even if it's "Hey, look through the Cisco docs on private VLANs."
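As an added illustration of the firewall policy the post sketches (old network to sandbox locked down to the IT VLAN only, nothing initiated from the sandbox allowed back into the old internal subnets), here is a pf ruleset of the kind that would sit on a pfSense or FreeBSD box between the 4507 core and the sandbox 9300. This is example configuration written for this page, not the poster's config and not pfSense's own defaults; pfSense normally generates pf rules from its GUI, so this is the underlying pf.conf equivalent. The interface names (em0/em1), the IT VLAN (10.10.50.0/24), the sandbox /16 (10.200.0.0/16) and the list of existing internal subnets are all assumptions, since the post gives only "10.x".

```pf
# Assumed interface names and subnets; none of these values come from the original post.
old_if  = "em0"              # uplink to the existing 4507 core (old network, default route to the ASA)
sb_if   = "em1"              # downlink to the sandbox 9300
it_net  = "10.10.50.0/24"    # assumed: existing 'IT' VLAN that is allowed into the sandbox
sandbox = "10.200.0.0/16"    # assumed: newly assigned sandbox /16

# Assumed list of the old internal 10.x subnets the sandbox must not initiate traffic into.
# Everything else reachable via $old_if (e.g. the ISP/Internet through the ASA) is still allowed.
table <old_nets> { 10.10.0.0/16, 10.11.0.0/16, 10.12.0.0/16 }

set skip on lo0
set block-policy drop

# Default deny in both directions, logged to pflog so anything not matched below is visible.
block log all

# Old -> new: only the IT VLAN, and only to sandbox addresses.
# pf states are floating by default, so the state created here on $old_if also passes the
# forwarded packet out $sb_if and the replies back in on $sb_if without extra rules.
pass in quick on $old_if inet proto { tcp udp } from $it_net to $sandbox keep state
pass in quick on $old_if inet proto icmp from $it_net to $sandbox icmp-type echoreq keep state

# New -> old: explicitly drop anything the sandbox initiates toward old internal subnets.
# 'block log all' above already covers this; stating it makes the intent obvious in the ruleset.
block in log quick on $sb_if inet from $sandbox to <old_nets>

# New -> elsewhere: let the sandbox reach non-old destinations (Internet via the ASA) statefully.
pass in quick on $sb_if inet from $sandbox to ! <old_nets> keep state

# Drop packets arriving on the sandbox side with source addresses that do not belong there.
antispoof log for $sb_if inet
```

Two checks worth doing once this is loaded (`pfctl -nf /etc/pf.conf` to syntax-check, `pfctl -sr` to confirm rule order): from a host on a non-IT old VLAN, a TCP connection to a sandbox address should time out and show up in `pflog`, and from a sandbox host a connection to one of the <old_nets> addresses should do the same, while a connection out to the Internet through the ASA still works. Because `quick` rules are first-match, the order of the `pass in` and `block in` lines above matters; do not reorder them.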
