Wednesday, July 7, 2021

Campus VLAN Design

We have a single campus LAN.

This is what my topology currently looks like:

https://imgur.com/a/1ZrCXTG

The picture with the VLANs is just an example. The real network has many more VLANs than this, of course. You can see that the two VLANs I've shown here are being spanned across the ENTIRE campus! That's an exception though, one that I'm trying to put right nonetheless, because most other VLANs only stretch from building A back to the core VSS pair, or from building B back to the core, etc.

So currently all VLANs are directly connected subnets hanging off the core VSS pair. Some stretch right across the campus, some only down into particular buildings. I am already definitely thinking about pushing IP routing down into each building, away from the core, so that we can instead have these two main core VSS switches only performing IP routing between subnets, to ultimately minimize STP, and move away from the topology shown above to something new like this:

https://imgur.com/a/KjA2bxg

...or even this next one, where the same VLAN is somehow tunnelled over VXLAN or something...

https://imgur.com/a/uDqrxAK

Bringing Layer 3 down to the distribution switches in each building isn't what I'm asking for help with here. Basically, the reason I've shown you all this is that some of the VLANs here are in the process of being re-classified as Operational Technology (OT), and we're in the process of moving all our OT subnets behind a new firewall pair which I've already built. This FW pair is centrally positioned in the two server rooms, as you can see in the pics.

I'm just exploring the idea of having a VLAN per application/system that isn't limited by geography. Is this something VXLAN would help with?

As mentioned, some VLANs currently span further than a single building, which is not ideal from a network engineering perspective. Some are spanning to multiple downstream buildings from the core. Ideally the VLANs should obviously be localized as much as possible, unless there's a reason to span them across campus; I don't think that's the case here, btw. But at the same time, I think it would be better to have all the stuff for a particular app/system sitting in its own subnet. For example... we have a building management system with outstations spread out across the entire campus, all in different subnets. This whole system needs to be put behind our new firewall. It would be easier to manage and more efficient if all these outstations and the management server for this building management system were all on their own subnet. But with it all currently spread out across multiple different subnets/VLANs across the campus, I'm wondering how I'd go about putting it all on one subnet. Is it possible?

Otherwise, for example, I'll just have to push IP routing down to the individual buildings and then create a dedicated VLAN and SVI in each building/area for just the outstations in that building/area only. But given the limited number of VLANs we can create on this new firewall we're putting it all behind, that has me wondering if this is really a waste of VLANs. In the face of this, you'd likely just tell me to buy a beefier firewall with more VLAN capacity, but that's not an option. I'm not sure what the best thing to do is.
