Thursday, August 26, 2021

Best way to utilize transparent LAN service between sites?

I'm a little stuck trying to plan some network changes for a business, mostly because while I'm pretty familiar with VLANs and such, I'm not super familiar with routing and service provider level networking.

Right now our head office has fibre internet. Instead of internet connections at our branch offices, the fibre provider also gives us transparent LAN service between head office and the branches at different buildings. It all goes through the same fibre connection, with different VLAN tags for the internet and each site. On the firewall (pfSense) at the head office, we've got several VLANs set up for each site, using QinQ to double-tag the traffic heading to the branch offices. The branch offices just have a QinQ-capable switch that adds/removes the service provider VLAN tags over top of the local VLANs and breaks it out into the different networks.

It works fine, but I feel like this isn't great for a couple of reasons:

  • All the broadcast traffic from the branch offices has to needlessly go over the transparent LAN service.
  • Managing all the separate VLANs as we add more offices from that one pfSense box is getting a little cumbersome. It would be nice if each branch office had its own pfSense firewall and did most of the work there, with the head office one just sending the traffic to the appropriate VLAN at head office or to the internet.
  • I'd prefer that the site-to-site traffic be encrypted, so if the fibre provider screws something up, nobody is getting access to our internal VLANs. It's not an actual requirement though.

So what's the best way to set up a network where you have several branch offices connected by transparent LAN service, each with several separate VLANs, and internet only at the head office?
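To make the double tagging described in the post concrete, here is an added example (not code from the post or from pfSense): a small Python parser that peels the provider's outer 802.1ad S-tag and the inner 802.1Q C-tag off a frame, maps them to a constructed site/VLAN table, and flags broadcast frames of the kind that needlessly cross the transparent LAN service. The TPIDs are the standard ones; the VLAN IDs, site names and the sample ARP frame are assumptions, not the poster's real values.

```python
import struct

ETH_P_8021AD = 0x88A8   # outer S-tag TPID for 802.1ad providers (some use 0x8100 for both tags)
ETH_P_8021Q = 0x8100    # inner C-tag TPID (the customer's own VLAN)
BROADCAST = b"\xff" * 6
# Constructed mapping (assumption): outer S-VID -> branch site, inner C-VID -> local network
SITE_BY_SVID = {100: "branch-A", 101: "branch-B"}
NET_BY_CVID = {10: "office", 20: "voip", 30: "guest"}


def build_qinq(dst, src, svid, cvid, ethertype, payload, pcp=0):
    """Assemble a double-tagged frame: S-tag (802.1ad) outside, C-tag (802.1Q) inside."""
    s_tag = struct.pack("!HH", ETH_P_8021AD, svid & 0x0FFF)
    c_tag = struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (cvid & 0x0FFF))
    return dst + src + s_tag + c_tag + struct.pack("!H", ethertype) + payload


def parse_qinq(frame):
    """Peel every 802.1ad/802.1Q tag off an Ethernet frame, outermost first."""
    dst, src, offset, vids = frame[0:6], frame[6:12], 12, []
    try:
        while True:
            (tpid,) = struct.unpack_from("!H", frame, offset)
            if tpid not in (ETH_P_8021AD, ETH_P_8021Q):
                break                   # not a tag, so this is the real EtherType
            (tci,) = struct.unpack_from("!H", frame, offset + 2)
            vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID; PCP/DEI dropped
            offset += 4
    except struct.error:
        raise ValueError("frame truncated inside the header or tag stack") from None
    return {"dst": dst, "src": src, "vids": vids, "ethertype": tpid,
            "payload": frame[offset + 2:], "broadcast": dst == BROADCAST}


def classify(frame):
    """Map a double-tagged frame to (site, local network) as the head-office firewall sees it."""
    info = parse_qinq(frame)
    if len(info["vids"]) < 2:
        raise ValueError(f"expected S-tag and C-tag, got {len(info['vids'])} tag(s)")
    svid, cvid = info["vids"][:2]
    return {"site": SITE_BY_SVID.get(svid, f"unknown S-VID {svid}"),
            "network": NET_BY_CVID.get(cvid, f"unknown C-VID {cvid}"),
            "broadcast_over_tls": info["broadcast"],  # needlessly crossed the provider link
            "payload_in_clear": info["payload"]}      # nothing in it is encrypted on the wire


# Constructed sample: an ARP request broadcast from a host on branch-A's office VLAN
SAMPLE_ARP_BROADCAST = build_qinq(
    dst=BROADCAST, src=bytes.fromhex("02000000aa01"), svid=100, cvid=10, pcp=3,
    ethertype=0x0806, payload=b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)
```

Running `classify(SAMPLE_ARP_BROADCAST)` shows the frame landing on branch-A's office network with the broadcast flag set and its ARP payload readable as-is, which is exactly the traffic the first and third bullets are about.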
