Thursday, November 18, 2021

Network Segmentation Advice and Best Practices

Management has asked that I come up with a viable solution to let a partner agency utilize our network in various locations by installing end devices along with PoE switches, which they will manage and pull data from. The partner agency will essentially use our network to backhaul data to their network. Full disclosure: our network is mostly Cisco and I’ve never had to connect to an outside network with the exception of ISP and VPNs.

Network background: Partner agency devices will be grouped in a separate VLAN. Those devices’ gateways are configured on layer 3 distribution switches as SVIs. Distribution switches have point-to-point links and advertise routes back to the core via OSPF. We have a patch panel in the data center that connects to the agency.

Business requirements: Partner agency should only be allowed to access their devices; our subnets should remain unreachable to partner agency.

Initially, I wanted to create a separate VRF instance for them. This seemed like the most straightforward and cleanest approach. Turns out we have no dedicated fiber to spare. I was under the assumption I would need to assign each VRF instance to an interface? In other words, I could not run both VRF instances back on the same point-to-point link.

Here is what I’ve implemented so far. Partner agency routes come back to the core via OSPF as described above. The core is connected to a newly configured layer 3 switch in the datacenter, under our control. We are running iBGP between the core and the new layer 3 switch. Only partner agency routes are advertised via iBGP to the new layer 3 switch in the datacenter. The partner agency has connected a pair of racked servers to our switch with the advertised iBGP routes so they can pull data from their end devices. (They have a second network connection from the servers to their own network switch in the same rack.) Their network switch connects to the patch panel, which connects to their network.

They plan to install more servers from their DC in ours if needed over time. I thought it might be more efficient to run eBGP between our switch and their racked switch. Essentially, I’ll just hand them the routes they need and they can keep their servers in their DC. Does this seem like a good idea?

We are currently in the testing phase and I can’t help but think I’m missing something here. Is there an alternative approach that seems more logical?

I do have some security concerns. I planned to configure ACLs on the distribution switches to limit the inter-vlan routing of the partner layer 2 PoE switches. Any other suggestions would be greatly appreciated!

tl;dr

Connecting to an outside network, best way to segment traffic in terms of security and scalability.
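As an added illustration (not configuration from the post or from the poster’s network), this is the shape the two controls described above could take on Cisco IOS: the inbound ACL on the partner SVI that confines the end devices to the partner’s server subnet, and prefix-list filtering on the eBGP peering toward the partner’s rack switch so that only the agreed prefixes are exchanged. All VLAN numbers, addresses and AS numbers are constructed placeholders.

```cisco
! Constructed placeholder addressing (not from the post):
!   partner end-device VLAN 310      -> 10.31.0.0/24  (SVI on the distribution switch)
!   our internal address space       -> 10.0.0.0/8    (everything the partner must not reach)
!   partner server subnet            -> 198.51.100.0/24 (their racked servers / their DC)
!   eBGP point-to-point link         -> 192.0.2.0/30  (.1 ours, .2 partner rack switch)
!
! --- Distribution switch: inbound ACL on the partner SVI ---
ip access-list extended PARTNER-VLAN-IN
 remark end devices may talk only to the partner server subnet
 permit ip 10.31.0.0 0.0.0.255 198.51.100.0 0.0.0.255
 remark block inter-VLAN routing into the rest of our address space
 deny   ip 10.31.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark drop anything not sourced from the partner VLAN (spoofed sources)
 deny   ip any any log
!
interface Vlan310
 description Partner agency end devices
 ip address 10.31.0.1 255.255.255.0
 ip access-group PARTNER-VLAN-IN in
!
! --- DC layer 3 switch: eBGP toward the partner rack switch ---
! Only the partner end-device prefix leaves; only the partner server prefix enters.
ip prefix-list PARTNER-OUT seq 10 permit 10.31.0.0/24
ip prefix-list PARTNER-IN  seq 10 permit 198.51.100.0/24
! anything not listed is implicitly denied by the prefix-list
!
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 description Partner agency rack switch (eBGP)
 address-family ipv4
  network 10.31.0.0 mask 255.255.255.0
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 prefix-list PARTNER-OUT out
  neighbor 192.0.2.2 prefix-list PARTNER-IN in
  neighbor 192.0.2.2 maximum-prefix 50
 exit-address-family
```

With the filters in place, `show ip bgp neighbors 192.0.2.2 advertised-routes` and `show ip bgp neighbors 192.0.2.2 routes` give a quick check that nothing beyond the two listed prefixes is being exchanged.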
