New Network Design - Some advice

Hi All,

My company is moving offices and we're taking the opportunity to implement our network properly. Since I've been put in charge of it, and since my real job is as a software developer, I was looking for some advice on my proposed design.

Now, in an ideal world I'd just use all Cisco kit and be done with it, but because of budgetary constraints, and us already owning some kit, it's not really practical.

The diagram outlines my current design.

[Diagram: netdia1.jpg]

The L2 switching consists of:

Current:
2x 16-port Gigabit 'LevelOne' branded (these were bought without my knowledge so we're stuck with them)
1x Cisco 2900XL 24-port

Proposed:
1x Linksys SRW248G4P 48-port PoE
1x Linksys SLM248G 48-port

We have a requirement for around 10 IPsec VPNs and 10 VLANs, as well as inter-VLAN routing and stateful firewalling.

When I called one of our suppliers to see what they suggested, it became apparent I wasn't going to be able to get away with a Cisco 877 and our current L2 switching. The guy suggested an L3 switch, which solves the inter-VLAN routing issue, but even though we'd have ACLs there isn't any stateful firewalling.

This has led to the proposed solution of using a PC-based software router. OK, so the performance isn't going to be as good, but we don't have a requirement for high-performance inter-VLAN routing.

What would you do in this situation? Our current Modem/Router is a Draytek 2800, though we've got a 2820 in the office spare already which could be put to use.
 
Why so many VLANs? Seems unnecessary to me.
Inter-VLAN filtering maybe? It's close to what I'm planning for our office at work, where it makes meeting our compliance requirements easier.

One thing that stands out is sharing a single ADSL connection between VoIP and data traffic. You should look at QoS in your firewall/ADSL connection.

akakjs
 
I guess I don't get it :confused:

What's with the need for so many VLANs? What's living in them?
How many hosts have you got in each VLAN?
Why do these VLANs need to speak with each other? They look more like separate DMZs to me.
Why is VoIP on a separate VLAN? Our Mitel system uses pass-throughs on the phone to the PC at each desk.
Why is the VPN endpoint connected to another VLAN and not just the LAN?
Why is the office VLAN separate to dev? Unless it's internet facing you could just secure via AD.
Having a PC as your routing to the net is asking for trouble surely, given it wouldn't be as reliable as a specific device?

I'd purchase a decent dedicated firewall with 4-5 DMZs. I'd then connect up your Cisco switches to your LAN, and have that servicing your office, dev and VoIP needs. I'd then use the other DMZs for wifi and "DMZ" using those cheapo Linksys switches.
 
Also, the internet side of your diagram doesn't make any sense...

I'm guessing with a single ADSL connection that we're talking less than 20-ish users, so I can't see the point of any more than 1 or 2 VLANs.

Our Cisco phone system also has a switch in the phone, but the voice is on a separate VLAN. The reason for that is the use of RSPAN for call recording; otherwise they would be on the same VLAN too. The only other VLANs are the DMZ and a spare ADSL connection which is trunked through to some wireless access points which present 2 SSIDs, one internal and one for public use.
 
The multiple VLANs are for security. This way I can firewall what is allowed to be routed between them. The dev/client VLANs are for when we're building up systems which are to be shipped to clients, often running on different subnets and potentially with their own DHCP servers and things. Our software makes use of multicasting for most of its data transfer, so isolating this so it doesn't interfere with workstations is just sensible.

Having VPN on its own VLAN means that should our VPN be compromised it still only has access to the minimum of services anyway.

Separating things out like that greatly simplifies management of services like TFTP boot servers: on the VoIP VLAN it needs to serve config files and firmware for the phones, dev would have the deployment server, and office it'll be the backup server. Having to manually update the DHCP config with MACs of different clients depending on which TFTP server it needs to point at increases the administrative overhead, especially when machines change as often as they do with us. Typically we have systems in for clients for only a few weeks before it's all change.

As for PC routing to the net, it's as reliable as a dedicated device really. It doesn't perform as well because you haven't got ASICs and FPGAs doing the work, you're using generalised hardware, but then plenty of people use ISA Server as well as these Linux-based firewall distros (which personally I hate), both in commercial and domestic settings.

Oh, and we're not an MS shop when it comes to servers. Service auth is handled by LDAP and there's no workstation administrative control.

Internet connection - we've got QoS for VoIP and we're almost certainly going to have a second line in - mostly for redundancy as our internet traffic is quite low anyway (both for normal data and VoIP - it's more of an internal thing).

Oh, and please don't say things like

"using those cheapo linksys switches"

I did say that we have a budget to worry about or I would have just used decent Cisco kit and been done with it. Trying to keep it under £1,500 or so really.
 
I'll tell you what I think.... :)

I think this is an endeavour of "how unnecessarily complicated can I make my network". This isn't for a proper business; it's probably for your bedroom/flat? Nothing wrong with that, but don't confuse your own personal interest in these technologies and how to set them up with what the requirements of a business are.

I run a real software company and unless you have some very funky developments and security needs, what you're talking about is just unnecessary.

and linksys switches are cheapo :p

edit: seems strange that most of your setup as shown in the diagram is on your personal webpage http://www.lewty.org.uk/index.php?p=computers ????
 
How many users are we talking about here?

I'm still not getting the use of all the VLANs. Fair enough if you want a dev and production VLAN, but separating voice, office, wifi, VPN etc. etc. is just madness. If you've got your configuration to the point where it seems necessary then you should step back and look at what you're doing with it.

Anyway, you definitely want to revise the internet side of the diagram for it to even begin to make sense.
 
Actually, it's not for home at all, it is for my company and since some of our work is actually highly sensitive the security requirements are not at all unnecessary.

We've had endless meetings to discuss our requirements, we're just trying to sort out the implementation in a design which will scale as our company grows.

If you're not going to help that's fine, but don't call me a liar.

Why doesn't the internet side make sense? It's a modem in bridge, effectively giving you a switch on the internet without NAT, multiple public IPs from our ISP means we can have multiple hosts.

As for users, well, let's break it down:

7 members of staff, each with a workstation which at any given moment is also running 1-2 virtual machines and each with an IP phone so that's 28 hosts. Plus laptops.
4x Test hosts
15 service hosts (across 4 machines in VMs, for a variety of jobs - LDAP, email, DNS, DHCP, backup, ERP/CRM, software build services, bug tracking, project management, change management, file storage, shared access to modelling software and other stuff)

Between 5 and 10 network based data sensors for RF, Audio and Video

Then each client system is between 6 and 10 devices and if we've got two on the go at once they need to be isolated but still with access to the transfer bay fileserver

Add that to the remote client systems on the VPN (we use it for remote support) and you've suddenly ended up with in excess of 80 or so hosts, not to mention the likes of printers and things.
 
Personally would have the Draytek be the only connection to the Internet.

ie

Internet - Draytek - VPN
- NAT Router

and then have the rest of the network as is, and run the VPN vlan as the DMZ off the Draytek.

Whilst I have nothing against people using a PC-based firewall (I deploy a lot of Check Point on HP servers, for instance), you need to think carefully about what firewall solution you put on there (and yes, I know that Check Point is way, way, way over your budget).

I see you are running virtualisation, and depending upon how you build some of the servers on there, you can probably minimise or even eliminate the need to route in and out of some of the VLANs such as dev etc.

Just make sure you spec a decent enough PC to act as the router, as otherwise you will just find that the performance between networks is too slow. I know you have said you have no high-speed requirements; however, you will soon run out of patience.

VoIP - I would ALWAYS run VoIP on a separate VLAN to my Data. Even if my PC plugs into the phone and the phone into the switch, you should still be separating the Voice and Data, just from a performance perspective, let alone a security perspective. This is what Mitel and other VoIP solutions allow you to do, you just see one cable though from the switch.
 
Why do you require it to be stateful?

EDIT: An ASA 5505 would solve all of your issues, surely? If your Draytek handles your current requirements fine, you could continue to use that on the edge for ADSL. If you outgrew it or moved to a different internet product you can always look at a solution for that later down the line.

An ASA is well within budget, meets all of your security requirements and can handle up to 25 IPSEC VPN peers. Will cost about the same as buying a capable piece of hardware (even if you went for an "unsupported" white-box approach, which is ugly in any environment!) and relevant software. Unless you want to route inter-vlan at gigabit? In which case your budget is unrealistically low and you should *still* consider an ASA and add a Layer 3 managed switching environment - but that will blow your budget out the water and is one hell of an overkill when you probably are not shifting THAT much data between VLANs regularly?

As said above, you could correctly set up a virtualisation environment that spans your multiple VLANs (which can be done a number of ways with VMWare and certainly others).

That's how I would approach it I think, so in summary:

ADSL in to the Draytek
Cisco ASA 5505 providing your firewalling and inter-VLAN routing
Your existing switching environment remains intact
Use of Virtualisation to avoid inter-VLAN routing where possible.
 
Stateful is to allow connections into one VLAN from the other but not back again, i.e. if we want to connect to one of the hardware KVM-IP units we send to clients from an office PC etc.

I did want to just use the Draytek, but I've been through the manual both for the GUI and the command line interface and the details of the implementation regarding how the VPN is routed are extremely unclear. Plus its VLAN support is somewhat lacking.

If we do go down this PC firewall route, it'll be its own dedicated box: Athlon X2 64 or Opteron quad core or similar with Pro/1000s.

The original plan was just to get a Cisco 877 and that should have been enough. It may well be; we're having another meeting on Monday to re-evaluate our requirements vs cost of implementation (both time and financial).

Regarding using the internal switches in the IP phones: one of our dev projects is extremely high data rate, thus requiring gigabit to the workstation, and considering there are already lots of data points in the building, we have the space to use separate cabling. If we run out we can always start using the internal switches for additional devices such as laptops.
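The stateful inter-VLAN rule the post above describes (office may open connections into the dev/client VLAN, but nothing on that VLAN can open one back), written as an nftables ruleset for the proposed PC-based router. This is an added example, not configuration from the thread; the interface names, subnets and the transfer-bay fileserver address are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: stateful inter-VLAN filtering on a Linux PC router.
# Interface names and addresses are assumptions, not from the thread:
#   vlan10 = office      192.168.10.0/24
#   vlan20 = dev/client  192.168.20.0/24  (transfer-bay fileserver 192.168.20.5)
#   vlan40 = vpn         192.168.40.0/24
# Requires net.ipv4.ip_forward=1 and one 802.1Q sub-interface per VLAN.
flush ruleset

table inet intervlan {
    chain forward {
        # Default deny: a VLAN pair only talks if a rule below says so.
        type filter hook forward priority 0; policy drop;

        # Stateful core: replies to a connection that was permitted when it
        # was NEW pass in both directions; anything conntrack cannot
        # classify is dropped.
        ct state established,related accept
        ct state invalid drop

        # Office may open connections into dev/client (e.g. to reach the
        # KVM-over-IP units on a system being built for a client).
        iifname "vlan10" oifname "vlan20" ct state new accept

        # The reverse direction never gets to initiate: only replies to
        # office-originated flows come back, courtesy of the rule above.
        iifname "vlan20" oifname "vlan10" ct state new log prefix "dev->office denied: " drop

        # The VPN VLAN gets the minimum: SMB to the transfer-bay fileserver
        # only. Everything else it tries falls through to the final drop.
        iifname "vlan40" ip daddr 192.168.20.5 tcp dport 445 ct state new accept

        # Anything reaching this point is an unexpected inter-VLAN flow;
        # log it with a counter so denied attempts are visible.
        log prefix "inter-vlan denied: " counter drop
    }
}
```

Load it with `nft -f intervlan.nft`; the prefixed kernel log lines are what you watch to confirm that connection attempts from the dev/client side are actually being blocked.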
 
OMG

I totally forgot about ASAs, that'd be perfect actually.

Routing between VLANs at gigabit isn't a requirement, that would be expensive!

I've already given some thought to minimising routing for servers - multihoming them across VLANs.

I suspect the VPN performance of the Cisco will be far better than that of the Draytek too.

Remind me to buy you a beer next time I see you ;)

Now I just need to figure out what the differences are between all the versions so we don't end up paying for features we don't need.
 
It's worth noting the basic ASA 5505 base licence only supports 3 VLANs. It's one of the reasons we got a Juniper SSG for work instead of the ASA; the SSG 140 would be in your price range as well.

akakjs
 
Yeah... so I've just found out. That puts it as a large single expense on the project (it's easier to get lots of cheaper things through and fewer expensive ones).

Still, it's a good valid route to consider. Certainly it would be possible to structure it in such a way that we can just do a drop-in replacement with it later.
 
How important is the Internet to your business? I mean, can you carry on trading without losing revenue if you were without Internet for a day or 2?

Obviously it is a high cost, but what about getting a proper 10Mb leased line and using the ADSL as a backup? Regardless of your ADSL ISP I would never have a business network on just ADSL. I spent a couple of years chasing various ADSL providers when customer lines went down, and it often took 2-3 days before BT could send an engineer (this was over 2 years ago so it may be better now).

If all your data and VoIP is on this one line it would be a concern for me. Even an SDSL line is a bit better and has better support than ADSL.
 
Internet isn't at all business critical - email gets re-routed elsewhere and we don't need it to operate. The phones use the BT landlines by default (the VoIP service is mostly for international calling)

There's no way we can justify a leased line when we're only paying ~£35/month now, and in the two years we've been in the current office it's only gone down a handful of times, all of which were solved by rebooting the router. Since we're only moving next door we can expect the same level of service. We were considering using a combination of BT Wholesale, LLU and 3G-based providers to ensure service.

Most of our trading is done by phone, fax and lots of paper.
 
You say that the ASA 5505 would be a significant single expense, but is it really? It's £700 for the edition that you need, compared to the cost of building a routing box and the time taken to set it all up?
 