New Network Design - Some advice

Associate | Joined: 14 Apr 2008 | Posts: 1,230 | Location: Manchester
Hi All,

My company is moving offices and we're taking the opportunity to implement our network properly. Now, since I've been put in charge of it, and since my real job is as a software developer, I was looking for some advice on my proposed design.

Now, in an ideal world I'd just use all Cisco kit and be done with it, but because of budgetary constraints, and because we already own some kit, it's not really practical.

The diagram outlines my current design.

[Diagram: netdia1.jpg]


The L2 switching consists of:

Current:
2x 16 Gigabit 'LevelOne' branded (these were bought without my knowledge so we're stuck with them)
Cisco 2900XL 24-Port

Proposed:
1x Linksys SRW248G4P 48-Port PoE
1x Linksys SLM248G 48-Port

We have a requirement for around 10 IPsec VPNs and 10 VLANs, as well as inter-VLAN routing and stateful firewalling.

When I called one of our suppliers to see what they suggested, it became apparent I wasn't going to be able to get away with a Cisco 877 and our current L2 switching. The guy suggested an L3 switch, which solves the inter-VLAN routing issue, but even though we'd have ACLs there isn't any stateful firewalling.

This has led to the proposed solution of using a PC-based software router. OK, so the performance isn't going to be as good, but we don't have a requirement for high-performance inter-VLAN routing.

What would you do in this situation? Our current Modem/Router is a Draytek 2800, though we've got a 2820 in the office spare already which could be put to use.
 
The multiple VLANs are for security: this way I can firewall what is allowed to be routed between them. The dev/client VLANs are for when we're building up systems which are to be shipped to clients, often running on different subnets and potentially with their own DHCP servers and things. Our software makes use of multicasting for most of its data transfer, so isolating this so it doesn't interfere with workstations is just sensible.

Having VPN on its own VLAN means that should our VPN be compromised, it still only has access to the minimum of services anyway.

Separating things out like that greatly simplifies management of services like TFTP boot servers: on the VoIP VLAN it needs to serve config files and firmware for the phones, dev would have the deployment server, and office would have the backup server. Having to manually update the DHCP config with MACs of different clients, depending on which TFTP server each needs to point at, increases the administrative overhead, especially when machines change as often as they do with us; typically we have systems in for clients for only a few weeks before it's all change.

As for PC routing to the net, it's as reliable as a dedicated device really. It doesn't perform as well because you haven't got ASICs and FPGAs doing the work, you're using generalised hardware, but then plenty of people use ISA Server as well as these Linux-based firewall distros (which personally I hate), both in commercial and domestic settings.

Oh, and we're not an MS shop when it comes to servers: service auth is handled by LDAP and there's no workstation administrative control.

Internet connection: we've got QoS for VoIP and we're almost certainly going to have a second line in, mostly for redundancy, as our internet traffic is quite low anyway (both for normal data and VoIP; it's more of an internal thing).

Oh, and please don't say things like "using those cheapo Linksys switches".

I did say that we have a budget to worry about, or I would have just used decent Cisco kit and been done with it. Trying to keep it under £1,500 or so really.
 
Actually, it's not for home at all, it is for my company and since some of our work is actually highly sensitive the security requirements are not at all unnecessary.

We've had endless meetings to discuss our requirements; we're just trying to sort out the implementation in a design which will scale as our company grows.

If you're not going to help that's fine, but don't call me a liar.

Why doesn't the internet side make sense? It's a modem in bridge mode, effectively giving you a switch on the internet without NAT; multiple public IPs from our ISP mean we can have multiple hosts.

As for users, well, let's break it down:

7 members of staff, each with a workstation which at any given moment is also running 1-2 virtual machines, and each with an IP phone, so that's 28 hosts. Plus laptops.
4x Test hosts
15 service hosts (across 4 machines in VMs, for a variety of jobs - LDAP, email, DNS, DHCP, backup, ERP/CRM, software build services, bug tracking, project management, change management, file storage, shared access to modelling software and other stuff)

Between 5 and 10 network based data sensors for RF, Audio and Video

Then each client system is between 6 and 10 devices, and if we've got two on the go at once they need to be isolated, but still with access to the transfer bay fileserver.

Add that to the remote client systems on the VPN (we use it for remote support) and you've suddenly ended up with in excess of 80 or so hosts, not to mention the likes of printers and things.
 
Stateful is to allow connections into one VLAN from the other but not back again, i.e. if we want to connect to one of the hardware KVM-IP units we send to clients from an office PC, etc.

I did want to just use the Draytek, but I've been through the manual for both the GUI and the command line interface and the details of the implementation regarding how the VPN is routed are extremely unclear; plus its VLAN support is somewhat lacking.

If we do go down this PC firewall route, it'll be its own dedicated box: Athlon X2 64 or Opty quad core or similar, with Pro/1000s.

The original plan was just to get a Cisco 877 and that should have been enough. It may well be; we're having another meeting on Monday to re-evaluate our requirements vs cost of implementation (both time and financial).

Regarding using the internal switches in the IP phones: one of our dev projects is extremely high data rate, thus requiring gigabit to the workstation, and considering there are already lots of data points in the building, we have the space to use separate cabling. If we run out we can always start using the internal switches for additional devices such as laptops.
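The distinction drawn above between an L3 switch's ACLs and a stateful firewall (connections may be opened from office into a dev/client VLAN, but nothing on that VLAN may open one back) is easiest to see in code. The following is an added example, not anything from the original thread or from the poster's design: a toy connection tracker beside a stateless "permit established" style rule, run over a handful of constructed TCP segments. The subnets, host addresses and the simplified TCP state model (no teardown or timeouts) are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed addressing for the example (not the poster's real plan).
VLAN_SUBNETS = {"office": "10.0.10.", "dev": "10.0.20.", "vpn": "10.0.30."}

# Directions in which a *new* connection may be opened: office -> dev only.
INITIATE_POLICY = {("office", "dev")}


def vlan_of(ip: str) -> str:
    """Map an address to its VLAN name by prefix; anything else is 'unknown'."""
    for name, prefix in VLAN_SUBNETS.items():
        if ip.startswith(prefix):
            return name
    return "unknown"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True on a connection-opening SYN (or a SYN-ACK reply)
    ack: bool


Flow = Tuple[str, int, str, int]


class StatefulFilter:
    """Accepts new connections only per policy, and other segments only if
    they belong to a connection it saw being opened."""

    def __init__(self) -> None:
        self.conntrack: Set[Flow] = set()

    def verdict(self, seg: Segment) -> str:
        forward = (seg.src, seg.sport, seg.dst, seg.dport)
        reverse = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.syn and not seg.ack:
            # A bare SYN is a connection attempt: consult the policy.
            if (vlan_of(seg.src), vlan_of(seg.dst)) in INITIATE_POLICY:
                self.conntrack.add(forward)
                return "accept"
            return "drop"
        # Anything else must match an existing connection in either direction.
        if forward in self.conntrack or reverse in self.conntrack:
            return "accept"
        return "drop"


def stateless_verdict(seg: Segment) -> str:
    """Mimics a router/L3-switch ACL: permit office->dev, and permit any
    segment with ACK set as 'established' traffic, since a stateless rule
    has no table to check against."""
    if (vlan_of(seg.src), vlan_of(seg.dst)) in INITIATE_POLICY:
        return "accept"
    if seg.ack:
        return "accept"
    return "drop"


def run_scenario() -> dict:
    """Return {label: (stateful verdict, stateless verdict)} for constructed traffic."""
    fw = StatefulFilter()
    office, dev = "10.0.10.15", "10.0.20.7"  # constructed hosts
    traffic = [
        ("office opens SSH to a dev KVM unit", Segment(office, 40001, dev, 22, syn=True, ack=False)),
        ("dev replies SYN-ACK", Segment(dev, 22, office, 40001, syn=True, ack=True)),
        ("office sends data", Segment(office, 40001, dev, 22, syn=False, ack=True)),
        ("dev tries to open a new connection to office", Segment(dev, 51000, office, 445, syn=True, ack=False)),
        ("dev sends a bare ACK to office, no connection", Segment(dev, 51001, office, 445, syn=False, ack=True)),
    ]
    return {label: (fw.verdict(seg), stateless_verdict(seg)) for label, seg in traffic}


if __name__ == "__main__":
    for label, (stateful, stateless) in run_scenario().items():
        print(f"{label:48s} stateful={stateful:6s} stateless={stateless}")
```

The last row is the point: a segment from the dev VLAN with ACK set but belonging to no connection is waved through by the stateless rule, because "looks like a reply" is all it can test, while the connection tracker drops it because no office host ever opened that flow. That is the property the poster is buying with a stateful firewall rather than ACLs alone.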
 
OMG

I totally forgot about ASAs, that'd be perfect actually.

Routing between VLANs at gigabit isn't a requirement, that would be expensive!

I've already given some thought to minimising routing for servers - multihoming them across VLANs.

I suspect the VPN performance of the Cisco will be far better than that of the Draytek too.

Remind me to buy you a beer next time I see you ;)

Now I just need to figure out what the differences are between all the versions so we don't end up paying for features we don't need.
 
Yeah... so I've just found out that puts it as a large single expense on the project (it's easier to get lots of cheaper things through and fewer expensive ones).

Still, it's a good, valid route to consider; certainly it would be possible to structure it in such a way that we can just do a drop-in replacement with it later.
 
Internet isn't at all business critical: email gets re-routed elsewhere and we don't need it to operate. The phones use the BT landlines by default (the VoIP service is mostly for international calling).

There's no way we can justify a leased line when we're only paying ~£35/month now, and in the two years we've been in the current office it's only gone down a handful of times, all of which were solved by rebooting the router. Since we're only moving next door we can expect the same level of service. We were considering using a combination of BT Wholesale, LLU and 3G-based providers to ensure service.

Most of our trading is done by phone, fax and lots of paper.
 