Routing – Review of network connectivity diagram

Tags: ipv4, lan, routing, vlan

Greetings, this is my first attempt at network connectivity and hence would truly appreciate it if the community at large can review and guide me through it.

We have one main office with 7 branch offices. We don't plan to expand over 12-15 branch offices (even if we do, I feel my following assumptions and design should stand).

We plan to have P2P VPN lines between offices. I have proposed that we use the 172.16/12 subnet, with 172.16.x.x for HQ and 172.17.x.x and so on for each branch. We will never have over 500 PCs per branch.

There are as of now 6 departments and I have proposed 172.16.1.x and so on for each department which will stay consistent over the branches.

We have (for whatever reason) L3 switches all around and each switch may hold computers of 2 or more departments. Hence, to segregate, I've proposed VLANs whose VLAN IDs will be consistent between switches (I am unsure of this part). Hence, if sales computers are in VLAN2 on switch 2, other switches (switch 3 for example) will have VLAN2 holding the subnet and PCs dedicated to sales. I've attached a diagram for better explanation.
I want to know if it's possible for inter-VLAN communication based on the diagram I've attached and of course the changes recommended based on our needs.

I am certain of having made mistakes with trunking. Please do guide me through it. Will the firewall be able to see IPs of endpoints with trunking on uplinks and L3 switch? Also, all the switches in the diagram are L3.

[Image: network connectivity diagram]

Thanking you all in anticipation!

Edit:

My requirements are for L3VPN as per one of the answers. Thank you again. Just to confirm and reiterate since this is critical and my job hangs on getting it right –
As someone suggested – I am planning to shift to the 10/8 subnet for better expandability.
Hence:
1. HQ will have the 10.1.0.0 subnet.
2. Branches will start with the 10.2.0.0 series.
3. There will be further subdivision of IP ranges using VLANs per department. This will be consistent throughout the organization:
   A. Sales will be allocated 10.1.1.0 in HQ.
   B. 10.2.1.0 in branch 1 and 10.3.1.0 in branch 3 – so on and so forth.
4. Network device topology will remain consistent throughout branches: ISP CPE – Firewall – L3 Core switch – L3 (working in L2 mode) switches – Endpoints.
5. Physical topology between branches will be: Endpoints – L2 Switches – L3 Core switch – firewall – ISP CPE – L3VPN – ISP CPE – Firewall – L3 Core switch – L3 (working in L2 mode) switches – Endpoints.
6. Topology with IP addresses for illustration will be: Endpoints (10.1.1.5) – L2 Switches (10.1.5.2) – L3 Core switch (10.1.1.1) – firewall (10.1.1.250 – question – should this be on the same subnet or is it better to have the firewall IP as 10.1.0.250?) – ISP CPE – L3VPN – ISP CPE – Firewall (10.2.1.250) – L3 Core switch (10.2.1.1) – L3 (working in L2 mode) switches (10.1.5.2) – Endpoints (10.2.1.5)

Questions:
1. Is this optimum with respect to security (VLAN segregation for each department), manageability, bandwidth (broadcast domains and compromised endpoint quarantine)?
2. Will a machine on different VLAN and IP subnet (10.1.2.5) communicate with machine at HQ (10.1.1.5) and with 10.2.2.5 (at branch)? I reckon that within the same office (HQ/Branch) machines won't communicate. However, they will between branches of same department (10.1.1.5 with 10.2.1.5).

Thank you very very much to everyone who has reviewed and assisted me with this.

[Second diagram: machine to machine between branch and HQ with IPs]
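The addressing plan in the edit above (one /16 per site, one /24 per department, the same department number at every site) can be checked mechanically rather than by eye. The script below is an added example, not code from the original post: it generates the plan, refuses any overlapping allocation, reports which allocation an address such as the firewall's inside interface falls into, and classifies any two endpoints as either sharing one VLAN (switched at L2) or separated by an L3 hop. The department names, the number of sites, and the reservation of 10.<site>.0.0/24 for firewall and switch management addresses are assumptions made here for illustration. The point the classification makes is that every pair outside one /24, whether in the same office or across the L3VPN, is routed, so whether they can talk is decided by routing plus whatever ACL or firewall policy sits on that hop, not by the VLAN split itself.

```python
"""
Address plan from the edited question: 10/8, one /16 per site (HQ = 10.1,
branch n = 10.(n+1)), one /24 per department inside each site, with the same
department number at every site.  Added example, not from the original post.
The "infrastructure /24" (10.<site>.0.0/24 for firewall and switch management
addresses), the site count and the department names are assumptions.
"""
import ipaddress
from itertools import combinations

# Six departments numbered consistently across sites; names are constructed.
DEPARTMENTS = {1: "sales", 2: "finance", 3: "engineering", 4: "support", 5: "hr", 6: "it"}
# HQ plus three branches for the demonstration; extend the dict to add sites.
SITES = {1: "HQ", 2: "branch-1", 3: "branch-2", 4: "branch-3"}


def site_supernet(site: int) -> ipaddress.IPv4Network:
    """Each site owns 10.<site>.0.0/16, the block a core router can summarise."""
    return ipaddress.ip_network(f"10.{site}.0.0/16")


def dept_subnet(site: int, dept: int) -> ipaddress.IPv4Network:
    """Department VLAN subnet 10.<site>.<dept>.0/24 (sales at HQ = 10.1.1.0/24)."""
    return ipaddress.ip_network(f"10.{site}.{dept}.0/24")


def gateway(site: int, dept: int) -> ipaddress.IPv4Address:
    """The L3 core switch holds .1 of every department subnet (10.1.1.1 in the post)."""
    return dept_subnet(site, dept)[1]


def infra_subnet(site: int) -> ipaddress.IPv4Network:
    """Assumed: 10.<site>.0.0/24 reserved for firewall/switch management addresses."""
    return ipaddress.ip_network(f"10.{site}.0.0/24")


def build_plan() -> dict:
    """Map every allocated /24 to a label; raise if any two allocations overlap."""
    plan = {}
    for site, site_name in SITES.items():
        plan[infra_subnet(site)] = f"{site_name}/infrastructure"
        for dept, dept_name in DEPARTMENTS.items():
            plan[dept_subnet(site, dept)] = f"{site_name}/{dept_name}"
    for a, b in combinations(plan, 2):
        if a.overlaps(b):
            raise ValueError(f"overlapping allocations: {a} and {b}")
    return plan


def owner(ip: str) -> str:
    """Which allocation does an address fall in?  Useful for checking where an
    address like the firewall's inside interface (10.1.1.250 vs 10.1.0.250) lands."""
    addr = ipaddress.ip_address(ip)
    for net, label in build_plan().items():
        if addr in net:
            return label
    return "unallocated"


def classify_path(src: str, dst: str) -> str:
    """How two endpoints reach each other under this plan.  Anything outside the
    same /24 leaves the VLAN and crosses an L3 hop, so reachability there is set
    by routing and by the ACL/firewall policy on that hop, not by the VLAN split."""
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    same_24 = (ipaddress.ip_network(f"{a}/24", strict=False)
               == ipaddress.ip_network(f"{b}/24", strict=False))
    if same_24:
        return "same subnet: switched at L2 inside one VLAN, no router involved"
    if a.packed[1] == b.packed[1]:          # second octet identifies the site
        return "routed: inter-VLAN on the site's L3 core switch"
    return "routed: inter-site across the L3VPN (firewall at both ends)"


if __name__ == "__main__":
    for net, label in sorted(build_plan().items()):
        print(f"{str(net):18} {label}")
    for pair in [("10.1.1.5", "10.1.1.20"), ("10.1.1.5", "10.1.2.5"), ("10.1.1.5", "10.2.1.5")]:
        print(pair, "->", classify_path(*pair))
    print("10.1.1.250 belongs to", owner("10.1.1.250"))
    print("10.1.0.250 belongs to", owner("10.1.0.250"))
```

Run as-is it prints the full allocation table and then classifies the three pairs from the question's second query: 10.1.1.5 to 10.1.2.5 (same office, different VLAN) and 10.1.1.5 to 10.2.1.5 (same department, different site) are both routed; only same-/24 pairs are switched. `owner()` shows that 10.1.1.250 would sit inside the HQ sales allocation while 10.1.0.250 falls in the reserved infrastructure block, which is the trade-off behind the firewall-address question.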

Best Answer

There are many ways to do this. Here are a few observations:

  • It's generally a good idea to push layer 3 as close to the end users as possible. Since you have layer 3 switches everywhere, this is easy for you to do.
  • You should consider creating a routing hierarchy, with the branch switch terminating the local VLANs, and the core switch terminating the branch links.
  • While it's fine to put each department on a separate VLAN, unless you plan to restrict access between departments, there's no real value.
  • It's more important to ensure that there are no layer 2 links connecting your branch offices. Everything should be L3. I don't see a need to use trunking anywhere.
  • Place your servers on their own VLAN for design consistency and also since that's the most likely place to enforce policy.
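The answer's routing hierarchy, its "everything should be L3" point, and its remark that department VLANs only earn their keep when access between them is restricted can be shown together in a small model. This is an added example, not code from the answer or the original post: it models the HQ core's routing table (connected department VLANs, one summary route per branch over a point-to-point L3 link, a default toward the firewall), resolves destinations by longest-prefix match, checks that no connected (L2) prefix reaches outside the local site, and evaluates a default-deny inter-VLAN policy at the L3 hop. The subnets follow the asker's 10.<site>.<dept>.0/24 plan; the server VLAN (10.1.10.0/24), the /30 link addresses, the management subnet, and the policy rules are assumptions made for illustration.

```python
"""
Routing hierarchy plus inter-VLAN policy at the L3 hop.  Added example, not
from the answer or the post.  Assumed: servers on 10.1.10.0/24, management on
10.1.0.0/24, branch links on 10.255.0.0/30 and 10.255.0.4/30, and the rules.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

LOCAL_SITE = 1                     # this table belongs to the HQ core (10.1.0.0/16)
SERVERS = ip_network("10.1.10.0/24")
MGMT = ip_network("10.1.0.0/24")

# HQ core: connected department VLANs, one summary per branch, default to firewall.
# Branch links are /30 routed links, so no VLAN is stretched between sites.
HQ_CORE_ROUTES = {
    ip_network("10.1.0.0/24"): "vlan0 (management, connected)",
    ip_network("10.1.1.0/24"): "vlan1 (sales, connected)",
    ip_network("10.1.2.0/24"): "vlan2 (finance, connected)",
    ip_network("10.1.10.0/24"): "vlan10 (servers, connected)",
    ip_network("10.2.0.0/16"): "via 10.255.0.2 (branch-1 L3VPN link)",
    ip_network("10.3.0.0/16"): "via 10.255.0.6 (branch-2 L3VPN link)",
    ip_network("0.0.0.0/0"): "via 10.1.0.250 (firewall, default)",
}


def lookup(table: dict, ip: str) -> str:
    """Longest-prefix match: the most specific route wins, so a connected /24
    shadows the site /16, and the site /16 shadows the default route."""
    addr = ip_address(ip)
    best = max((net for net in table if addr in net), key=lambda n: n.prefixlen)
    return table[best]


def connected_prefix_violations(table: dict, local_site: int) -> list:
    """The answer's rule: nothing L2 between sites.  A 'connected' prefix on this
    core must lie inside the local site's /16; anything else means a VLAN has
    been stretched across a branch link.  Returns the offending prefixes."""
    local = ip_network(f"10.{local_site}.0.0/16")
    return [net for net, how in table.items()
            if "connected" in how and not net.subnet_of(local)]


# Inter-VLAN policy enforced where the traffic is routed.  First match wins;
# unmatched traffic is denied, which is what gives the department split value.
def _dept(a: IPv4Address) -> int:
    return a.packed[2]              # third octet is the department number


RULES = [
    ("to-servers", lambda s, d: d in SERVERS, "permit"),
    ("it-to-mgmt", lambda s, d: _dept(s) == 6 and d in MGMT, "permit"),
    ("same-dept-any-site", lambda s, d: _dept(s) == _dept(d), "permit"),
]


def policy_decision(src: str, dst: str) -> str:
    """Evaluate the ACL for a routed flow; returns 'permit (rule)' or 'deny (default)'."""
    s, d = ip_address(src), ip_address(dst)
    for name, match, action in RULES:
        if match(s, d):
            return f"{action} ({name})"
    return "deny (default)"


if __name__ == "__main__":
    for dst in ["10.1.1.5", "10.2.1.5", "10.3.4.9", "8.8.8.8"]:
        print(f"{dst:10} -> {lookup(HQ_CORE_ROUTES, dst)}")
    print("stretched VLANs:", connected_prefix_violations(HQ_CORE_ROUTES, LOCAL_SITE))
    for flow in [("10.1.1.5", "10.2.1.5"), ("10.1.1.5", "10.1.2.5"),
                 ("10.1.2.5", "10.1.10.7"), ("10.1.6.9", "10.1.0.250")]:
        print(flow, "->", policy_decision(*flow))
```

With the rules as written, HQ sales to branch sales (10.1.1.5 to 10.2.1.5) is permitted, HQ sales to HQ finance (10.1.1.5 to 10.1.2.5) is denied, and everyone reaches the server VLAN; deleting the `RULES` list shows the answer's point in reverse, since with no restrictions every inter-VLAN flow is routed just the same and the VLANs only shrink broadcast domains.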