Kitz Forum

Computers & Hardware => Networking => Topic started by: niemand on August 30, 2017, 11:39:21 PM

Title: Home network thoughts
Post by: niemand on August 30, 2017, 11:39:21 PM
Infidels, you seem a knowledgeable bunch. I would quite like to verify the home network I'm in the process of building with people who know what they are talking about. If you guys are cool with this I'll attach Visio exported images of both the logical and physical designs, along with the WiFi channel plan :)
Title: Re: Home network thoughts
Post by: Dray on August 31, 2017, 05:27:06 AM
Go for it  :cool:
Title: Re: Home network thoughts
Post by: niemand on September 01, 2017, 09:24:54 PM
Ah haven't bothered going super in-depth. I know what I'm doing and it will work. Suffice to say the relevant port density, VLANs to keep the subnets separate, etc, will be in place :)

The only NAT being done is at the Edge Router - traffic from the office network heading to the Interwebs will go via the ER-Lite. The rest of the network is all routed, and no static routes apart from the one across the /30 between BT and ER-L.

I have 5 x 8 port switches, all of which support VLANs and LACP.

It's a simple enough design, the SD-WAN looks after itself as far as failover goes and the IP-SLA, etc, on the ER-L will ensure a smooth transition in case of outages. Indeed, most things will see TCP sessions reset then resume without further issues.

(https://s26.postimg.org/k9s5jg6s9/Home.jpg)
Title: Re: Home network thoughts
Post by: niemand on September 02, 2017, 12:47:18 AM
If people are curious I'll do a more in-depth description of what I'm up to :)
Title: Re: Home network thoughts
Post by: burakkucat on September 02, 2017, 01:18:10 AM
. . . I'll do a more in-depth description of what I'm up to :)

That might be helpful.  ;)

I looked at your diagram and was puzzled as to what you wanted to discuss . . .  :-\
Title: Re: Home network thoughts
Post by: phi2008 on September 02, 2017, 01:30:51 PM
Off-topic and not really a comment on your network ... but as you are a network nerd, have you taken a look at running RouterOS (https://mikrotik.com/software) on a PC over the EdgeRouter? You can run a trial version in a VM or use WinBox on a demo account. I used to have an EdgeRouter - but am not keen on proprietary hardware, then switched to VyOS, now RouterOS which is more polished (it's run as a VM on Linux in my case).
Title: Re: Home network thoughts
Post by: Chrysalis on September 03, 2017, 04:21:48 AM
Ignition, that network is child's play ;)

Yes, I'm interested in more details.
Title: Re: Home network thoughts
Post by: burakkucat on September 03, 2017, 03:53:51 PM
Looking at the network map, the question "Why?" comes to mind. A perfectly valid answer would be "Because I can".

So I am intrigued as to why that network exists!  ;)
Title: Re: Home network thoughts
Post by: niemand on September 05, 2017, 12:50:58 AM
It seemed more complicated when I was trying to visualise it drunk.

Then I sobered up and it wasn't so complicated at all.
Title: Re: Home network thoughts
Post by: niemand on September 05, 2017, 12:57:06 AM
Looking at the network map, the question "Why?" comes to mind. A perfectly valid answer would be "Because I can".

So I am intrigued as to why that network exists!  ;)

It provides fail over, segments home office from other things, and, with a policy change, will also partially DMZ a machine that's a little exposed.

I'll put more detail on later. There is a server in the 0.0/24 network that I don't want communicating with things in the 1.0 network unless spoken to.

RIP is to receive routes, the SD-WAN speaks BGP so they both talk that at the ER-L and it redistributes - no static routes.

Unhappy with both WAN links on a single router. Might get another and get my VRRP on.
Title: Re: Home network thoughts
Post by: burakkucat on September 05, 2017, 01:08:38 AM
I'll put more detail on later.

I'm sure it will all become clear . . . eventually.  ;)
Title: Re: Home network thoughts
Post by: niemand on September 05, 2017, 08:54:19 AM
I don't want the ER-L to be doing too much DHCP detail. It doesn't seem to go well.

The EA9500 doesn't have a dedicated AP mode, so using it as a router is a good plan.

There are limits on the amount of cabling available. Initially the VM and BT WANs share a single cable, so VLANage is needed. When either of them reaches 500Mb/s throughput a second cable will be run, as the tromboning of the traffic will cause a bottleneck otherwise.

The alternative would be to connect them directly to the VM hub to pull publics, however that would break resiliency as they've only one possible route.

Switches running 4 VLANs for the most part: red, green, blue, yellow. The office switch also gets orange.

Red is the publicly addressed VM network.
Blue the BT <> ER-L network.
Green is the 192.168.0.0/24 ER-L LAN-side network.
Yellow is the 192.168.2.0/24 wireless / EA9500 LAN-side network.
Orange is a VLAN that is purely there to connect the lan0 port on the SD-WAN device to the docking station up there. This goes through a switch so that the SD-WAN doesn't see the port dropping and alarm every time the laptop is powered off.

There are 2 switches on the ground floor, one behind the TV taking the WAN feeds, another connecting to the EA9500 and to the other floors.
The link between the two ground floor switches carries red, blue and yellow. Red and blue for WAN transport, yellow to connect a couple of wired devices near the TV to the EA9500.
There's an 802.11ad LAG between ground and office, and between ground and top floor, 2 x GigE each.
The link between ground and office carries VLANs red and green.  Red for public IP, green for ER-L LAN.
The link between ground and top floor carries yellow. No need for public IP, an AP is going up there which requires yellow.

Firewalling is handled by NAT in 3 places - BT modem/router, ER-L and SD-WAN's publicly addressed interface.

So this is why the design is as it is.
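The VLAN-per-link plan above lends itself to a quick segmentation audit. The following is an added example, not the poster's configuration and not code from any of the products mentioned: it models the trunk-to-VLAN table from the post in Python, with switch and device names that are assumptions (the post does not name its switches), and checks which switches each VLAN can appear on at layer 2, whether two devices share a broadcast domain, and whether a mistyped trunk would leak a VLAN somewhere the plan says it must not go.

```python
"""Layer-2 reachability audit of the VLAN plan described in the post.

Added example, not the poster's configuration: the trunk table is
constructed from the post's description, and the switch and endpoint
names are assumptions (the post does not name its switches).
"""
from collections import deque

# Constructed: (switch_a, switch_b) -> VLANs the trunk between them carries.
TRUNKS = {
    ("gf_tv", "gf_core"): {"red", "blue", "yellow"},  # the two ground-floor switches
    ("gf_core", "office"): {"red", "green"},          # ground -> office LAG
    ("gf_core", "top"): {"yellow"},                   # ground -> top floor LAG
}

# Constructed: device -> (switch its access port is on, access VLAN).
ENDPOINTS = {
    "vm_hub":     ("gf_tv",   "red"),
    "bt_modem":   ("gf_tv",   "blue"),
    "tv_wired":   ("gf_tv",   "yellow"),
    "ea9500_lan": ("gf_core", "yellow"),
    "top_ap":     ("top",     "yellow"),
    "er_l_wan":   ("office",  "red"),
    "er_l_lan":   ("office",  "green"),
    "sdwan_lan0": ("office",  "orange"),
    "dock":       ("office",  "orange"),
}

# Constructed policy following the post: no public IP (red) on the top floor,
# orange stays on the office switch, yellow never reaches the office.
POLICY = {
    "red":    {"gf_tv", "gf_core", "office"},
    "blue":   {"gf_tv", "gf_core"},
    "green":  {"gf_core", "office"},
    "yellow": {"gf_tv", "gf_core", "top"},
    "orange": {"office"},
}


def adjacency(trunks):
    """Undirected switch graph; each edge carries the trunk's VLAN set."""
    adj = {}
    for (a, b), vlans in trunks.items():
        adj.setdefault(a, []).append((b, vlans))
        adj.setdefault(b, []).append((a, vlans))
    return adj


def vlan_footprint(trunks, endpoints, vlan):
    """Switches on which `vlan` exists: those with an access port in it,
    plus every switch reachable from them over trunks that carry it (BFS)."""
    adj = adjacency(trunks)
    seen = {sw for sw, v in endpoints.values() if v == vlan}
    queue = deque(seen)
    while queue:
        cur = queue.popleft()
        for nxt, vlans in adj.get(cur, []):
            if vlan in vlans and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def l2_reachable(trunks, endpoints, a, b):
    """True if a and b share a broadcast domain: same VLAN and a trunk path
    carrying that VLAN joins their switches. Different VLANs never meet at
    layer 2; only a router (here the ER-L or EA9500) can join them."""
    sw_a, vlan_a = endpoints[a]
    sw_b, vlan_b = endpoints[b]
    if vlan_a != vlan_b:
        return False
    return sw_b in vlan_footprint(trunks, {a: endpoints[a]}, vlan_a)


def segmentation_violations(trunks, endpoints, policy):
    """policy: vlan -> switches it is allowed on. Returns vlan -> switches it
    actually appears on beyond the policy; an empty dict means the plan holds."""
    violations = {}
    for vlan, allowed in policy.items():
        extra = vlan_footprint(trunks, endpoints, vlan) - set(allowed)
        if extra:
            violations[vlan] = extra
    return violations


if __name__ == "__main__":
    for vlan in POLICY:
        print(vlan, sorted(vlan_footprint(TRUNKS, ENDPOINTS, vlan)))
    print("violations:", segmentation_violations(TRUNKS, ENDPOINTS, POLICY))
    # A mistyped office trunk that also allows yellow is caught by the policy.
    leaky = dict(TRUNKS)
    leaky[("gf_core", "office")] = {"red", "green", "yellow"}
    print("with leaky trunk:", segmentation_violations(leaky, ENDPOINTS, POLICY))
```

The audit only reasons about layer 2; the routing between green, yellow and the office subnets is the ER-L's and EA9500's job, which is exactly why `l2_reachable` answers False for any pair in different VLANs. The policy table is the part worth keeping up to date: when the second WAN cable goes in, or a VLAN is added to a LAG, rerunning the check shows immediately whether a VLAN now appears on a floor it was never meant to.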
Title: Re: Home network thoughts
Post by: aesmith on September 21, 2017, 01:03:38 PM
Out of interest, what were the reasons for each of the two routing protocols? Also, what do you use as target(s) for your IP SLA? We seem to always be reviewing what makes a sensible target; I am still in two minds whether it's best to be checking only the local ISP or whether to test one or more targets in the wider Internet. It needs to be testing something that you don't access in normal use, or that you can go without during failover.