6

I have a head office and a number of suboffices. Both the head office and the suboffices need to access a corporate server, which is physically in the head office. But suboffices should not be able to access the head office or each other. Suboffices are at a substantial distance from each other and from the head office (many km).

Network structure

How do I design the network for this task?

I suppose each suboffice should have internet access. The Central Server LAN switch should have a static IP and OpenVPN software installed. For example, the SubOffice1 network is 10.0.1.x, SubOffice2 is 10.0.2.x, etc., the head office is 10.254.x.x, and the Central Server LAN is 192.168.0.x.

When a suboffice PC or head office PC needs to access the Central Server, the PC starts a VPN connection to the central server.

I should then use routers for each network and set up the firewall so that it permits connections from the inside network only, except for the Central Server LAN router.

Is this correct? Maybe there are some important details I should keep in mind when building this network? What hardware would you recommend for this (routers supporting the needed firewalling modes, etc.)?

ADDED 07/05/2012:

Our ISP can provide nothing except for Internet access. I cannot expect them to support anything like MPLS. ISPs are different in each suboffice and head office.

The number of suboffices is around 20.

Connections from the suboffices into the head office need to be encrypted because they will be routed through the internet.

I want the suboffices to be isolated from the head office and from each other completely, so that no packet can travel there and back.

I plan to have only Linux PCs in the offices, but there can be also some Windows machines. No Active Directory or something. Just a PC under Windows/Linux.

Any good books out there on the subject?

Vladislav Rastrusny

4 Answers

6

Matt Simmons wrote a series of excellent articles for simple-talk that you may find instructive:

  1. Networking The Crib Sheet
  2. Physical Network Layout for the Reluctant
  3. Logical Network Layout for Small Networks

But first a few points on your design:

  1. Suboffice = "branch office". You can google for "branch office network design" to get a good idea of what's available and what's generally deployed in these situations.
  2. Don't confuse your IP space, it's okay to use a 10.n.n.n network across all of your LAN. Use subnets and VLANs to separate your broadcast domains. The use of a 192.168.n.n in your server LAN adds needless complexity (to an arbitrary decision).
  3. Don't make each client responsible for establishing VPN connections, this will lead to as many headaches as there are clients. Establish the VPN at the router (or another dedicated VPN device).
  4. Contact your ISP/Carrier to see what type of equipment they offer for your type of service. This may affect your decisions for deployment.
  5. Specific hardware: look to the Cisco ASA series; they offer firewall, VPN, and routing all in a small package.

Good luck!


Update

You asked for a few books to get started with. I can offer you a few that deal directly with your problem here, and there are a few excellent books recommended elsewhere on serverfault that will help you in other ways as you need them.

More specifically, I would recommend starting with the Cisco CCNA series of books. It seems like you've already been thrown into the deep end of the pool with such a large deployment. The Cisco Press CCNA ICND1 will address many of the fundamental topics you need to learn. You can also try the CompTIA Network+ book as well. I have never read it, but it will offer a few new perspectives not offered in the CCNA.

Pay particular attention to the OSI Model, especially the differences between Layers 1, 2, and 3.

Beyond that, I would begin to look for "white papers" and "best practices" for branch office deployments (there are a few you will see in the google search I posted previously). Sysadmins only really learn something by doing it; think of this as applied engineering. There are often equal measures of analytic thought and seat-of-your-pants action.

Since you have 20 or more offices you will want to be able to centrally manage all of your services. You can start by calling around to different vendors and asking them for a solution (don't commit to anything on the phone! You can almost always ask for a better price, or extra equipment, or extra support; you are only buying 20 devices, but that's probably more than most). Also, don't believe 90% of what the vendor sales representative tells you; come back here and ask another question about the specific deployments you had in mind.

Once again, good luck!

Joseph Kern
  • I would also look at Sonicwall for your VPN connections as an alternative to Cisco – SpacemanSpiff May 07 '12 at 01:03
  • Budget constraints weren't specified but I'd suggest evaluating other solutions before a SonicWall. My experience with customers that had deployed them while working for an ISP was that they were a major source of bogus trouble tickets... – Joshua Hoblitt May 07 '12 at 06:12
  • Can you recommend me a good book on the subject? I mean a book that can guide me in the design of such networks? – Vladislav Rastrusny May 07 '12 at 08:26
  • Sure! updated above. – Joseph Kern May 09 '12 at 02:10
  • @SpacemanSpiff Isn't that cheaper just to buy a cheap PC and install something like Zentyal, pfSense or ClearOS on it? – Vladislav Rastrusny May 09 '12 at 21:30
  • @JosephKern It would be good to be able to avoid Cisco solutions for a while for me since they are a bit expensive :) – Vladislav Rastrusny May 09 '12 at 21:36
  • If you want to go cheap and relatively easy, [SmoothWall](http://www.smoothwall.org/) has been my favorite. But the ICND1 book is still a good choice, even if you aren't deploying Cisco. – Joseph Kern May 10 '12 at 00:05
  • The lowest end Sonicwalls can be had for $300 to $400. Yes, you could build a PC for cheaper, marginally. I've found that most people's issues with SonicWall come from not reading the manual. – SpacemanSpiff May 10 '12 at 01:36
  • @SpacemanSpiff at $300 - $400 you probably couldn't build a PC with the same throughput (unless you put a lot of research into it). – Joseph Kern May 10 '12 at 04:49
  • Yep... and with it you get a buttload of nice features, content filtering, anti-virus and intrusion protection, dedicated hardware for the IPsec tunnel decryption. I love them for what they are. A Juniper SRX can get it done too, but not so cheaply. – SpacemanSpiff May 10 '12 at 04:55
3

I really suggest going over this again. Switches are Layer 2 devices, and do not usually deal with IPs and especially not VPNs.

The best solution would be to have VPN-enabled routers in each office, then set up a site-to-site VPN to the central office, and set up routing correctly. You can do this even with OpenVPN and PCs with multiple network cards if you have small networks.

Subnet numbering is not important; just don't overlap the networks. You will also need subnets for router-to-router connections (a /30 is good enough), unless you use an L2 VPN and bridge the routers into your central internal network.

For two offices, routing can be done manually.

mulaz
  • Are there any routers that support both VPN and failover (I need to have two independent internet access channels in each suboffice, since the connection to the central server is vital for the suboffice) with a price up to $350? I have a low budget for this. Updated my question to include additional info. Thanks. – Vladislav Rastrusny May 07 '12 at 09:00
  • Posted a list I found to my [blog](http://ru.fractalizer.ru/frpost_218/список-недорогих-роутеров-до-10000-руб-по/). – Vladislav Rastrusny May 09 '12 at 21:31
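As an added illustration of the hub-and-spoke design suggested above (site-to-site OpenVPN at the routers, routing handled at the central office, suboffices isolated from each other and from the head office), here is a small policy model written for this thread, not code from the question or from any answer. It assumes routed (tun) OpenVPN on the central server with the address plan from the question, a tunnel network of 10.8.0.0/24, 20 branches, and interface names tun0/eth1 on the hub; it emits the server-side config lines, the per-site ccd iroute entries, and the iptables FORWARD rules that enforce "site to server LAN only", and lets you check a source/destination pair against that policy.

```python
from ipaddress import ip_address, ip_network

# Address plan from the question (constructed constants; 20 branches assumed).
SERVER_LAN = ip_network("192.168.0.0/24")
HEAD_OFFICE = ip_network("10.254.0.0/16")
BRANCHES = {f"suboffice{n}": ip_network(f"10.0.{n}.0/24") for n in range(1, 21)}
SITES = dict(BRANCHES, headoffice=HEAD_OFFICE)   # every LAN behind a VPN router
TUNNEL = ip_network("10.8.0.0/24")               # router-to-router tunnel addresses (assumed)

def site_of(addr):
    """Name of the site LAN an address belongs to, or None."""
    return next((name for name, net in SITES.items() if addr in net), None)

def allowed(src, dst):
    """Intended policy as seen at the hub: site <-> server LAN only, never site-to-site."""
    s, d = ip_address(src), ip_address(dst)
    return (site_of(s) is not None and d in SERVER_LAN) or \
           (s in SERVER_LAN and site_of(d) is not None)

def server_conf():
    """Hub server.conf lines. 'client-to-client' is deliberately absent: inter-site
    packets then pass through the hub kernel, where the FORWARD chain drops them.
    Only the server LAN route is pushed, so branch routers never learn other sites."""
    lines = [f"server {TUNNEL.network_address} {TUNNEL.netmask}",
             "client-config-dir ccd",
             f'push "route {SERVER_LAN.network_address} {SERVER_LAN.netmask}"']
    lines += [f"route {net.network_address} {net.netmask}" for net in SITES.values()]
    return lines

def ccd_entries():
    """Per-site ccd/<name> file: iroute tells OpenVPN which LAN sits behind that router."""
    return {name: f"iroute {net.network_address} {net.netmask}" for name, net in SITES.items()}

def forward_rules(tun="tun0", lan="eth1"):
    """Hub iptables FORWARD chain: default DROP, drop tunnel->tunnel hairpins,
    allow replies from the server LAN, allow each site only towards the server LAN."""
    rules = ["iptables -P FORWARD DROP",
             f"iptables -A FORWARD -i {tun} -o {tun} -j DROP",
             f"iptables -A FORWARD -i {lan} -o {tun} -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    rules += [f"iptables -A FORWARD -i {tun} -o {lan} -s {net} -d {SERVER_LAN} -j ACCEPT"
              for net in SITES.values()]
    return rules

if __name__ == "__main__":
    print("\n".join(server_conf()), "\n".join(forward_rules()), sep="\n\n")
    for pair in (("10.0.1.5", "192.168.0.10"), ("10.0.1.5", "10.0.2.5"), ("10.0.3.5", "10.254.1.1")):
        print(pair, allowed(*pair))
```

Each branch router additionally needs its own local firewall allowing only LAN-initiated traffic, as the question already proposes; the hub rules above are what stops one site reaching another through the central server.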
1

I will avoid duplicating the good advice that's already been posted to this thread, but I would like to add a point of consideration. When designing a network to deal with branch offices, a major consideration should be what level of separation is needed. Another way of looking at this issue is to consider what level of separation can be tolerated by applications.

These days most client <-> server / peer-to-peer applications are happy with L3 separation (in different subnets), but there are still apps in use that expect the peers to be in the same [multicast|subnet] broadcast domain or in some cases don't speak IP at all.

An L3 VPN or unencrypted tunnel (e.g. GRE) between routers will administratively be the least amount of work, and my advice would be to prefer this configuration if it meets your business requirements. However, it's important to consider what applications your network is required to support, both now and in the immediate future. Sometimes an L2 VPN/tunnel will be needed. It's important to consider this issue early in the design process, as it will have a major impact on equipment and/or software selection. Generally, L2 tunneling is not an option on older L3 equipment and often isn't available on current production low-end models.

Joshua Hoblitt
-3

Also, it depends on what type of resources you need to access.

If file sharing: for a small company I would use Dropbox or its commercial equivalent, JungleDisk.

Another option is using an MS SharePoint Server, which gives you the option of easy multi-site file collaboration.

Adam
  • Suggesting the use of an external resource for file sharing without really knowing anything about the available bandwidth of the sites is a very poor idea. Equally, Sharepoint is a bad suggestion when you don't even know if this is a Windows network. I won't downvote you for this (although somebody has) but do suggest in future you only make suggestions that you know, or can at least reasonably assume, based on the question that was asked. – John Gardeniers May 07 '12 at 02:35