The company I work for has 2 physically separate domains. This includes IT teams, server farms and networking infrastructure. The long-term plan is to rationalise and have 1 physical network. They are building a new site that is going to house services for both networks, and I need to design something that will allow connectivity to both domains but not allow either domain to communicate except through our existing firewall arrangements. I will be installing dual 1Gb links into the building for resilience.
One domain has a lot of public access and is untrusted; the second domain is corporate and needs to be secure.
I had originally thought about installing firewalls in all the buildings and running VPNs between them for the public access network, but the throughput would be limited.
I am considering VRF lite but don't know enough to make a decision. My understanding is the switch/router becomes virtual with a separate routing table for each network. If this is correct and there are no routes between the networks except via the firewalls, and I can run 2 OSPF instances and both networks can utilise the resilient links, this may well be the best way forward.
Can anyone with a bit more experience let me know if there is any reason for this not to work, or what I should watch out for?
VRF lite is a way to go. You can create two logically independent networks on a common HW infrastructure. You can have different routing protocols (be it OSPF for both), routing and security policies etc. You can even use the same IP addressing in both VRFs (should there be the need; I'm not saying you should).
You can use the existing firewall to allow/deny traffic between the VRFs according to your needs.
Create a VRF on your cores for each group of networks, put all the VLANs into one or the other VRF:
VLANs 3,4,5 in vrf-secure; VLANs 6,7,8 in vrf-public.
Create an egress or route peering VLAN on each VRF; a /27 or /28 would do.
Put an SRX or other firewall in and route/firewall all day long.
Put one EtherChannel cable to each of your cores, put the sub-interfaces that correspond to your different egress/routing VLANs into different zones, and even virtual routers if you want to keep the routing tables isolated. And BAM, you are done: easy to manage and scales like a boss.
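A worked example of the VRF-lite layout both answers describe (two VRFs, VLANs 3-5 and 6-8, a /28 peering VLAN per VRF toward the firewall, one OSPF process per VRF, both 1Gb links bundled), added here and not taken from any of the posts. It assumes Cisco IOS with the newer `vrf definition`/`vrf forwarding` syntax (older images use `ip vrf`/`ip vrf forwarding`); all addresses, interface names and the firewall next hops are constructed.

```cisco
! Two VRFs on each core: every VLAN belongs to exactly one of them.
vrf definition vrf-secure
 address-family ipv4
!
vrf definition vrf-public
 address-family ipv4
!
! Resilience: both 1Gb uplinks in one LACP EtherChannel trunk that carries
! the VLANs of both VRFs (separation is per VRF, not per physical link).
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 3-8,100,200
!
! Corporate VLANs 3-5 in vrf-secure, public VLANs 6-8 in vrf-public.
! "vrf forwarding" must come before "ip address": applying it clears any
! address already on the interface. (Vlan4/5 and Vlan7/8 follow the pattern.)
interface Vlan3
 vrf forwarding vrf-secure
 ip address 10.3.0.1 255.255.255.0
interface Vlan6
 vrf forwarding vrf-public
 ip address 10.6.0.1 255.255.255.0
!
! One /28 peering VLAN per VRF toward the firewall (.2 is the firewall).
interface Vlan100
 vrf forwarding vrf-secure
 ip address 10.100.0.1 255.255.255.240
interface Vlan200
 vrf forwarding vrf-public
 ip address 10.200.0.1 255.255.255.240
!
! One OSPF process per VRF. "capability vrf-lite" turns off the PE-router
! DN-bit/route-tag checks that would otherwise discard routes on a VRF-lite box.
router ospf 10 vrf vrf-secure
 capability vrf-lite
 network 10.3.0.0 0.0.0.255 area 0
 network 10.100.0.0 0.0.0.15 area 0
router ospf 20 vrf vrf-public
 capability vrf-lite
 network 10.6.0.0 0.0.0.255 area 0
 network 10.200.0.0 0.0.0.15 area 0
!
! Each VRF's only exit is its own firewall interface, so the firewall is the
! sole path between the domains. Never add a static route that names the other
! VRF's interface ("ip route vrf vrf-secure 10.6.0.0 255.255.255.0 Vlan200"):
! that is inter-VRF leaking and bypasses the firewall.
ip route vrf vrf-secure 0.0.0.0 0.0.0.0 10.100.0.2
ip route vrf vrf-public 0.0.0.0 0.0.0.0 10.200.0.2
```

Verify with `show ip route vrf vrf-secure` (it must contain no 10.6.0.0/24 or other public prefixes) and `show ip ospf neighbor` for each process; a prefix from the other domain showing up in a VRF's table means a leak that bypasses the firewall path.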