Convert from extending L2 (VLANS) to L3 routing

KoolM1

I have included a diagram that I quickly put together, https://i.imgur.com/275InwS.jpg

This is the current scenario, I'm extending L2 networks (which reside on the sonicwall) to each building (via fiber) into 48 port edgemax switches. There are about 7 buildings total, they are configured the same as building 1,2,3 in the drawing. All buildings share the same VLANs. Each VLAN does something specific (I have more than 4, but for saving space I only used 4).

For example:

VLAN 1- LAN

VLAN 2- WLAN

VLAN 3- Guest WLAN

VLAN 4- IP Cam Network

VLAN 5- VOIP Network

VLAN 6- Printer Network

My IP Camera Network is 192.168.4.0 /24 which means any IP Camera related component located in any building is assigned a 192.168.4.0 address from the DHCP Serve (Sonicwall). Same concept for LAN, WLAN, IP Phones, etc....

There is some redundancy in the network, I actually have two sonicwalls, configured in HA and two edgemax 16 port fiber switches in the main office, but I only included one of each in my drawing. Instead of two fiber cables going from each building to the edgemax 16 port (in my drawing), one fiber cable goes to one edgemax 16 port fiber switch and the second fiber cable goes to the second edgemax 16 port fiber switch.

Each building, however, only has a single network switch. That works for me (in this scenario) since the devices connecting to the switch only have one NIC.

Regardless, this question is more about routing.

I'm not looking to make any changes at this time, I'm trying to figure out the best way to set this up in a new environment (new property, new site, etc...) or if a rebuild were to happen, down the road, what could I do different.

Here is where I struggle....the design. I'm not sure what the best way to design this would be.

Do I start by going to the sonicwall, building a pt to pt network (/30) from the sonicwall to the first 16 port edgemax switch? Then building a second /30 from the sonicwall to the second 16 port edgemax switch?

From there, I'm not sure how each building talks back to their respective edgemax switches. I'm picturing everything having it own network and the routing protocol takes care of best path (if a link were to go down, etc).

At this point, this is more for learning, I'm not looking for configuration for each component. We do use a VAR and I'm not the only one on the networking team, but the others on my networking team don't want to discuss these types of things. They are either glorified help desk techs or 'older' and are set with how things are and even though I/we are not looking to change things, they don't want to waste time talking about it. With that mindset, I can't get anywhere with my internal resources. I'm sure the VAR would help even though it isn't cisco gear, but they'd also bill for their time, which is understandable, but not something I could approve.

Thanks in advance.

KoolM1

@koolm1 said in Convert from extending L2 (VLANS) to L3 routing:

I have included a diagram that I quickly put together, https://i.imgur.com/275InwS.jpg

This is the current scenario, I'm extending L2 networks (which reside on the sonicwall) to each building (via fiber) into 48 port edgemax switches. There are about 7 buildings total, they are configured the same as building 1,2,3 in the drawing. All buildings share the same VLANs. Each VLAN does something specific (I have more than 4, but for saving space I only used 4).

For example:

VLAN 1- LAN

VLAN 2- WLAN

VLAN 3- Guest WLAN

VLAN 4- IP Cam Network

VLAN 5- VOIP Network

VLAN 6- Printer Network

My IP Camera Network is 192.168.4.0 /24 which means any IP Camera related component located in any building is assigned a 192.168.4.0 address from the DHCP Serve (Sonicwall). Same concept for LAN, WLAN, IP Phones, etc....

There is some redundancy in the network, I actually have two sonicwalls, configured in HA and two edgemax 16 port fiber switches in the main office, but I only included one of each in my drawing. Instead of two fiber cables going from each building to the edgemax 16 port (in my drawing), one fiber cable goes to one edgemax 16 port fiber switch and the second fiber cable goes to the second edgemax 16 port fiber switch.

Each building, however, only has a single network switch. That works for me (in this scenario) since the devices connecting to the switch only have one NIC.

Regardless, this question is more about routing.

I'm not looking to make any changes at this time, I'm trying to figure out the best way to set this up in a new environment (new property, new site, etc...) or if a rebuild were to happen, down the road, what could I do different.

Here is where I struggle....the design. I'm not sure what the best way to design this would be.

Do I start by going to the sonicwall, building a pt to pt network (/30) from the sonicwall to the first 16 port edgemax switch? Then building a second /30 from the sonicwall to the second 16 port edgemax switch https://showbox.bio/ https://tutuapp.uno/ ?

From there, I'm not sure how each building talks back to their respective edgemax switches. I'm picturing everything having it own network and the routing protocol takes care of best path (if a link were to go down, etc).

At this point, this is more for learning, I'm not looking for configuration for each component. We do use a VAR and I'm not the only one on the networking team, but the others on my networking team don't want to discuss these types of things. They are either glorified help desk techs or 'older' and are set with how things are and even though I/we are not looking to change things, they don't want to waste time talking about it. With that mindset, I can't get anywhere with my internal resources. I'm sure the VAR would help even though it isn't cisco gear, but they'd also bill for their time, which is understandable, but not something I could approve.

Thanks in advance.

I got this,...

JKnott

@koolm1 said in Convert from extending L2 (VLANS) to L3 routing:

VLAN 6- Printer Network

Why do you have that? It will make using the printers more difficult. Also, is there any need to have the main WiFi on a separate VLAN. Also, the base LAN is not a VLAN.

marvosa

While it all works as is, the only thing I'm not fond of is all inter-VLAN traffic has to traverse the SonicWall. You will get better performance by creating your VLANs on the EdgeMax 16 and turning it into a distribution stack.

Also, any issue you have affects that VLAN in every building... it'd be a nightmare trying to track issues down. Best practice is to have different vlans in every closet in every building, but that's a complete re-design.

Do I start by going to the sonicwall, building a pt to pt network (/30) from the sonicwall to the first 16 port edgemax switch? Then building a second /30 from the sonicwall to the second 16 port edgemax switch?

I'm not sure of the functionality of the EdgeMax line, but I tend to lean towards performance, so here's what I'd do if you weren't going to add routers into the mix.... Layout unique VLANs and subnets for each site. Then replace the trunk from the sonicwall to the edgemax 16 with a /30 routed link. Then stack your EdgeMax 16's and turn them into a distribution stack running OSPF. If OSPF doesn't exist on the EdgeMax 16, then replace them with something that does. The connections between buildings would be a port channel (LACP) configured as a trunk allowing only the VLANs assigned to each building over the trunk.

Why do you have that? It will make using the printers more difficult. Also, is there any need to have the main WiFi on a separate VLAN. Also, the base LAN is not a VLAN.

@JKnott Not really, everything is direct IP anyway. At my last company, they carved out a /21 for each site. Within that /21, multiple /24's were assigned to a standand set of VLAN's much like the OP laid out. So, from an auditing and troubleshooting standpoint, it was usually helpful that printers were always in a particular range.

Also, is there any need to have the main WiFi on a separate VLAN

This is basically standard these days. Everyone wants their production traffic isolated from guests, etc. At work, we typically deploy 3-5 SSID's at each site... all assigned to different VLANs.

JKnott

@marvosa said in Convert from extending L2 (VLANS) to L3 routing:

was usually helpful that printers were always in a particular range.

The issue with printers on a different subnet is browsing no longer works. You have do specifically configure each printer, rather than just selecting one from one that's available.