Hey everyone,
I wanted to discuss the options I have with using RB hardware to replace an ageing ISA server. As I’m primarily a sysadmin & not a network admin, feel free to punch holes in any of my assumptions or comment on optimal implementation or optimization.
Right now, I’m investigating the RB1100AH (or x2) that’s set to be released, primarily for the advantages given by hardware acceleration for VPN use.
Features that will be used:
- Firewall
- DHCP
- DNS
- VPN (RB to remote client PCs)
- Proxy*
Features required but not used from the start:
- IPv6 ready*
- Bandwidth manager / QoS*
Network layout:
Internet connectivity:
Internet connectivity is provided by cable/fiber modem, IP is received from ISP’s DHCP (although contractually fixed IP, it is still pushed through DHCP). Only one connection is currently present, but the option to add a backup connection is required.
Internal networks:
- VLAN 1: Office/Local Network. RB must provide DHCP within predefined range.
- VLAN 2: QA Network (mimics datacenter environment for QA purposes, including IPs). IPs are fixed for all servers, no DHCP required.
- VLAN 3: Demo/Meeting Room Network. RB must provide DHCP.
Connectivity of VLANs:
- VLAN 1 must be able to connect to the internet as well as be routed to VLAN2 (and receive replies from QA servers).
- VLAN 2 must be able to connect to the internet for all except SMTP & POP3 (blocked). Must reply to VLAN 1 when receiving traffic, but it is not necessary for QA servers to initiate connections to VLAN 1.
- VLAN 3 must be able to connect to the internet and nothing else. It is basically a DMZ with DHCP enabled if you will.
- None of the VLANs need to be able to accept externally (internet) initiated connections.
VPN connectivity:
VPN connectivity simply means external computers safely connecting to our network(s). There are no plans to use a network to network type of VPN, only client to office VPN. There are a few different profiles:
- Full access: Access to all networks (though only VLAN 1 & VLAN 2 required). Likely only used by myself and my backup.
- Codemonkey access: Access to VLAN 1 (domain, document storage,…) and VLAN 2 (QA web, QA SQL, SVN,…).
- Employee access: Access to VLAN 1 (domain, document storage, CRM,…) and limited VLAN 2 (QA web servers only).
- Restricted external sales access: Access to limited parts of VLAN 1 (CRM app, document storage,…).
- Restricted QA testing access: Access to limited parts of VLAN 2 (QA web servers only).
- Restricted external development access: Access to VLAN 2 (QA web, QA SQL, SVN,…).
(if access to multiple VLANs at once through VPN is troublesome or impossible, this can be implemented differently on network level)
I’m guessing up to here, nothing shocking and nothing impossible.
But now comes the next issue: redundancy/failoverability. I don’t actually need something that will automatically take over if the primary RB fails. However, I do need to have something in stock that can be pulled out of the closet, plugged in and we’re back up again if the primary RB fails.
I guess the easiest choice would be to have a primary RB1100AH backed up by an RB1100 in the closet (preconfigured). The configuration would be easy since it would be identical save for the hardware-assisted encryption and higher memory (?). Simply dumping the config of one and restoring it on the other should work. However, this solution is somewhat on the edge of the kind of budget we originally had in mind for this (slightly over budget, actually).
Are there other match-ups that could still be easy to roll out in case of failure? I can imagine that an RB1100AHx2 as a primary and a 493G or 450G as a temporary catastrophic-failure fix would be a better use of the budget. But I can imagine the configuration from the 1100 series cannot simply be restored on a 750G/RB493AH… How hard would it be to keep a 493G/450G ready in case of failure with a parallel configuration? And can a 493G/450G do everything we want it to (with a significant hit to VPN speed & throughput, obviously)?
(The features listed above with a * are not actually required in case of failure)
Thanks for the feedback!
PS: Where do you suggest we buy these? There is no Belgian distributor, it seems.
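The VLAN connectivity rules and the per-profile VPN access described in the post above, written out as a RouterOS firewall filter. This is an added example, not configuration from the original post or from MikroTik; the interface names, subnets, the IPsec choice for the client VPN, and the per-profile VPN address pool are assumptions. The point worth seeing is that "VLAN 2 may reply to VLAN 1 but never initiate" is simply a stateful established/related rule plus the absence of a VLAN2-to-VLAN1 accept, and that giving each VPN profile its own address pool lets one set of rules grant access to several VLANs at once.

```routeros
# Assumed names and subnets (constructed for this example, not from the post):
#   ether1-wan     ISP-facing port, address taken from the ISP's DHCP
#   vlan1-office   192.168.1.0/24  (RB serves DHCP)
#   vlan2-qa       192.168.2.0/24  (static addresses, QA web at .10-.19)
#   vlan3-demo     192.168.3.0/24  (RB serves DHCP)
#   10.200.5.0/24  address pool assigned only to the "restricted QA testing" VPN profile

/ip firewall filter
# Stateful core: return traffic for any permitted flow is accepted here.
# This is what lets QA servers answer VLAN 1 without being able to initiate to it.
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for established flows"
add chain=forward connection-state=invalid action=drop

# VLAN 1 (office): internet, and may initiate to VLAN 2
add chain=forward in-interface=vlan1-office out-interface=ether1-wan action=accept
add chain=forward in-interface=vlan1-office out-interface=vlan2-qa action=accept

# VLAN 2 (QA): internet only, SMTP and POP3 blocked; no rule towards VLAN 1
add chain=forward in-interface=vlan2-qa out-interface=ether1-wan protocol=tcp \
    dst-port=25,110 action=reject reject-with=icmp-admin-prohibited \
    comment="QA must not send mail or poll POP3"
add chain=forward in-interface=vlan2-qa out-interface=ether1-wan action=accept

# VLAN 3 (demo/meeting room): internet and nothing else
add chain=forward in-interface=vlan3-demo out-interface=ether1-wan action=accept

# "Restricted QA testing" VPN profile: only the QA web servers on VLAN 2.
# Other profiles get their own pool and their own accept rules in the same style.
add chain=forward src-address=10.200.5.0/24 dst-address=192.168.2.10-192.168.2.19 \
    protocol=tcp dst-port=80,443 action=accept comment="VPN QA testers -> QA web only"

# Everything not matched above is dropped; this also covers all
# internet-initiated connections towards any VLAN.
add chain=forward action=drop comment="default deny (add action=log in front while debugging)"

# Traffic to the router itself: VPN from the internet, management from the office VLAN
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1-wan protocol=udp dst-port=500,4500 action=accept \
    comment="IPsec IKE and NAT-T (assumed VPN type)"
add chain=input in-interface=ether1-wan protocol=ipsec-esp action=accept
add chain=input in-interface=vlan1-office action=accept comment="management from office VLAN"
add chain=input action=drop

/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade
```

Because the rule set references interface names rather than port numbers, the same export can be imported on a smaller spare board (493G/450G) as long as the VLAN and WAN interfaces are created with identical names there.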