Over the last 5 years my company has expanded about 50% and we are now just about out of IP addresses. We have four buildings (one main and one branch) between two cities, each city have a single subnet with a Cisco 1310 bridge between each building. The main building in each city is connected to each other using a single T1 with AdTran routers. Each city has Active Directory, file server (some DFS Shares), and it's own internet access. We have IP phones on the network and are simply using DSCP for QoS and it's been working fine. We have voice rules setup on the AdTran's based on DSCP and the ports the phone systems in each location use for communication. We also have two VLANs, one for our "secure" network (which has servers, users, phones, everything) and the other a "unsecure" network for customers that connects to the DMZ port of our proxy server for internet access. It looks something like this currently (not showing the branch offices in each city as they have the same subnets as respective city):
ISP 1 ISP 2
| 192.168.254.0/30 |
Layer-2 Switch 1 -- 3205 ---------- 3205 -- Layer-2 Switch 2
| | .1 .2 | |
| | | |
VLAN 10 VLAN 20 VLAN 10 VLAN 20
10.0.0.0/24 192.168.0.0/24 10.0.1.0/24 192.168.1.0/24
City A Main Building City B Main Building
So the VLAN traffic DOESN'T currently route across the AdTrans (10.0.* routes across, 192.168.* stays on it's respective sides) and the AdTrans doesn't forward the VLAN info. I have recently purchased two Cisco 1921's to replace my aging AdTrans and I also purchased new Dell Layer 3 switches as my core switches in each main office as I'm almost out of ports. I am now to the point where I have to expand and also plan for another branch office. I believe I have two options:
1) Split each office into it's own subnet using the Dell layer 3 switch as my router which will buy me some time (as I could just switch to a /23 or /22 for expansion in each office if needed). I would keep with the DSCP QoS tagging. One problem with this is I do want all users to be in the same broadcast domain because of some software we use "city wide" and also I know we will run out of IP addresses in the main locations and have to switch to a /23 which I'd like to avoid if possible.
2) Create 4 VLAN's (users, servers/infrastructure, phones, and DMZ/unsecure) using one subnet for each in each city. The DMZ/unsecure like currently would not go across the T1 like. I could do QoS per VLAN (and leave the DSCP QoS on also), would only need one DHCP scope (for users), each "city" would remain it's own broadcast domain, and it would make it easier to segment in the future or say expand just the users scope. Problem with this is it will be harder to manage, tagging all the different ports on the switches and making sure the VLAN's are setup to go over the wireless bridges and the cisco routers.
Is one of these the "preferred" method? Is there a better way to do what I want?
Choose 2, i think is better way for your design...only need layer 3 hardware on each city.
I've been trying to program this but I'm having issues understanding some of it. Is there a good site or primer on making this type of setup work on the internet somewhere? It doens't seem overly complicated but in practice it's becoming a PITA.
I think we are just going to go with a /23 subnet putting all servers, phones, and infrastructure on 0.* and all users on 1.*. We don't ned the "security" of VLAN's and all our VoIP rules are working fine with DSCP tagging on the phones and switches. It would be nice to go to this type of structure but honestly it's a bit overly complicated for a company of 170 people.