Network design help needed (main office + branch offices + central server)

I have a head office and a number of suboffices. Both the head office and the suboffices need to access a corporate server, which is physically in the head office. But the suboffices should not be able to access the head office or each other. The suboffices are a substantial distance from each other and from the head office (many km).

Network structure

How do I design the network for this task?

I suppose each suboffice should have internet access. The Central Server LAN switch should have a static IP and OpenVPN software installed. For example, the SubOffice1 network is 10.0.1.x, SubOffice2 is 10.0.2.x, etc., the head office is 10.254.x.x, and the Central Server LAN is 192.168.0.x.

When a suboffice PC or head office PC needs to access the Central Server, the PC starts a VPN connection to the central server for this.

I should then use routers for each network and set up the firewall so that it permits connections from the inside network only, except for the Central Server LAN router.

Is this correct? Maybe there are some important details I should keep in mind when building this network? What hardware would you recommend for this (routers supporting the needed firewalling modes, etc.)?

ADDED 07/05/2012:

Our ISP can provide nothing except Internet access. I cannot expect them to support anything like MPLS. The ISPs are different in each suboffice and in the head office.

The number of suboffices is about 20.

Connections from the suboffices into the head office need to be encrypted because they will be routed through the internet.

I want the suboffices to be isolated from the head office and from each other completely, so that no packet can travel there and back.

I plan to have only Linux PCs in the offices, but there may also be some Windows machines. No Active Directory or anything like that. Just PCs running Windows/Linux.

Any good books out there on the subject?


Solution 1:

Matt Simmons wrote a series of excellent articles for simple-talk that you may find instructive:

  1. Networking The Crib Sheet
  2. Physical Network Layout for the Reluctant
  3. Logical Network Layout for Small Networks

But first a few points on your design:

  1. Suboffice = "branch office"; you can google for "branch office network design" to get a good idea of what's available and what's generally deployed in these situations.
  2. Don't confuse your IP space; it's okay to use a 10.n.n.n network across all of your LANs. Use subnets and VLANs to separate your broadcast domains. The use of 192.168.n.n in your server LAN adds needless complexity (to an arbitrary decision).
  3. Don't make each client responsible for establishing VPN connections; this will lead to as many headaches as there are clients. Establish the VPN at the router (or another dedicated VPN device).
  4. Contact your ISP/carrier to see what type of equipment they offer for your type of service. This may affect your decisions for deployment.
  5. Specific hardware: look to the Cisco ASA series; they offer firewall, VPN, and routing all in one small package.

Good luck!


Update

You asked for a few books to get started with, I can offer you a few that deal directly with your problem here, and there are a few excellent books recommended elsewhere on serverfault that will help you in other ways as you need them.

More specifically, I would recommend starting with the Cisco CCNA series of books. It seems like you've already been thrown into the deep end of the pool with such a large deployment. The Cisco Press CCNA ICND1 will address many of the fundamental topics you need to learn. You can also try the CompTIA Network+ book as well. I have never read it, but it will offer a few new perspectives not offered in the CCNA.

Pay particular attention to the OSI Model, especially the differences between Layers 1, 2, and 3.

Beyond that, I would begin to look for "white papers" and "best practices" for branch office deployments (there are a few you will see in the google search I posted previously). Sysadmins only really learn something by doing it; think of this as applied engineering. There are often equal measures of analytic thought and by-the-seat-of-your-pants action.

Since you have 20 or more offices, you will want to be able to centrally manage all of your services. You can start by calling around to different vendors and asking them for a solution (don't commit to anything on the phone! You can almost always ask for a better price, or extra equipment, or extra support; you are only buying 20 devices, but that's probably more than most). Also, don't believe 90% of what the vendor sales representative tells you; come back here and ask another question about the specific deployments you have in mind.

Once again, Good luck!

Solution 2:

I really suggest going over this again. Switches are Layer 2 devices, and do not usually deal with IPs and especially not VPNs.

The best solution would be to have VPN-enabled routers in each office, then set up a site-to-site VPN to the central office and set up routing correctly. You can do this even with OpenVPN and PCs with multiple network cards if you have small networks.

Subnet numbering is not important; just don't overlap the networks. You will also need subnets for router-to-router connections (a /30 is good enough), unless you use an L2 VPN and bridge the routers to your central internal network.

For two offices, routing can be done manually.
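The following is an added example, not code from the question or from either answer: a POSIX shell script that renders the hub-side pieces of the design both answers point at (Solution 1, point 3: terminate the VPN at the router; Solution 2: site-to-site OpenVPN plus routing), with the branch isolation the poster asked for enforced at the hub. Everything beyond the question's own numbering is an assumption: branch N's LAN is 10.0.N.0/24 and its router authenticates with a certificate whose CN is `branchN`; the server LAN 192.168.0.0/24 sits on `eth0` of the hub and the VPN on `tun0`; the tunnel address pool 10.255.0.0/24 with `topology subnet` stands in for the per-link /30s Solution 2 mentions; the PKI files (`ca.crt`, `server.crt`, `server.key`, `dh.pem`, `ta.key`) already exist. Two details matter for isolation: `client-to-client` is left out, because with it OpenVPN switches branch-to-branch traffic inside the daemon where the kernel firewall never sees it, and only the server LAN is pushed as a route, so a branch router never learns the head office or other branch prefixes.

```shell
#!/bin/sh
# Added example (not from the thread): render the hub-side OpenVPN server
# config, one ccd entry per branch, and the hub FORWARD firewall.
# Assumptions: branch N LAN = 10.0.N.0/24, cert CN = branchN, server LAN
# 192.168.0.0/24 on eth0, VPN on tun0, tunnel pool 10.255.0.0/24, PKI present.
set -eu

OUT="${OUT:-./hub-config}"
N_BRANCHES="${N_BRANCHES:-20}"
SERVER_LAN="192.168.0.0/24"
TUN_POOL="10.255.0.0 255.255.255.0"

# LAN prefix of branch N, following the question's 10.0.N.x plan.
branch_subnet() {
    echo "10.0.$1.0/24"
}

# client-config-dir entry for branch N: iroute tells the OpenVPN daemon which
# connected client owns that LAN, so replies go back down the right tunnel.
ccd_entry() {
    echo "iroute 10.0.$1.0 255.255.255.0"
}

render_server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun0
topology subnet
server $TUN_POOL
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
client-config-dir ccd
ccd-exclusive
keepalive 10 60
# Only the server LAN is pushed: no route to the head office or to other
# branches is ever advertised, so a branch never learns those prefixes.
push "route 192.168.0.0 255.255.255.0"
# 'client-to-client' is deliberately absent: with it OpenVPN switches traffic
# between branches inside the daemon and the kernel firewall never sees it.
EOF
    # Kernel routes for each branch LAN via tun0 (iroute alone is not enough).
    i=1
    while [ "$i" -le "$N_BRANCHES" ]; do
        echo "route 10.0.$i.0 255.255.255.0"
        i=$((i + 1))
    done
}

# Hub FORWARD policy: a branch may open connections to the server LAN only.
render_firewall() {
    cat <<EOF
#!/bin/sh
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Branch-to-branch packets enter on tun0 and would leave on tun0: drop them.
iptables -A FORWARD -i tun0 -o tun0 -j DROP
# New connections from a branch only towards the server LAN.
iptables -A FORWARD -i tun0 -o eth0 -d $SERVER_LAN -j ACCEPT
# Nothing else is accepted, so the head office cannot reach a branch either.
EOF
}

write_all() {
    mkdir -p "$OUT/ccd"
    render_server_conf > "$OUT/server.conf"
    render_firewall > "$OUT/firewall.sh"
    i=1
    while [ "$i" -le "$N_BRANCHES" ]; do
        ccd_entry "$i" > "$OUT/ccd/branch$i"   # file name must equal the cert CN
        i=$((i + 1))
    done
}

# Usage: OUT=/etc/openvpn sh hub.sh write
if [ "${1:-}" = "write" ]; then
    write_all
fi
```

Each branch router then runs an ordinary OpenVPN client with its own `branchN` certificate; the route to 192.168.0.0/24 is pushed to it, and its LAN hosts use the router as default gateway. The FORWARD chain runs on the hub, so a compromised branch router cannot relax it.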