I have been tasked to redesign a small 4 location network. We are currently on MPLS and migrating to a Metro Ethernet solution for increased bandwidth. We will have one location as our data center which has a beefy internet connection to serve the other locations and contains our main ESXi servers + SAN. A second location acts as the disaster recovery location where the backup ESXi servers etc. are placed. There is an internet connection at this location that will serve as the backup -- in the event the main location internet goes down, all locations should get their internet from the DR location. I have Ubiquiti gear at all locations except one which has a Cisco 2901. We are considering adding locations in the near future that also have Cisco 2901s -- I'd like to avoid replacing these with Ubiquiti gear until I have to (only because they have invested a lot in the Cisco equipment already).
Coming from a system admin background, I'm very far behind on my networking skills so I'm not entirely sure of the best way to architect this new network. The Metro Ethernet solution is completely invisible to us at layer 3; we can use whatever VLANs, QoS etc. we want. We have 3 networks: untagged for data traffic (mostly due to the IP phones, which boot on the untagged VLAN, receive a DHCP packet that switches voice traffic to VLAN 4, and leave the traffic from the PC connected to the phone's switch port untagged -- not ideal but it works well). Tagged VLAN 4 is voice traffic and tagged VLAN 9 is DMZ (for guest WiFi use). We have a Sophos ASTARO which is the main firewall at the main location and a Cisco ASA5505 to firewall the secondary/backup internet connection at the DR site.
I created a basic diagram of how I plan to segment the network. The WAN links are in OSPF area 0, and each site has an OSPF area -- this part seems to work pretty well and everything can route to everything. I do need to block the DMZ VLAN from talking to everything on the voice and data VLAN except maybe the firewall to get out to the internet?
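Below is an added example, not part of the original post, of how the DMZ (VLAN 9) filtering asked about above could be expressed on the Cisco 2901 site. All addresses are constructed placeholders: the data VLAN (untagged) is 10.30.1.0/24, voice VLAN 4 is 10.30.4.0/24, guest DMZ VLAN 9 is 10.30.9.0/24, the Metro Ethernet segment is 10.255.0.0/24, and the Sophos inside interface is assumed to be 10.10.1.1. The ACL is applied inbound on the DMZ sub-interface, so it filters guest traffic at its first hop and does not depend on which site currently carries the default route (main or DR internet).

```cisco
! Added example (not from the original post). Cisco 2901 at one branch site.
! All addresses are constructed placeholders, see the lead-in.
!
! Guest traffic is filtered where it enters the network: inbound on the
! DMZ sub-interface. Denying every private range covers the voice and data
! VLANs at this site, the same VLANs at the other sites, the Metro-E segment
! and both firewalls' inside interfaces, so the policy holds during failover.
ip access-list extended DMZ-IN
 remark guests must be able to obtain an address from the router (DHCP)
 permit udp any eq bootpc any eq bootps
 remark DNS to the firewall only, assuming it is the guest resolver (assumption)
 permit udp 10.30.9.0 0.0.0.255 host 10.10.1.1 eq domain
 remark block all internal ranges: voice, data, DMZ at other sites, WAN, firewalls
 deny   ip 10.30.9.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.30.9.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.30.9.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark what is left is public address space, routed toward the firewall
 permit ip 10.30.9.0 0.0.0.255 any
 deny   ip any any
!
interface GigabitEthernet0/1
 description LAN trunk to site switch
 no ip address
!
interface GigabitEthernet0/1.1
 description data (untagged / native VLAN)
 encapsulation dot1Q 1 native
 ip address 10.30.1.1 255.255.255.0
!
interface GigabitEthernet0/1.4
 description voice
 encapsulation dot1Q 4
 ip address 10.30.4.1 255.255.255.0
!
interface GigabitEthernet0/1.9
 description DMZ / guest WiFi
 encapsulation dot1Q 9
 ip address 10.30.9.1 255.255.255.0
 ip access-group DMZ-IN in
!
interface GigabitEthernet0/0
 description Metro Ethernet (OSPF area 0)
 ip address 10.255.0.3 255.255.255.0
!
router ospf 1
 router-id 10.255.0.3
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 10.255.0.0 0.0.0.255 area 0
 network 10.30.0.0 0.0.255.255 area 3
```

Two design points worth noting. First, no explicit permit to the firewall's address is needed for internet access: guest packets to public destinations simply follow the default route to the firewall, and the firewall's own inside address is only reachable if a line like the DNS permit above allows it. Second, the same ACL logic has to exist on every site's DMZ gateway (the Ubiquiti routers at the other three sites), because OSPF will happily advertise every internal subnet to every site; filtering at the DMZ's first hop is what keeps the guest network isolated, not the routing design.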