network design assistance

Hi all,
I have a design that is working, but I need suggestions on improving the setup. Here is the current layout:
(attached diagram: Example.gif)


I would like to have ER 1 be able to access/configure all sites, as I VPN into it when I need to do something. I would also like for everything to use preferred WANs unless an outage occurs; then it would route to another WAN. I don't care about sites "talking" to each other. I can always add a firewall rule to block it if it becomes a problem. I prefer to sit at any location and manage all locations at any given time.
My current layout has routers in regular setup with a gateway and a LAN. I have ER1 connected to ER2, but no internet flow to/from either device (just LAN traffic to respective interface IP address). Should I be using OSPF/BGP?
 
Okay, so a couple of questions. How are sites 1 and 2 connected? How do you want all the sites connected?

The failover for WANs would have to be set at the site level and depending on how the sites are connected, you may need to do additional configuration.
 
1 and 2 are wireless bridges. Some are wireless bridges and some are fiber. I feel like I can do the configuration if I just have a bit of guidance on best setup.
I'm thinking I am overthinking it all. Maybe just a failover config on 1, 3, and 4 and load balancing on 2.
With that I would wonder how I would manage the rest of the network from a site if all the connections to other sites are set up as WANs?
 
So it sounds like you're just learning and labbing, correct?
 
So here's what I do for basically the same thing. I have 3 sites vs 4, but the concepts are the same.

I have IPsec tunnels between each site. So all the local devices as well as the routers themselves are manageable from anywhere. One of these sites has dual WANs. I actually use each WAN separately to connect to the other sites so that if one WAN goes down, I can get in through the other. Pretty simple and it works without supernetting or any other concepts.
 
Maybe think of something like an SD-WAN, where each site can talk to each other, to maybe simplify and auto-route.

However, similar to the above idea of IPsec tunnels to and from each site to each other site, in this theory for 4 sites you would need 6 IPsec tunnels with the ability to fail over WANs for redundancy at each site. Example: A to B, A to C, A to D, B to C, B to D, and C to D. If, say, you used pfSense you could configure for constant connection or on demand as well as rules to promote a WAN in case of outage. The advantage here is you could decentralize, say, something like AD and have your PDC roll over to any active site and have the other sites still have full communication. It gets kind of tricky though with apps if you are hosting in site A without some kind of VMware vMotion replication going on in the back end. You could also have each site with a /24 subnet, which would play nice with AD sites.
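As an added example (not code from the thread or any of the posters), the script below models the two designs discussed here: the full mesh of 6 IPsec tunnels for 4 sites from the post above, and the earlier post's trick of building a separate tunnel over each WAN of a dual-WAN site. The site names, WAN names and which site has dual WANs are constructed assumptions. It counts the tunnels each design needs and then checks which site pairs lose their direct tunnel when a single WAN link fails, which is the property that decides whether you can still manage every site from anywhere during an outage.

```python
"""Constructed model of a full-mesh IPsec site-to-site design with per-WAN tunnels.

Each site has one or more WAN links. A tunnel terminates on one WAN at each end,
so a WAN outage takes down every tunnel that uses it. The check asks: after a
single WAN failure, does every site pair still have at least one working
direct tunnel?
"""
from itertools import combinations, product

# Constructed topology (assumption, not from the thread): four sites,
# site B has two WAN links, the others have one.
SITES = {
    "A": ["A-wan1"],
    "B": ["B-wan1", "B-wan2"],
    "C": ["C-wan1"],
    "D": ["D-wan1"],
}


def full_mesh_pair_count(site_count):
    """Number of site pairs (hence tunnels) in a full mesh: n*(n-1)/2."""
    return site_count * (site_count - 1) // 2


def mesh_tunnels(sites, per_wan=True):
    """Build the tunnel list as (site1, wan1, site2, wan2) tuples.

    per_wan=True  -> one tunnel for every WAN pair between two sites, so a
                     dual-WAN site gets two tunnels to each peer (redundant).
    per_wan=False -> a single tunnel per site pair on each site's first WAN.
    """
    tunnels = []
    for s1, s2 in combinations(sorted(sites), 2):
        if per_wan:
            for w1, w2 in product(sites[s1], sites[s2]):
                tunnels.append((s1, w1, s2, w2))
        else:
            tunnels.append((s1, sites[s1][0], s2, sites[s2][0]))
    return tunnels


def broken_pairs(sites, tunnels, failed_wans=frozenset()):
    """Site pairs with no remaining direct tunnel once failed_wans are down."""
    failed = frozenset(failed_wans)
    alive = set()
    for s1, w1, s2, w2 in tunnels:
        if w1 in failed or w2 in failed:
            continue  # this tunnel rides a dead WAN on at least one end
        alive.add((s1, s2))
    return [pair for pair in combinations(sorted(sites), 2) if pair not in alive]


def single_wan_failure_report(sites, per_wan=True):
    """Map each WAN link to the site pairs that lose connectivity if it fails."""
    tunnels = mesh_tunnels(sites, per_wan)
    wans = [w for links in sites.values() for w in links]
    return {w: broken_pairs(sites, tunnels, {w}) for w in wans}


if __name__ == "__main__":
    print("site pairs in a 4-site mesh:", full_mesh_pair_count(len(SITES)))
    for per_wan in (False, True):
        print(f"\nper-WAN tunnels = {per_wan}: "
              f"{len(mesh_tunnels(SITES, per_wan))} tunnels")
        for wan, broken in single_wan_failure_report(SITES, per_wan).items():
            print(f"  {wan} down -> broken pairs: {broken or 'none'}")
```

Running it shows the point of the per-WAN tunnels: with one tunnel per site pair, losing B's first WAN cuts B off from every peer, whereas with a tunnel over each of B's WANs the same outage breaks nothing. A single-WAN site such as A is isolated by its one link failing under either design, which is the case the earlier posts address with WAN failover at the site itself.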
 
Interesting. I may need to read up on SD-WANs. Any good online guides?
 