network-infrastructure-diagrams

ISP Core Network Topology

Deployment: Regional Fiber ISP (2021-2022)
Location: Multi-site Telecommunications Infrastructure
Scale: 700+ concurrent subscribers
Performance: 99.8% uptime over operational period

Overview

This ISP core network was designed to handle high-capacity internet service delivery for 700+ residential and business subscribers across multiple regional sites. The infrastructure required robust load balancing, traffic shaping, and network redundancy to maintain service quality across a 10Gbps backbone.

Network Design

ISP Core Architecture

Internet (Upstream Providers)
├── 10Gbps Fiber Backbone
├── BGP Peering with multiple upstream providers
└── Redundant WAN connections

Core Layer (Server Room)
├── MikroTik CCR (Core Router)
│   ├── Load balancing across 10Gbps links
│   ├── BGP routing management
│   ├── Traffic shaping and QoS
│   └── Subscriber bandwidth management
├── Distribution Switches (10GbE uplinks)
└── Monitoring and management servers

Distribution Layer
├── Fiber distribution to neighborhoods
├── GPON for residential subscribers
└── Dedicated fiber for business clients

Equipment List

Core Infrastructure:

• MikroTik CCR series (core router) - 10Gbps capable
• 10GbE distribution switches
• GPON OLT equipment for subscriber distribution
• Redundant power supplies and UPS systems

Subscriber Access:

• GPON ONT units for residential
• Direct fiber connections for business clients
• Managed CPE for enterprise customers
• Backup: 50Mbps cable (automatic failover)

IP Addressing

VLAN	Network	Purpose	Gateway	DHCP Range
10	10.1.10.0/24	Technical Support	10.1.10.1	10.1.10.100-200
20	10.1.20.0/24	Customer Service	10.1.20.1	10.1.20.100-200
30	10.1.30.0/24	Management	10.1.30.1	10.1.30.100-150
40	10.1.40.0/24	Finance	10.1.40.1	10.1.40.100-120
50	10.1.50.0/24	VoIP	10.1.50.1	10.1.50.100-250
100	10.1.100.0/24	Servers/Management	10.1.100.1	Static only
200	10.1.200.0/24	Guest WiFi	10.1.200.1	10.1.200.10-250

Traffic Flow

Internet Access

1. Client → Floor switch → Core switch
2. Core switch → pfSense firewall (VLAN-aware)
3. pfSense → MikroTik router → Internet
4. Failover: If primary WAN down, MikroTik switches to backup within 5 seconds

Inter-VLAN Routing

• Handled by MikroTik CCR
• Firewall rules on pfSense control inter-VLAN traffic
• VoIP VLAN has priority QoS marking

VoIP Priority

• QoS enabled on all switches
• DSCP marking: EF (46) for voice
• Separate VLAN prevents broadcast storms affecting calls
• PoE powers IP phones directly

Security Implementation

Firewall Rules (pfSense)

Default Policy: Deny all, allow specific

Allowed Traffic:

• VLAN 10 (Tech) → All VLANs (support needs access)
• VLAN 20 (Customer Service) → VLAN 50 (VoIP)
• VLAN 30 (Management) → VLAN 100 (Servers)
• VLAN 40 (Finance) → VLAN 100 (File server only)
• All VLANs → Internet (with content filtering)
• Guest VLAN → Internet only (isolated from internal)

Blocked Traffic:

• Guest → Any internal VLAN
• Finance → Internet (except specific banking sites)
• All → Management VLAN (except Tech)

WiFi Security

• WPA3-Enterprise with RADIUS
• Per-VLAN SSIDs
• MAC address filtering on management SSID
• Guest WiFi: WPA2 with daily password rotation

Performance Tuning

QoS Configuration

Priority levels:

1. VoIP (VLAN 50) - 30% bandwidth guarantee
2. Management (VLAN 30) - 20% guarantee
3. Customer Service (VLAN 20) - 25% guarantee
4. Technical (VLAN 10) - 15% guarantee
5. Guest (VLAN 200) - Best effort (10% max)

Bandwidth Management

• Total: 100Mbps down / 50Mbps up
• Per-user limit: 10Mbps down / 5Mbps up (except management)
• Video conferencing: Prioritized, up to 20Mbps
• File downloads: Shaped to prevent saturation

Monitoring & Maintenance

What I Monitor

Real-time:

• Switch port status (SNMP)
• Bandwidth utilization per VLAN
• VoIP call quality (jitter, packet loss)
• Firewall connection count

Daily:

• Internet uptime
• DHCP lease usage
• Failed login attempts
• Backup completion

Weekly:

• Firmware updates check
• Configuration backups
• Log review for anomalies

Maintenance Schedule

• Daily: Check monitoring dashboard
• Weekly: Review logs, test failover
• Monthly: Firmware updates, clean switch fans
• Quarterly: Physical inspection, cable management

Lessons Learned

What Worked Well

1. Separate VoIP VLAN - No call quality issues even during heavy data transfer
2. Guest network isolation - Prevented several potential security issues
3. Dual WAN - Saved us 3 times when primary fiber had issues
4. Management VLAN - Could access switches even when other VLANs had issues

What I’d Do Differently

1. Better cable labeling - Spent hours tracing cables during troubleshooting
2. Redundant core switch - Single point of failure I didn’t catch in design
3. Larger IP ranges - VLAN 40 almost ran out of IPs during expansion
4. More AP capacity - Had to add 2 more APs when user density increased

Common Issues & Fixes

Issue: VoIP calls dropping randomly
Cause: Switch spanning tree causing brief network loops
Fix: Enabled RSTP, configured edge ports properly

Issue: Slow internet for all users
Cause: One user downloading large files saturating link
Fix: Implemented per-user bandwidth limits

Issue: Guest WiFi not working
Cause: Firewall blocking DNS requests
Fix: Added DNS allow rule for guest VLAN

Configuration Files

See configs/enterprise-office/ for:

• MikroTik router configuration (.rsc)
• pfSense firewall rules (XML)
• Switch VLAN configurations
• UniFi WiFi settings (JSON)

Diagram Files

• topology.drawio - Editable source (open in diagrams.net)
• topology.svg - Web-friendly vector graphic
• topology.png - High-resolution diagram for documentation

---

*Deployed: June 2021

Last updated: January 2026*

This site is open source. Improve this page.