I'm having difficulties trying to determine what the ideal logical network segmentation of our campus should be. I'd like any advice on what we should aim for.
Our campus is composed of 15 buildings. For the purposes of this question, each building has a Layer 2 10/100 Cisco Network Switch (this will be the case soon, but right now some places still have hubs). Each switch is connected by fiber to a central Layer 2 10/100 Cisco Switch in a central building.
All of our servers (file, mail, web, domain, etc) are also in one location, and they are connected to a switch which then is connected by fiber to the central switch.
The central switch is then connected to our firewall, which is a SonicWall Pro 3060. The firewall provides content filtering, gateway antivirus and anti-spyware, and other protection and is connected to our T1 line.
Though our network is physically separate and the switches provide for segmentation of collision domains at a Layer 2 level, the network is logically one big IP range. Every device is in the same broadcast domain. However, there are at most 250 devices on the network.
Recently, we thought that it may be beneficial to try to segment the network logically so that there would not be one large IP broadcast domain. The way we chose to do this was by using the firewall.
Our SonicWall Pro 3060 has 4 interfaces in addition to the primary LAN and primary WAN ports. We configured it so that each of those 4 interfaces was connected to a section of the network. Each section had 50 - 100 computers in it. We left the servers on the "Primary LAN" interface, which made for a total of 5 segments. Each segment had its own IP range, and DHCP is provided by the firewall.
However, it seems that this reconfiguration may not have been a good change. I've learned that segmenting the network in this fashion just makes more work for the computers, because they now have to pass through the firewall every time they want to reach any of the servers, which was not the case before when they were all on one flat network connected by a central switch.
I've thought that perhaps what I may need to do is obtain a Layer 3 switch and use that to segment the network instead of the firewall, but perhaps the network does not need IP segmentation. With so few devices, perhaps a single broadcast domain is not an issue.
I'd really like some insight from someone who is more of an expert at this than I am. Any help would be appreciated, and if this doesn't make sense, I can certainly provide more information.
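For comparison with the firewall-based layout described in the question, here is an added example (not posted by the asker and not the site's configuration) of what the Layer 3 switch alternative mentioned above looks like on a Catalyst 3560-class switch: one VLAN per building and one for the servers, inter-VLAN routing on the switch, DHCP relayed to a server, and the SonicWall reduced to the Internet gateway. VLAN numbers, the 10.1.x.0/24 addressing, the interface names, the DHCP server address and the ACL are all assumptions for illustration.

```cisco
! Added example: core Layer 3 switch replacing the SonicWall as the inter-segment router.
! All VLAN IDs, addresses and port names are assumed, not taken from the question.
hostname core-l3
ip routing
!
vlan 10
 name Servers
vlan 20
 name Building-A
vlan 30
 name Building-B
!
! Routed interface (SVI) per segment; clients use it as their default gateway.
interface Vlan10
 description Server segment
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 description Building A clients
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.10.10        ! assumed DHCP server on the server VLAN
 ip access-group CLIENTS-IN in
!
interface Vlan30
 description Building B clients
 ip address 10.1.30.1 255.255.255.0
 ip helper-address 10.1.10.10
 ip access-group CLIENTS-IN in
!
! Fiber uplinks to the Layer 2 building switches; each building's access ports sit in its own VLAN.
interface GigabitEthernet0/1
 description Fiber to Building A switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20
!
interface GigabitEthernet0/2
 description Fiber to Building B switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 30
!
interface GigabitEthernet0/3
 description To server switch
 switchport mode access
 switchport access vlan 10
!
! Point-to-point routed link to the SonicWall LAN port; the firewall only sees Internet-bound traffic.
interface GigabitEthernet0/24
 description Uplink to SonicWall Primary LAN
 no switchport
 ip address 10.1.0.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! Client VLANs may reach the servers and the Internet but not each other.
ip access-list extended CLIENTS-IN
 permit udp any eq bootpc any eq bootps
 permit ip any 10.1.10.0 0.0.0.255
 deny   ip any 10.1.0.0 0.0.255.255
 permit ip any any
```

With this layout client-to-server traffic is routed in hardware on the switch instead of being pushed through the firewall, which addresses the slowdown noted in the question; the SonicWall keeps its role for the T1 link and content filtering, and it needs a static route for 10.1.0.0/16 (or whatever range is chosen) pointing back at 10.1.0.2. The access-list is where the segmentation earns its keep: without it, a Layer 3 switch simply reproduces the single flat network with smaller broadcast domains.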