First let me give an overview of my current design and my intentions, so I can be corrected if there's an easier way:
I currently have a LAN with all of the machines connected via 3 switches (Olicom 8720 layer 3, Catalyst 2924, and Catalyst 3548). The Olicom is the first switch in line, and the two Ciscos are connected beneath it. I have roughly 40 machines connected to the 3 switches combined, all sharing the same subnet (10.0.0.128/25 with gateway 10.0.0.129). What I'm hoping to do is break the network up into multiple smaller subnets so that I can put a Linux machine between the Olicom and the rest of the switches to act as a passive bridge firewall (for the purpose of throttling/examining traffic). I've been told that breaking the network up into VLANs, and using the Olicom switch as a router, will solve my problem.
First, I planned out my subnets:
VLAN1 - 10.0.0.240/28 [10.0.0.240 -> 10.0.0.255], gateway: 10.0.0.241, broadcast: 10.0.0.255
VLAN2 - 10.0.0.192/27 [10.0.0.192 -> 10.0.0.223], gateway: 10.0.0.193, broadcast: 10.0.0.223
VLAN3 - 10.0.0.224/28 [10.0.0.224 -> 10.0.0.239], gateway: 10.0.0.225, broadcast: 10.0.0.239
VLAN4 - 10.0.0.128/26 [10.0.0.128 -> 10.0.0.191], gateway: 10.0.0.129, broadcast: 10.0.0.191
Next, a few of the existing servers need IP changes because they fall on subnet boundaries (network, gateway, or broadcast IPs), so I'll be sure to clear all of those up. I also know that I'll need to define specifically which ports on each switch will belong to which VLAN, and I'll need to update the subnet masks currently defined on the servers to match their appropriate VLANs (right now they're all 255.255.255.128). In addition, I need to turn the switch ports that connect each switch into trunk ports, so they will carry all VLAN traffic. Once I have the network split into VLANs and things are running properly, then I'm planning on introducing the passive bridge firewall via a Linux box with dual ethernet interfaces.
The setup I'm hoping to use is: Olicom -> Linux firewall -> Catalyst 2924 -> Catalyst 3548
I'm aware that with that setup there will be no redundancy in my topography - if the Linux machine or the 2924 goes out, the 3548 will go with it; however, I don't think it would work any other way. If I hooked both Catalysts up directly to the Olicom then I would only be able to put the firewall in between one of them, and I could only monitor that portion of the traffic.
So here's my question - are there any inherent design flaws with the plan laid out above? I've done lots of reading and self-learning on Cisco's IOS, switching capabilities, subnets, etc., so I think I have a good idea of how things work - but I have 0 experience actually implementing those technologies. Is there an easier way? Is there some way to achieve a redundant topography while still preserving the ability to monitor 100% of VLAN traffic? What type of configuration will I need to do on the Linux machine in order to handle the VLAN traffic? I anticipate using the iproute2 utilities to set up the bridge and configure my traffic shaping, but is there something special that needs to be done since the machine will be connected via trunk ports? Also, what would be the best method for deploying these changes in a production environment? Should I set up the VLANs on the switches first, or should I change the machines' subnet masks first? Will either method allow them to continue serving internet traffic during the migration? Thanks in advance!
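The re-addressing step in the plan above (finding the servers that land on a network, gateway or broadcast address once the /25 is split) is easy to get wrong by hand, and an overlap or gap between the new subnets would only show up as hosts silently losing their gateway. The script below is an added example, not part of the original post: it takes the four VLAN subnets from the plan, checks that they are disjoint and exactly tile 10.0.0.128/25, derives each VLAN's gateway using the post's convention (first usable host) and broadcast, and reports which hosts must be renumbered. The host list is constructed for illustration and is not the poster's real inventory.

```python
"""Validate a VLAN/subnet re-addressing plan before touching switch configs.

Added example (not from the original post). Checks that the planned VLAN
subnets tile the existing /25 without overlap, derives each VLAN's gateway
(first usable host, as in the plan) and broadcast address, and flags server
IPs that would sit on a network, gateway or broadcast address after the split.
"""
import ipaddress

# Existing flat network from the post.
OLD_NET = ipaddress.ip_network("10.0.0.128/25")

# Planned VLANs from the post (name -> CIDR).
VLAN_PLAN = {
    "VLAN1": "10.0.0.240/28",
    "VLAN2": "10.0.0.192/27",
    "VLAN3": "10.0.0.224/28",
    "VLAN4": "10.0.0.128/26",
}

# Constructed sample of existing server addresses (hypothetical, not from the post).
SAMPLE_HOSTS = ["10.0.0.130", "10.0.0.191", "10.0.0.193",
                "10.0.0.200", "10.0.0.224", "10.0.0.250"]


def describe_vlans(plan):
    """Return {name: (network, gateway, broadcast)}; gateway = first usable host."""
    out = {}
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr, strict=True)  # rejects a host bit set in the prefix
        gateway = net.network_address + 1
        out[name] = (net, gateway, net.broadcast_address)
    return out


def check_plan_covers(plan, old_net):
    """True if the VLAN subnets are pairwise disjoint and together cover old_net exactly."""
    nets = [ipaddress.ip_network(c) for c in plan.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    if not all(n.subnet_of(old_net) for n in nets):
        return False
    # Disjoint subnets inside old_net whose sizes add up to old_net tile it exactly.
    return sum(n.num_addresses for n in nets) == old_net.num_addresses


def classify_host(ip, plan):
    """Return (vlan_name, problem). problem is None if the host can keep its address,
    'network'/'gateway'/'broadcast' if it collides with a reserved address,
    or 'unassigned' (with vlan_name None) if no planned VLAN contains it."""
    addr = ipaddress.ip_address(ip)
    for name, (net, gateway, bcast) in describe_vlans(plan).items():
        if addr in net:
            if addr == net.network_address:
                return name, "network"
            if addr == gateway:
                return name, "gateway"
            if addr == bcast:
                return name, "broadcast"
            return name, None
    return None, "unassigned"


def hosts_needing_change(hosts, plan):
    """List (ip, vlan, problem) for every host that cannot keep its current address."""
    result = []
    for host in hosts:
        vlan, problem = classify_host(host, plan)
        if problem is not None:
            result.append((host, vlan, problem))
    return result


if __name__ == "__main__":
    print("plan tiles", OLD_NET, "exactly:", check_plan_covers(VLAN_PLAN, OLD_NET))
    for name, (net, gw, bc) in describe_vlans(VLAN_PLAN).items():
        print(f"{name}: {net} mask {net.netmask} gateway {gw} broadcast {bc}")
    for host, vlan, problem in hosts_needing_change(SAMPLE_HOSTS, VLAN_PLAN):
        print(f"renumber {host}: it is the {problem} address of {vlan}")
```

Run it with the real server list substituted for SAMPLE_HOSTS before changing any switch port assignments; the printed netmask per VLAN is also the value each server's 255.255.255.128 mask has to be changed to.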