VLANs and Inter-VLAN Routing

OK, so here's my setup: I have a small network of around 70 PCs and 6 servers, some network printers and a SonicWall firewall that acts as my gateway for internet access and site-to-site VPNs for users.

Now I have a dept that I would like to segregate from the LAN. I still want this segment to access my servers and use the SonicWall for internet and VPN traffic.

I have thought of using a VLAN to do this, so in my simple view all I need to do is:
1) create a VLAN on my Cisco switch
2) assign all the devices I want to segregate to ports in that VLAN
3) buy a Cisco router and configure inter-VLAN routing so the VLAN can talk to my own LAN

Now this is where I have the problem:
1) obviously my two networks are now on different subnets; how does the new VLAN access the internet?
2) how will the VLAN subnet get access to VPN tunnels like they do now on the main LAN?
3) how will the new VLAN get IP addresses from my Windows DHCP server as they do currently under the single LAN?
4) I have everything on a gig network; if I add a 100MB connection router into the mix for VLAN routing, will that slow the network communication down any?

You will not need to buy a second router if your SonicWall firewall is capable of VLANs/subinterfaces. What model is your SonicWall?

The second network will route through the SonicWall to the internet just as it does now, except from a different network.

You will have to allow access from your VPN zone to the desired subnets/VLANs (you will add the new subnet/VLAN to the address object group).

The only thing I don't do with this scenario is route DHCP requests, but I believe all you will have to do is either create a DHCP scope for the second LAN on the SonicWall device, or create another scope on your server and allow DHCP requests/traffic between the server on LAN A and all hosts on LAN B.

You won't need to add a 100Mb router, so don't sweat that. Even if you did, I have over 800 hosts and still only hover around 25Mb direct to my firewall; I don't have any client/server connection that uses more than 100Mb even though it's available. Now server/server is another story.

Hope that helps.

How the second LAN will get its internet is by using the subinterface created on the SonicWall (assuming it's able), for example:

Subinterface A IP 192.x.2.1 mask
Subinterface B IP 192.x.3.1 mask

host on subinterface A: IP 192.x.2.x mask, default gateway 192.x.2.1
host on subinterface B: IP 192.x.3.x mask, default gateway 192.x.3.1

With this setup the two LANs are segmented and you can control the traffic between the two with the zones/firewall of the SonicWall.

Hope that helps
kingcastleAuthor Commented:
Ah I see, excellent answer, so to clarify:

I fancied using a Cisco 2600 router for this VLAN routing; I just wanted to keep all the switches/VLANs on Cisco kit. Will this cause me any problems?

So I won't have to change anything on my main LAN IP-wise? I mean I can leave those users happily working away; it's just the VLAN users whose IPs will change?

If this is the case, and currently my SonicWall Pro2040 is the internet gateway for all devices, when the VLAN IP range changes and I point VLAN users to the new IP and default gateway that was created on a subinterface on the Cisco router, how do these PCs get to the internet/VPN?

If I use the Cisco, do I need to configure RIP routing on the router, or is simply creating the subinterfaces enough?


I think I am a little confused on your network design.

My thought was:

INTERNET <--------------> PUBLIC IP [SonicWall] LAN IP <--------------> Hosts

Please clarify so I don't give a more confusing network layout.

Assuming that your Cisco is not purchased/in production:

That is correct, the hosts that are currently in the default VLAN (VLAN1) will remain as they are and will require no changes.

So for this example, let's say that your existing LAN (VLAN1) has the subnet ( with a gateway of

So on your SonicWall Pro 2040:
1. Create a zone and call it "Dept 'X'" ('X' will be the dept segmented).
2. Create a subinterface and attach it to interface X0 (your existing LAN is on X0, which it is by default).
3. Adjust the firewall settings to block/allow the traffic desired to/from LAN <> DEPT X, DEPT X <> WAN and DEPT X <> VPN.
4. Configure all switches needed to allow the VLAN to propagate to the ports needed for hosts in dept 'X'.
5. Test.

Choose a private IP range that is unlikely to cause you grief with site to site VLANs with another site using the same subnet, so I typically stay away from the 192.x.x.x. But for this example let's just use for the subinterface (VLAN20). You will then have to create VLAN 20 on all your switches that you want the 192.168.2.x (VLAN20) to traverse.

This scenario will only work if all of your switches are managed switches that support VLAN trunking.

All the hosts in VLAN20 (192.168.2.x subnet) will use as their gateway.

Hope this is helpful.

I had a pair of PRO 2040s and the only reason we upgraded was the limit of site-to-site VPNs and subinterfaces.

If you ever need a spare I've got a couple I'd sell you.
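As an added example (not posted by anyone in this thread), here is the switch-side IOS configuration that matches the suggested design: VLAN 20 for the segregated department, access ports for its hosts, and an 802.1Q trunk toward the SonicWall X0 port so the X0:V20 subinterface can route for it. The interface names, the port ranges, the VTP domain name and the 192.168.2.1 gateway are assumptions.

```cisco
! Added example: Catalyst IOS configuration for the design suggested above.
! Assumptions: Gi0/1 uplinks to SonicWall X0, Fa0/10-20 serve Dept X hosts,
! and the 192.168.2.0/24 gateway is the SonicWall X0:V20 subinterface.
!
! VTP (mentioned above) pushes the VLAN definition to the other switches;
! this switch is the server, the rest run "vtp mode client".
vtp domain KINGCASTLE
vtp mode server
!
vlan 20
 name DEPT_X
!
! Everything else stays on the default VLAN 1; only Dept X moves to VLAN 20.
interface range FastEthernet0/10 - 20
 description Dept X hosts (192.168.2.x, gw = SonicWall X0:V20)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Trunk to the SonicWall X0. VLAN 1 stays untagged (native) so the existing
! LAN keeps working unchanged; VLAN 20 is carried tagged to the X0:V20
! subinterface. Limiting the allowed list keeps other VLANs off this link.
! (Omit the encapsulation line on 2950/2960-class switches, which only do dot1q.)
interface GigabitEthernet0/1
 description Trunk to SonicWall X0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
!
! Inter-switch trunks carry the same two VLANs to the other Cisco switches.
interface GigabitEthernet0/2
 description Trunk to next switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,20
```

Check the result with `show vlan brief` and `show interfaces trunk`. Because DHCP broadcasts do not cross the routed boundary on their own, the Windows DHCP server on VLAN 1 only serves VLAN 20 hosts if the SonicWall relays them (its IP Helper feature) or if a scope is created on the SonicWall itself, as noted above.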


kingcastleAuthor Commented:
OK, brilliant answer, and to clarify, the network is as follows.

internet ------ public IP SonicWall --- LAN hosts

Now what I want is:

internet ---- public IP SonicWall ------ existing LAN, no changes
                                         new VLAN
interconnected via the purchased Cisco 2600 router. My understanding is that the newly created VLAN PCs will have to use the subinterface of the 2600 as their default gateway. Where does that leave me in terms of getting that VLAN internet access/VPN access? I mean, do I still need the subinterface on the SonicWall and then somehow route traffic for the web/VPN from the 2600 to the SonicWall?

Also, if you would stay away from the 192 range, what would you suggest?

I like to use the 172.x.x.x range or the 10.x.x.x range. You can use the 192.168.x.x if you like, but I would stay away from 192.168.1.x - 192.168.20.x.

Here are the private addresses available to use. - - -

In my suggested scenario, you will not need a Cisco router; the SonicWall will do all your routing for you. What you will need is a switch environment that supports VLANs. Adding a Cisco router would only make your environment more (and unnecessarily) complex.

What brand/model switches do you have?

kingcastleAuthor Commented:
We have all Cisco switches and already got the router to do this job, so the boss wants it in the loop.

Any ideas?

What is it that your boss is looking to get out of the Cisco router? You have the hardware you need to get the job done. All of your Cisco switches can support the VLANs that you want; be sure to bone up on VTP and get that set up to make easy work of VLANs.

If your boss wants the router in the mix, I would power it up and let him look at the lights on it... honestly, your environment doesn't need it.

If I were going to add any complexity, I would get a core Cisco switch and do your routing there, but that is only one thing I would do if I were going to be a 1000-plus node environment.

Sorry you're getting pushback from the higher-ups...

Good luck.

If your boss really wants a Cisco router in place, I would recommend replacing your Pro2040 with an ASA 5510 or ASA 5520...
kingcastleAuthor Commented:
Do you use the 172.x.x with the default subnet, i.e.

kingcastleAuthor Commented:
I think the boss just wants the Cisco doing the VLAN routing and the SonicWall doing the internet/VPNs.
You can use your Cisco router as the internal router, but it is WAY overkill.

I'm afraid that I don't know the correct commands to create the interfaces and VLANs on the Cisco router.

Do you have a 3750 or a core switch?

If you have a layer 3 switch, that could do your routing if your boss doesn't want the SonicWall doing the routing.

Just curious, does your boss have any LAN/WAN experience?
