VLANs - split Head Office based on departments/floors in building

andoss
My company is currently working on splitting our Head Office network into separate VLANs based on floors in the building. There are a number of reasons behind the need to do this, i.e. reduce broadcast traffic on the LAN, allow proper failover on our core switches, tighten security by reducing network access. There are networking guys involved in this so I'm not expecting a full networking plan or anything on how to do it.

I just have a few questions regarding how this change will affect our setup.

1. DHCP - we currently have one DHCP range giving out IPs to the entire subnet (255.255.255.0). With the new VLANs we will need 4 DHCP ranges (one per VLAN) and users will receive IPs based on which router (depending on level) they connect through.
I figure I can just create the 4 different ranges and users will receive the IP to suit the router they connected on (floor).
Any holes in my understanding here, or does that sound correct?

2. Reserved IPs - only one VLAN/floor will have a dynamic range; all other machines will have reserved addresses. So if a user from Level 2 plugs their laptop into Level 3 (no dynamic range) they won't receive an IP, as they aren't assigned a reserved IP address from that range/VLAN.
Again, is my thinking here correct?
If so, is there a way around this? We would like a user to be able to move around the building and still access their normal resources (as they currently can), yet we need the VLANs implemented.

Complicated questions, but I'm just looking for some suggestions/comments as we are getting contractors in to help out; I just want to be prepared a bit beforehand. We use AD DHCP and currently have just the one range assigning reserved and dynamic IPs to anyone no matter their location in the building.

Commented:
Hiya,

I think no. 1 seems alright enough, but no. 2 seems a bit...

For no. 2, are you hoping to prevent people from one floor connecting to the network on other floors? If not, then when a person from one floor connects on another floor, an IP from the IP range for that floor is issued. This is useful in situations where this person might want to print documents and would be able to see printers and other resources on the floor.

Reserving IPs would mean screening IP requests based on the MAC address of machines; to me this would be unnecessary unless for some serious security reason you wish it so.


Author Commented:
Yeah, we use reserved addresses so we can provide firewall access to servers etc. for specific staff or departments.
By using different VLANs we can set firewall rules for the entire department instead of individual IPs. It also means we can lock down access more as well, as we can deny a certain VLAN from accessing certain services.

So for #2 what we want is for a user to be able to move to different meeting rooms etc. throughout the building and yet still have the same network access they would on their normal floor. I just don't know how this could be possible though, as the DHCP assignment is going to be based on the router they connected through?

Commented:
What you are trying to achieve is quite easy: with the use of logon scripts attached to user profiles, they will have access to the same resources irrespective of what VLAN they are on.

It doesn't matter what the IP address of the machine is, or what VLAN, as long as they are all managed by the same domain controller or are within the same domain.

A domain could have different VLANs or IP ranges.

The user would have to authenticate against your AD and then have all network storage or resources mapped through logon scripts to their profile.

This is a scenario from a live work environment.

Author Commented:
No, sorry, I don't think I mentioned that most of the access is reliant on the user having the correct IP, as we open it on the firewall. So obviously if they move to a different level they'll be in a different VLAN and won't have the correct firewall rules.

So basic services like file services/AD and print will be fine for everyone, as we don't lock this down.
But different departments have different access to various servers, whether it's RDP access to a server or an application specific to them. I can't think of a way for them to be able to move to a different level and still retain access.
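As an added illustration (this is not part of the thread and not the poster's configuration), the Python simulation below models the mechanism behind questions 1 and 2 and the firewall point above: the DHCP server picks a scope from the relay agent address (giaddr) that the floor router stamps on a forwarded request, a reservation lives in one scope only, so a reservation-only scope on another floor has nothing to hand an unknown MAC, and a firewall rule written against a reserved /32 or a department /24 stops matching once the same laptop leases from another floor's range. All subnets, MAC addresses, relay addresses and service names are constructed for the example.

```python
"""Constructed model: DHCP scope selection by relay address, per-scope
reservations, and IP-keyed firewall rules followed across a building."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Scope:
    name: str
    network: IPv4Network
    dynamic_pool: List[IPv4Address]                 # empty list => reservation-only scope
    reservations: Dict[str, IPv4Address] = field(default_factory=dict)  # MAC -> address
    leased: Dict[str, IPv4Address] = field(default_factory=dict)


class DhcpServer:
    """Minimal model of how one DHCP server serves several floor VLANs."""

    def __init__(self, scopes: List[Scope]):
        self.scopes = scopes

    def scope_for(self, giaddr: str) -> Optional[Scope]:
        # The floor router's DHCP relay stamps the request with its own interface
        # address (giaddr); the server answers from the scope containing it.
        relay = IPv4Address(giaddr)
        return next((s for s in self.scopes if relay in s.network), None)

    def lease(self, mac: str, giaddr: str) -> Optional[IPv4Address]:
        scope = self.scope_for(giaddr)
        if scope is None:
            return None                       # no scope for that VLAN: request ignored
        if mac in scope.leased:
            return scope.leased[mac]
        if mac in scope.reservations:
            addr = scope.reservations[mac]    # a reservation only counts in its own scope
        elif scope.dynamic_pool:
            addr = scope.dynamic_pool.pop(0)
        else:
            return None                       # reservation-only scope, unknown MAC: no lease
        scope.leased[mac] = addr
        return addr


@dataclass
class Rule:
    source: IPv4Network   # /32 for one reserved address, /24 for a whole department VLAN
    service: str


def firewall_allows(rules: List[Rule], src: Optional[IPv4Address], service: str) -> bool:
    if src is None:
        return False                          # no lease, no traffic at all
    return any(src in r.source and r.service == service for r in rules)


def build_server() -> DhcpServer:
    # Constructed layout matching the question: only Level 1 has a dynamic range.
    return DhcpServer([
        Scope("Level 1", IPv4Network("10.0.1.0/24"),
              dynamic_pool=[IPv4Address(f"10.0.1.{h}") for h in range(100, 110)]),
        Scope("Level 2", IPv4Network("10.0.2.0/24"), dynamic_pool=[],
              reservations={"00:11:22:33:44:55": IPv4Address("10.0.2.50")}),
        Scope("Level 3", IPv4Network("10.0.3.0/24"), dynamic_pool=[],
              reservations={"00:11:22:33:44:66": IPv4Address("10.0.3.50")}),
        Scope("Level 4", IPv4Network("10.0.4.0/24"), dynamic_pool=[]),
    ])


# Constructed rule set: basic services open to every floor, one rule per
# department VLAN, one rule tied to a single reserved address.
RULES = [
    Rule(IPv4Network("10.0.0.0/16"), "file-print"),
    Rule(IPv4Network("10.0.2.0/24"), "finance-app"),
    Rule(IPv4Network("10.0.2.50/32"), "rdp-server"),
]


def roaming_scenario() -> Dict[str, Dict[str, object]]:
    """Follow one Level 2 laptop (MAC ...:55) as it plugs in on three floors."""
    server = build_server()
    mac = "00:11:22:33:44:55"
    results: Dict[str, Dict[str, object]] = {}
    for floor, giaddr in (("Level 2", "10.0.2.1"), ("Level 3", "10.0.3.1"), ("Level 1", "10.0.1.1")):
        addr = server.lease(mac, giaddr)
        results[floor] = {
            "address": str(addr) if addr else None,
            "file-print": firewall_allows(RULES, addr, "file-print"),
            "finance-app": firewall_allows(RULES, addr, "finance-app"),
            "rdp-server": firewall_allows(RULES, addr, "rdp-server"),
        }
    return results


if __name__ == "__main__":
    for floor, outcome in roaming_scenario().items():
        print(floor, outcome)
```

Running it shows the three outcomes the thread is circling: on its home floor the laptop gets its reservation and every rule matches; on Level 3 (reservation-only, MAC unknown there) it gets no lease and therefore nothing; on Level 1 it gets a dynamic address, so the open file/print rule still matches but the department and per-host rules do not.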

Commented:
OK, this complicates things even more.

If a user takes his laptop to another VLAN and gets an IP, he has access to regular services, right? (files, print, etc.) But because certain ports are VLAN specific, he might not be able to run certain apps cos the required ports would have been blocked?

The only thing that comes to mind quick enough is to use remote desktop, where a user remotely logs onto another machine (either physical or virtual) in another VLAN where the app works.
Commented:
Yeah, that's the problem in essence; however, we only want Level 1 to have a dynamic range, so basically if a user goes from Level 2 to Level 3 they wouldn't be able to access anything at all.

Maybe it's just a flaw in having security so tightly locked down :/

One solution we thought of was setting up a wireless VLAN for staff which connects to a second DHCP server. On that DHCP server we can give users the reserved address they would normally get when on their level in the building. That way roaming users would have to use wireless to access their normal resources, and the wireless is still secured as it's locked down to MAC addresses.
Messy from an admin overhead perspective, but does get the job done....

No one else has other suggestions?
