Solved

VLAN DESIGN WITH CISCO SG300's, DELL 5524's and a Sonicwall NSA3600

Posted on 2014-01-27
Last Modified: 2016-11-23
Working on a VLAN design; we currently do not have any VLANs deployed. Set up a couple of VLANs in a test environment in Layer 2 mode and created a trunk to the Sonicwall, creating the zones and subinterfaces on the Sonicwall. Got that working fine, but moving forward I have several questions.
Here is a glimpse of our environment:
2 - Dell 5524 switches
2 - Cisco SG300 switches
1 - Sonicwall NSA3600
1 - Sonicwall Pro 3060 (test environment right now)
2 - Hyper-V servers running 4 Virtual machines each.
       - Domain Controllers
       - Exchange
       - WEB Server
       - Public Reservation system which Staff has to access
       - Adding 20 IP cameras so, will need VM to run management and recording software

Want to separate the Public LAN from the Staff LAN and am torn between running two separate AD domains or just separating by VLANs. The problem is the management and that they share some resources such as printers, so that is the first question. Here are my questions for now, anyway:

1.  Should I put the Staff and Public LANs on their own AD domains or just separate with VLANs?
2.  Once I set up VLANs, can I still use dumb switches in the config (eventually want to eliminate, but need for now)?  In other words, can I mix and match, or is it VLANs or not?
3.  How should I address the shared printers or other resources, maybe through the Sonicwall with access policies?
4. Do I leave the switches in Layer 2 mode and let the Sonicwall do all the routing?
5. Does it make sense to incorporate our backup Sonicwall into the configuration at all?
6. VLANs by their very nature block all broadcast traffic - is that a correct assumption even if there is inter-VLAN routing between subnets?
Would appreciate any input!
Thanks Experts
Question by:Webcc
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39813157
1.  Should I put the Staff and Public LANs on their own AD domains or just separate with VLANs?

By public, do you mean guest VLAN? If so, what purpose would guest need AD? If they do, I would def use a separate domain.

2.  Once I set up VLANs, can I still use dumb switches in the config (eventually want to eliminate, but need for now)?  In other words, can I mix and match, or is it VLANs or not?


You can use dumb switches with VLANs; just know that the port they uplink to designates what VLAN that entire dumb switch is on, so if you uplink the switch to an access port that is on VLAN 100, the entire dumb switch will be on VLAN 100.

3.  How should I address the shared printers or other resources, maybe through the Sonicwall with access policies?


You could put the shared resources on their own VLAN and then create policies for the staff network to access them and for the guest network to access them, while not allowing either network to talk to the other. Regardless, I don't think allowing guests to share resources with staff is a good idea. Say, for example, sensitive documents printing to the same printer as a visitor's. NOT GOOD!


4. Do I leave the switches in Layer 2 mode and let the Sonicwall do all the routing?

If your switches are able to do routing, I would set them up to do all of the VLAN routing and have the Sonicwall only handle traffic in and out to the internet/WAN.

5. Does it make sense to incorporate our backup Sonicwall into the configuration at all?


I don't see a purpose in your current situation, unless you wanted another point of packet inspection and/or routing.


6. VLANs by their very nature block all broadcast traffic - is that a correct assumption even if there is inter-VLAN routing between subnets?


Yes, VLANs contain broadcasts within them.
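As an added illustration of points 2, 3 and 4 of the accepted answer (this is not configuration from the thread or from Cisco's documentation): one SG300 switched to Layer 3 mode does the inter-VLAN routing, an access port feeds an unmanaged switch, and an ACL lets the public VLAN reach the printer VLAN but not the staff VLAN. VLAN IDs, addresses, port numbers and the ACL name are assumptions chosen for illustration, written in the SG300's IOS-like CLI; check each command against the CLI guide for your firmware before use.

```cisco
! Added example, not from the thread. All VLAN IDs, subnets and ports are
! assumptions. "set system mode router" reboots the SG300 and clears its
! running config, so do this before the rest of the build-out.
set system mode router
configure
! Staff, public and a separate VLAN for the shared printers.
vlan database
 vlan 10,20,30
exit
! One SVI per VLAN: the switch is the default gateway for each subnet.
interface vlan 10
 name Staff
 ip address 192.168.10.1 255.255.255.0
exit
interface vlan 20
 name Public
 ip address 192.168.20.1 255.255.255.0
exit
interface vlan 30
 name Printers
 ip address 192.168.30.1 255.255.255.0
exit
! Trunk to the second switch carries all three VLANs tagged.
interface gi1
 switchport mode trunk
 switchport trunk allowed vlan add 10,20,30
exit
! Public may print, may not reach staff, may reach everything else (WAN).
! First match wins, so the printer permit sits above the staff deny.
ip access-list extended PUBLIC-IN
 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
exit
! Access port feeding an unmanaged (dumb) switch: every device behind it
! lands in VLAN 20, since an access port carries exactly one VLAN. The ACL
! is bound inbound here so it is evaluated before the switch routes.
interface gi2
 switchport mode access
 switchport access vlan 20
 service-acl input PUBLIC-IN
exit
! Default route to the Sonicwall; assumes the switch's VLAN 1 address and the
! Sonicwall's LAN interface share 192.168.1.0/24.
ip route 0.0.0.0 0.0.0.0 192.168.1.254
exit
```

With routing on the switch, the Sonicwall no longer needs per-VLAN subinterfaces; it needs static routes for 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 pointing back at the switch's VLAN 1 address, otherwise return traffic from the WAN has no path.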

Author Comment

by:Webcc
ID: 39813355
Thanks Soulja!

We are an educational environment, so the public can come in and use designated computers and peripherals.  We have reservation software to control usage, which the staff must access.  That is all web-based software, so I can easily share that between the two groups.  Just a couple of printers I will have to plan for.  The staff only use the color printers, and very infrequently, but still need to have access.

I agree about setting up a separate AD domain for Public; now that we have the hardware, I'm going to make that a priority.

Thanks again and if you don't have anything else to add I will close out with high marks.
LVL 26

Expert Comment

by:Soulja
ID: 39813366
Glad to help!

Author Closing Comment

by:Webcc
ID: 39813399
Very informative and precise.