Solved

VLAN DESIGN WITH CISCO SG300's, DELL 5524's and a Sonicwall NSA3600

Posted on 2014-01-27
866 Views
Last Modified: 2016-11-23
Working on a VLAN design, we currently do not have any VLANs deployed.  Set up a couple of VLANs in a test environment in Layer 2 mode and created a trunk to the Sonicwall, creating the zones and subinterfaces on the Sonicwall.  Got that working fine, but moving forward have several questions.
Here is a glimpse of our environment:
2 - Dell 5524 switches
2 - Cisco SG300 switches
1 - Sonicwall NSA3600
1 - Sonicwall Pro 3060 (test environment right now)
2 - Hyper-V servers running 4 Virtual machines each.
       - Domain Controllers
       - Exchange
       - WEB Server
       - Public Reservation system which Staff has to access
       - Adding 20 IP cameras so, will need VM to run management and recording software

Want to separate the Public LAN from the Staff LAN and am torn between running two separate AD domains or just separating by VLANs.  Problem is the management and that they share some resources such as printers so, that is the first question.  Here are my questions for now anyway:

1.  Should I put the Staff and Public LANs on their own AD domains or just separate with VLANs?
2.  Once I setup VLANs can I still use dumb switches in the config (eventually want to eliminate but need for now)?  In other words, can I mix and match or is it VLANs or not?
3.  How should I address the shared printers or other resources, maybe through the Sonicwall with access policies?
4. Do I leave the switches in Layer 2 mode and let the Sonicwall do all the routing?
5. Does it make sense to incorporate our backup Sonicwall into the configuration at all?
6. VLANs by their very nature block all broadcast traffic - correct assumption even if there is inter-VLAN routing between subnets?
Would appreciate any input!
Thanks Experts
Question by: Webcc
4 Comments
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39813157
1.  Should I put the Staff and Public LANs on their own AD domains or just separate with VLANs?

By public, do you mean guest VLAN? If so, what purpose would guest need AD? If they do, I would def use a separate domain.

2.  Once I setup VLANs can I still use dumb switches in the config (eventually want to eliminate but need for now)?  In other words, can I mix and match or is it VLANs or not?


You can use dumb switches with vlans, just know that the port that they uplink to designates what vlan that entire dumb switch is on, so if you uplink the switch to an access port that is on VLAN 100, the entire dumb switch will be on vlan 100.

3.  How should I address the shared printers or other resources, maybe through the Sonicwall with access policies?


You could put the shared resources on their own vlan and then create policies for the staff network to access and for the guest to access, yet not allowing either network to talk to each other. Regardless, I don't think allowing guest to share resources with staff is a good idea. Say for example sensitive document printing to the same printer as a visitor. NOT GOOD!


4. Do I leave the switches in Layer 2 mode and let the Sonicwall do all the routing?

If your switches are able to do routing I would set them up to do all of the VLAN routing and have the Sonicwall only handle traffic in and out of the internet/WAN.

5. Does it make sense to incorporate our backup Sonicwall into the configuration at all?


I don't see a purpose in your current situation, unless you wanted another point of packet inspection and/or routing.


6. VLANs by their very nature block all broadcast traffic - correct assumption even if there is inter-VLAN routing between subnets?
Would appreciate any input!


Yes, vlans contain broadcasts within them.
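The three design rules in the accepted answer (a dumb switch inherits the VLAN of the access port it uplinks to, shared resources sit on their own VLAN reachable one way from staff and public but with no staff/public path, and broadcasts stay inside a VLAN even with inter-VLAN routing) as an added Python model; this is not code from the thread or from any of the vendors named, and the VLAN numbers, subnets, port names and hostnames are assumptions.

```python
import ipaddress

# Constructed topology (assumed values): staff, public and shared-resource VLANs.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.0.10.0/24"),  # staff
    20: ipaddress.ip_network("10.0.20.0/24"),  # public
    30: ipaddress.ip_network("10.0.30.0/24"),  # shared printers, reservation web server
}

# Access ports on the managed switch (assumed port names). gi5 uplinks a dumb switch;
# the dumb switch cannot tag frames, so every host behind it lands in gi5's VLAN.
ACCESS_PORT_VLAN = {"gi1": 10, "gi2": 10, "gi3": 20, "gi5": 20}
HOST_PORT = {"staff-pc-1": "gi1", "public-pc-7": "gi5", "public-pc-8": "gi5"}

# Inter-VLAN policy on whatever routes (L3 switch or firewall): staff and public may
# each initiate to the shared VLAN; no rule exists between staff and public in either
# direction. Return traffic for allowed flows is assumed to be handled statefully.
ALLOWED_ROUTES = {(10, 30), (20, 30)}


def vlan_of_host(host):
    """VLAN a host is in: the VLAN of the access port it (or its dumb switch) plugs into."""
    return ACCESS_PORT_VLAN[HOST_PORT[host]]


def vlan_of_ip(ip):
    """Map an address to its VLAN via the subnet table; unknown addresses are an error."""
    addr = ipaddress.ip_address(ip)
    for vlan, net in VLAN_SUBNETS.items():
        if addr in net:
            return vlan
    raise ValueError(f"{ip} is not in any known VLAN subnet")


def broadcast_reaches(src_ip, dst_ip):
    """Broadcasts are confined to the source VLAN; routing never forwards them."""
    return vlan_of_ip(src_ip) == vlan_of_ip(dst_ip)


def check_flow(src_ip, dst_ip):
    """Classify a unicast flow: same VLAN is plain L2, otherwise the routing policy decides."""
    src, dst = vlan_of_ip(src_ip), vlan_of_ip(dst_ip)
    if src == dst:
        return "L2 same VLAN"
    return "routed: allowed" if (src, dst) in ALLOWED_ROUTES else "routed: denied"


if __name__ == "__main__":
    print(vlan_of_host("public-pc-7"), check_flow("10.0.20.5", "10.0.10.20"))
```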
 

Author Comment

by:Webcc
ID: 39813355
Thanks Soulja!

We are an educational environment so the Public can come in and use designated computers and peripherals.  We have reservation software to control usage that the staff must access.  That is all WEB based software so I can easily share that between the two groups.  Just a couple printers I will have to plan for.  The staff only uses the color printers and very infrequently, but still need to have access.

I agree about setting up a separate AD domain for Public, now that we have the hardware I'm going to make that a priority.

Thanks again and if you don't have anything else to add I will close out with high marks.
 
LVL 26

Expert Comment

by:Soulja
ID: 39813366
Glad to help!
 

Author Closing Comment

by:Webcc
ID: 39813399
Very informative and precise.