Solved

VLAN Question

Posted on 2014-02-28
Last Modified: 2014-03-01
My company sublets a number of offices to other companies.  Thus I am looking for a way to separate individual offices in an office suite so that each office is unable to locate the devices (PC, Printers, etc) in adjoining offices for obvious security purposes. We also have a public wireless network that I need to separate from all of this, as we and clients regularly have outside vendors in for meetings.  

Current switches HP Procurve 2600 series layer 2 POE switches.  Our firewall is providing DNS / DHCP with a tunnel created for corporate use to our datacenter at a collocation site.  I am testing my concepts / design here prior to attempting to implement for obvious reasons of saving time and headaches if my thoughts / design will not work properly.  

Assumption:

I can use VLANs to accomplish this task.  VLAN 1 (10.0.x/24 subnet) all other VLANS utilize 192.168.1.x/24 subnet.  IP phones are all internet based so no need for a voice VLAN.

Design:

Ports 49 & 50 on all switches (3 in all) creating a tagged trunk linking all together and to the firewall for client access.

Switch 1 (first 32 ports VLAN 1 - untagged port 1 links back to firewall for firewall access)
Switch 1 (ports 33 through 38 VLAN 2 Public Wireless - untagged - port 49 / 50 tagged)
Switch 1 (ports 39 & 40 VLAN 3 Printing available to all VLANS except VLAN 1 - tagged all VLANS except VLAN 1 set to NO)

After this each set of 4 ports on a switch correspond to an office.  e.g.,

Switch 1 ports 41-44 office 10 VLAN 10 untagged - tagged ports 49, 50 - NO all other ports

Switch 1 ports 45-48 office 11 VLAN 11 untagged - tagged ports 49, 50 - NO all other ports

Switches 2 & 3 to follow same pattern so that all 26 of our client offices are separated.

Question 1 - am I on the right track?
Question 2 - is there a better, easier, more simple way of accomplishing this?

I am also hoping to procure layer 3 switches within a few months.  Should I wait for that or proceed?

Thanks!
Question by:scottoleson
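An added check of the Switch 1 port plan above, not part of the original question or the poster's switch config: it models each port's untagged and tagged VLAN membership and reports which ports a tenant frame can reach at layer 2. Assumed ProCurve semantics (one untagged VLAN per port plus tagged members; frames stay in the VLAN they entered), and my reading that "tagged all VLANs except VLAN 1" on the printer ports means tagged in each office VLAN and that the 49/50 trunk is tagged for every VLAN.

```python
# Added model of the Switch 1 port plan from the question (not the poster's config).
# Assumed ProCurve semantics: each port has one untagged VLAN plus any tagged VLANs,
# and a frame is forwarded only to ports that are members of the VLAN it entered.

def switch1_plan():
    """Port -> (untagged VLAN, set of tagged VLANs), following the layout in the question."""
    plan = {}
    for p in range(1, 33):
        plan[p] = (1, set())                # corporate, VLAN 1 untagged
    for p in range(33, 39):
        plan[p] = (2, set())                # public wireless
    for p in range(39, 41):
        plan[p] = (3, {10, 11})             # shared printer ports, tagged in each office VLAN (assumed reading)
    for p in range(41, 45):
        plan[p] = (10, set())               # office 10
    for p in range(45, 49):
        plan[p] = (11, set())               # office 11
    for p in (49, 50):
        plan[p] = (1, {2, 3, 10, 11})       # trunk to the other switches and the firewall
    return plan

def l2_reach(plan, src_port):
    """Ports that can receive a frame sent untagged into src_port (same VLAN, tagged or untagged)."""
    vlan = plan[src_port][0]
    return {p for p, (untagged, tagged) in plan.items()
            if p != src_port and (untagged == vlan or vlan in tagged)}

def isolation_report(plan, office_vlans, trunk_ports):
    """For each office VLAN, the access ports of *other* offices reachable at layer 2 (should be empty).
    Trunk ports are excluded: they carry every VLAN, and cross-VLAN forwarding there is the firewall's job."""
    def access_ports(vlan_filter):
        return {p for p, (untagged, _) in plan.items()
                if vlan_filter(untagged) and p not in trunk_ports}
    leaks = {}
    for vlan in office_vlans:
        others = access_ports(lambda u: u in office_vlans and u != vlan)
        reached = set()
        for port in access_ports(lambda u: u == vlan):
            reached |= l2_reach(plan, port)
        leaks[vlan] = sorted(reached & others)
    return leaks

if __name__ == "__main__":
    plan = switch1_plan()
    print("office 10 port 41 reaches:", sorted(l2_reach(plan, 41)))
    print("tenant leaks:", isolation_report(plan, {10, 11}, {49, 50}))
    plan[45] = (11, {10})                   # mistake: an office 11 port tagged in VLAN 10
    print("after misconfig:", isolation_report(plan, {10, 11}, {49, 50}))
```

The misconfigured run at the end shows the kind of slip the check is for: one extra tagged membership on an office port silently joins two tenants at layer 2.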

Accepted Solution

by:
Craig Beck earned 250 total points
ID: 39894943
What you're wanting to do at the moment, based on what you said in the OP...
I can use VLAN's to accomplish this task.  VLAN 1 (10.0.x/24 subnet) all other VLANS utilize 192.168.1.x/24 subnet.
...means you'd need to use Private-VLANs which is something a bit different to normal VLANs.

A Private-VLAN will let everyone be on the same subnet and VLAN, but there's isolation between the switchports so my PC wouldn't be able to 'see' the PC next to it usually.  There are exceptions to this (by using community-based P-VLANs) but generally using P-VLANs would mean that people wouldn't be able to see each other in the same office.  That's not what you want.

So, keep it simple.  Use a VLAN per office/company and assign a dedicated subnet to each one.  Your firewall will stop offices from routing between them.

Author Comment

by:scottoleson
ID: 39895020
Craig

Thanks for the response.  So to push further and check my understanding.

1) I need a layer 3 switch to provide private VLANS to each of my clients in the 26 offices that we have separate tenants.  Then each tenant would "see" all devices on their private VLAN but not other P-VLANS.   If needed I could also combine offices should two or three be occupied by the same company.
2) It would be a waste of IP subnets and require other hardware to assign each client their own unique subnet.
3) For shared multifunction printer access all VLANS would need access to the printer VLAN.

Thus...

10.0.1.x/24 Corporate Network
10.0.2.x/24 Public Printer Network
192.168.1.x/24 P-VLANs for Corporate Customers and Public Wireless Internet

ALL VLANS can access printer network through the firewall and routing tables.

My lights are turning on and wheels are churning..

Thanks in advance!

Expert Comment

by:Craig Beck
ID: 39895037
Ok to pick up on a couple of things...

My company sublets a number of offices to other companies.  Thus I am looking for a way to separate individual offices in an office suite so that each office is unable to locate the devices (PC, Printers, etc) in adjoining offices for obvious security purposes. We also have a public wireless network that I need to separate from all of this, as we and clients regularly have outside vendors in for meetings.  
This was your OP... but that sounds different to what you just said...
3) For shared multifunction printer access all VLANS would need access to the printer VLAN.

Are you allowing everyone to see shared printers provided by you, or not?  I'm confused :-)

Author Comment

by:scottoleson
ID: 39895057
Yes..  My original statement included Switch 1 with VLAN 3 for shared public printing.  We allow clients access to an "old" multifunction.  :)

Expert Comment

by:Craig Beck
ID: 39895211
Ok so I'd go with a VLAN per office with its own subnet and a separate VLAN for the shared printer(s).  You can easily do this at a Layer-3 switch or with a router which supports 802.1Q.  Don't worry about using different subnets and running out of addresses - you can use a 172.16.x.y range for each office.  That would give you over 1,000,000 IP addresses to play with and you can split this into chunks as small or as large as you like, so typically you could use 172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24, and so on for each office.

You can use basic ACLs or firewall rules to allow each office to get to the printer, while blocking each office from seeing each other's subnets.

Job done. :-)

Author Comment

by:scottoleson
ID: 39895659
I knew I could VLAN in this way, but hoping to not need to dish out different subnets to each client office.  This just seems like overkill.

Thanks

Expert Comment

by:Craig Beck
ID: 39896150
It's not overkill and is actually much better for you for many reasons...

Auditing
Security policies
Delegation of address assignment
...

Assisted Solution

by:skullnobrains
skullnobrains earned 250 total points
ID: 39897057
maybe consider this alternate solution since you apparently do not expect much traffic between offices

this assumes your firewall is vlan-aware

FIREWALL --- switch ---- office X

the firewall to switch link is a trunk with ALL vlans allowed

the switch port associated with office X is in VLAN X but the traffic to office X is untagged

each office has a different subnet, and the firewall takes care of what is allowed

this does not require a level3 switch, nor ACLs, nor any VLAN configurations in offices. it should also be easy to maintain. you'd still have to migrate IP addresses and create a virtual interface per VLAN on the firewall

if you need several ports per office with or without link aggregation, it won't make a difference

obviously treat the wireless network(s) and printer network in the same way. just allow traffic from offices to printers on the firewall as required
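The firewall side of this design as an added example, not skullnobrains' or the poster's configuration: one routed sub-interface and subnet per VLAN (the 172.16.x.0/24-per-office scheme Craig Beck suggested), a first-match rule list that lets each office reach the shared printer subnet and the internet but no other private subnet, and a small evaluator to test a flow against it. The VLAN ids, the 10.0.2.0/24 printer subnet and the office subnets are constructed, and only the forward path is modelled; return traffic is assumed to be handled by connection tracking.

```python
# Added model of the per-VLAN firewall policy from the thread (constructed, not a real config).
# The firewall has one routed sub-interface per VLAN; this evaluates the forward path only,
# return traffic is assumed to be permitted by connection tracking.
from ipaddress import ip_address, ip_network

# Constructed address plan: VLAN id -> (role, subnet). 172.16.x.0/24 per office as suggested above.
VLANS = {
    1:  ("corporate", ip_network("10.0.1.0/24")),
    2:  ("wireless",  ip_network("192.168.1.0/24")),
    3:  ("printer",   ip_network("10.0.2.0/24")),
    10: ("office",    ip_network("172.16.10.0/24")),
    11: ("office",    ip_network("172.16.11.0/24")),
}
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_policy(vlans=VLANS):
    """Ordered (src_net, dst_net, verdict) rules; dst_net None means any destination.
    First match wins; anything unmatched is denied."""
    rules = []
    printers = [net for role, net in vlans.values() if role == "printer"]
    for role, net in vlans.values():
        if role == "office":
            for p in printers:
                rules.append((net, p, "allow"))      # shared MFP is the only internal destination
            for priv in PRIVATE:
                rules.append((net, priv, "deny"))    # no tenant-to-tenant or tenant-to-corporate
            rules.append((net, None, "allow"))       # everything else (internet)
        elif role == "wireless":
            for priv in PRIVATE:
                rules.append((net, priv, "deny"))    # guests: internet only, not even the printer
            rules.append((net, None, "allow"))
        elif role == "corporate":
            rules.append((net, None, "allow"))       # corporate may reach all VLANs and the tunnel
    return rules

def decide(rules, src, dst):
    """Verdict for a flow src -> dst under a first-match policy with a default deny."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, verdict in rules:
        if s in src_net and (dst_net is None or d in dst_net):
            return verdict
    return "deny"

if __name__ == "__main__":
    policy = build_policy()
    for flow in (("172.16.10.5", "10.0.2.20"), ("172.16.10.5", "172.16.11.7"),
                 ("172.16.10.5", "10.0.1.9"), ("192.168.1.40", "10.0.2.20")):
        print(flow, "->", decide(policy, *flow))
```

Because the office rules deny all of RFC 1918 before the final allow, adding a 27th office is just another VLAN entry; no per-pair deny rules need maintaining.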

Author Closing Comment

by:scottoleson
ID: 39897897
Both solutions look viable and will accomplish my goals.  Fortunately I have some time and will play a little in the sandbox to decide which is best for our situation.

Thanks!