Solved

VLAN Question

Posted on 2014-02-28
9
486 Views
Last Modified: 2014-03-01
My company sublets a number of offices to other companies.  Thus I am looking for a way to separate individual offices in an office suite so that each office is unable to locate the devices (PC, Printers, etc) in adjoining offices for obvious security purposes. We also have a public wireless network that I need to separate from all of this, as we and clients regularly have outside vendors in for meetings.  

Current switches HP Procurve 2600 series layer 2 PoE switches.  Our firewall is providing DNS / DHCP with a tunnel created for corporate use to our datacenter at a colocation site.  I am testing my concepts / design here prior to attempting to implement for obvious reasons of saving time and headaches if my thoughts / design will not work properly.

Assumption:

I can use VLANs to accomplish this task.  VLAN 1 (10.0.x/24 subnet) all other VLANs utilize 192.168.1.x/24 subnet.  IP phones are all internet based so no need for a voice VLAN.

Design:

Ports 49 & 50 on all switches (3 in all) creating a tagged trunk linking all together and to the firewall for client access.

Switch 1 (first 32 ports VLAN 1 - untagged port 1 links back to firewall for firewall access)
Switch 1 (ports 33 through 38 VLAN 2 Public Wireless - untagged - port 49 / 50 tagged)
Switch 1 (ports 39 & 40 VLAN 3 Printing available to all VLANS except VLAN 1 - tagged all VLANS except VLAN 1 set to NO)

After this each set of 4 ports on a switch correspond to an office.  e.g.,

Switch 1 ports 41-44 office 10 VLAN 10 untagged - tagged ports 49, 50 - NO all other ports

Switch 1 ports 45-48 office 11 VLAN 11 untagged - tagged ports 49, 50 - NO all other ports

Switches 2 & 3 to follow same pattern so that all 26 of our client offices are separated.

Question 1 - am I on the right track?
Question 2 - is there a better, easier, more simple way of accomplishing this?

I am also hoping to procure layer 3 switches within a few months.  Should I wait for that or proceed?

Thanks!
Question by:scottoleson
9 Comments
 
LVL 46

Accepted Solution

by:
Craig Beck earned 250 total points
ID: 39894943
What you're wanting to do at the moment, based on what you said in the OP...
I can use VLANs to accomplish this task.  VLAN 1 (10.0.x/24 subnet) all other VLANs utilize 192.168.1.x/24 subnet.
...means you'd need to use Private-VLANs which is something a bit different to normal VLANs.

A Private-VLAN will let everyone be on the same subnet and VLAN, but there's isolation between the switchports so my PC wouldn't be able to 'see' the PC next to it usually.  There are exceptions to this (by using community-based P-VLANs) but generally using P-VLANs would mean that people wouldn't be able to see each other in the same office.  That's not what you want.

So, keep it simple.  Use a VLAN per office/company and assign a dedicated subnet to each one.  Your firewall will stop offices from routing between them.
 
LVL 1

Author Comment

by:scottoleson
ID: 39895020
Craig

Thanks for the response.  So to push further and check my understanding.

1) I need a layer 3 switch to provide private VLANs to each of my clients in the 26 offices that we have separate tenants.  Then each tenant would "see" all devices on their private VLAN but not other P-VLANs.   If needed I could also combine offices should two or three be occupied by the same company.
2) It would be a waste of IP subnets and require other hardware to assign each client their own unique subnet.
3) For shared multifunction printer access all VLANs would need access to the printer VLAN.

Thus...

10.0.1.x/24 Corporate Network
10.0.2.x/24 Public Printer Network
192.168.1.x/24 P-VLANs for Corporate Customers and Public Wireless Internet

ALL VLANs can access printer network through the firewall and routing tables.

My lights are turning on and wheels are churning..

Thanks in advance!
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39895037
Ok to pick up on a couple of things...

My company sublets a number of offices to other companies.  Thus I am looking for a way to separate individual offices in an office suite so that each office is unable to locate the devices (PC, Printers, etc) in adjoining offices for obvious security purposes. We also have a public wireless network that I need to separate from all of this, as we and clients regularly have outside vendors in for meetings.  
This was your OP... but that sounds different to what you just said...
3) For shared multifunction printer access all VLANs would need access to the printer VLAN.

Are you allowing everyone to see shared printers provided by you, or not?  I'm confused :-)
 
LVL 1

Author Comment

by:scottoleson
ID: 39895057
Yes..  My original statement included Switch 1 with VLAN 3 for shared public printing.  We allow clients access to an "old" multifunction.  :)
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39895211
Ok so I'd go with a VLAN per office with its own subnet and a separate VLAN for the shared printer(s).  You can easily do this at a Layer-3 switch or with a router which supports 802.1Q.  Don't worry about using different subnets and running out of addresses - you can use a 172.16.x.y range for each office.  That would give you over 1,000,000 IP addresses to play with and you can split this into chunks as small or as large as you like, so typically you could use 172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24, and so on for each office.

You can use basic ACLs or firewall rules to allow each office to get to the printer, while blocking each office from seeing each other's subnets.

Job done. :-)
 
LVL 1

Author Comment

by:scottoleson
ID: 39895659
I knew I could VLAN in this way, but hoping to not need to dish out different subnets to each client office.  This just seems like overkill.

Thanks
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39896150
It's not overkill and is actually much better for you for many reasons...

Auditing
Security policies
Delegation of address assignment
...
 
LVL 27

Assisted Solution

by:skullnobrains
skullnobrains earned 250 total points
ID: 39897057
maybe consider this alternate solution since you apparently do not expect much traffic between offices

this assumes your firewall is vlan-aware

FIREWALL --- switch ---- office X

the firewall to switch link is a trunk with ALL vlans allowed

the switch port associated with office X is in VLAN X but the traffic to office X is untagged

each office has a different subnet, and the firewall takes care of what is allowed

this does not require a layer 3 switch, nor ACLs, nor any VLAN configurations in offices. it should also be easy to maintain. you'd still have to migrate IP addresses and create a virtual interface per VLAN on the firewall

if you need several ports per office with or without link aggregation, it won't make a difference

obviously treat the wireless network(s) and printer network in the same way. just allow traffic from offices to printers on the firewall as required
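As an added example (not code from the thread or from either expert), this models the design both Craig Beck and skullnobrains converge on: one VLAN and one /24 per office, office ports untagged in their VLAN, the firewall trunk tagged, and a firewall policy that lets every VLAN reach the shared printer VLAN while keeping offices, wireless and corporate apart. The 172.16.x.0/24 and 10.0.x.0/24 assignments, the office and port numbers, and the ProCurve stanza layout are assumptions.

```python
import ipaddress

# Constructed VLAN/subnet plan following the thread's design: one VLAN and one
# /24 per tenant office (172.16.<office>.0/24), plus the shared printer VLAN and
# the public wireless VLAN. All addresses and VLAN numbers here are assumptions.
CORPORATE, PRINTERS, WIRELESS = "corporate", "printers", "wireless"

def build_plan(office_vlans, printer_vlan=3, wireless_vlan=2):
    """Return {zone: (vlan_id, network)}; refuse overlapping subnets."""
    plan = {
        CORPORATE: (1, ipaddress.ip_network("10.0.1.0/24")),
        WIRELESS: (wireless_vlan, ipaddress.ip_network("172.16.254.0/24")),
        PRINTERS: (printer_vlan, ipaddress.ip_network("10.0.2.0/24")),
    }
    for v in office_vlans:
        plan[f"office{v}"] = (v, ipaddress.ip_network(f"172.16.{v}.0/24"))
    nets = [net for _, net in plan.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets {a} and {b}")
    return plan

def procurve_config(plan, office_ports, trunk="49-50"):
    """ProCurve-style stanzas: office ports untagged, trunk tagged (VLAN 1 is
    left as the default untagged VLAN on the trunk, an assumption here)."""
    lines = []
    for zone, (vid, _) in sorted(plan.items(), key=lambda kv: kv[1][0]):
        lines += [f"vlan {vid}", f'   name "{zone}"']
        if zone in office_ports:
            lines.append(f"   untagged {office_ports[zone]}")
        if vid != 1:
            lines.append(f"   tagged {trunk}")
        lines.append("   exit")
    return "\n".join(lines)

def zone_of(plan, ip):
    ip = ipaddress.ip_address(ip)
    return next((z for z, (_, net) in plan.items() if ip in net), None)

def allowed(plan, src_ip, dst_ip):
    """Firewall policy: stay inside your VLAN, or reach the printer VLAN."""
    src, dst = zone_of(plan, src_ip), zone_of(plan, dst_ip)
    if src is None or dst is None:
        return False
    return src == dst or dst == PRINTERS

def overlap_free(office_vlans):
    try:
        build_plan(office_vlans)
        return True
    except ValueError:
        return False
```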
 
LVL 1

Author Closing Comment

by:scottoleson
ID: 39897897
Both solutions look viable and will accomplish my goals.  Fortunately I have some time and will play a little in the sandbox to decide which is best for our situation.

Thanks!