VLAN Question

My company sublets a number of offices to other companies.  Thus I am looking for a way to separate individual offices in an office suite so that each office is unable to locate the devices (PC, Printers, etc) in adjoining offices for obvious security purposes. We also have a public wireless network that I need to separate from all of this, as we and clients regularly have outside vendors in for meetings.  

Current switches: HP ProCurve 2600 series layer 2 PoE switches.  Our firewall is providing DNS / DHCP with a tunnel created for corporate use to our datacenter at a colocation site.  I am testing my concepts / design here prior to attempting to implement for obvious reasons of saving time and headaches if my thoughts / design will not work properly.  

Assumption:

I can use VLANs to accomplish this task.  VLAN 1 (10.0.x/24 subnet); all other VLANs utilize 192.168.1.x/24 subnet.  IP phones are all internet based so no need for a voice VLAN.

Design:

Ports 49 & 50 on all switches (3 in all) create a tagged trunk linking all together and to the firewall for client access.

Switch 1 (first 32 ports VLAN 1 - untagged port 1 links back to firewall for firewall access)
Switch 1 (ports 33 through 38 VLAN 2 Public Wireless - untagged - port 49 / 50 tagged)
Switch 1 (ports 39 & 40 VLAN 3 Printing available to all VLANs except VLAN 1 - tagged all VLANs except VLAN 1 set to NO)

After this each set of 4 ports on a switch corresponds to an office.  e.g.,

Switch 1 ports 41-44 office 10 VLAN 10 untagged - tagged ports 49, 50 - NO all other ports

Switch 1 ports 45-48 office 11 VLAN 11 untagged - tagged ports 49, 50 - NO all other ports

Switches 2 & 3 to follow same pattern so that all 26 of our client offices are separated.

Question 1 - am I on the right track?
Question 2 - is there a better, easier, more simple way of accomplishing this?

I am also hoping to procure layer 3 switches within a few months.  Should I wait for that or proceed?

Thanks!
Asked by scottoleson
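As an added illustration (not part of the question and not vendor tooling), the following Python script encodes the Switch 1 port layout from the design above, checks it against the ProCurve membership rules (a port can be untagged in only one VLAN, never untagged and tagged in the same VLAN, and every non-default VLAN must ride the trunk ports tagged), and renders the equivalent ProCurve CLI. The VLAN names, the 50-port count and the port-range helper are assumptions of this example.

```python
"""Build, sanity-check and render the Switch 1 VLAN/port layout from the design.
Added example; not code from the original post."""
from dataclasses import dataclass, field
from typing import Dict, List

TRUNK_PORTS = [49, 50]      # tagged uplink ports on every switch (from the design)
ALL_PORTS = range(1, 51)    # assumption: a 50-port 2600-series switch


@dataclass
class Vlan:
    vid: int
    name: str
    untagged: List[int]                               # access ports (no 802.1Q tag)
    tagged: List[int] = field(default_factory=list)   # ports carrying this VLAN tagged


# Switch 1 as laid out in the question; the VLAN names are assumptions.
SWITCH1: List[Vlan] = [
    Vlan(1, "Corporate", list(range(1, 33))),
    Vlan(2, "Public-Wireless", list(range(33, 39)), list(TRUNK_PORTS)),
    Vlan(3, "Shared-Printers", [39, 40], list(TRUNK_PORTS)),
    Vlan(10, "Office-10", [41, 42, 43, 44], list(TRUNK_PORTS)),
    Vlan(11, "Office-11", [45, 46, 47, 48], list(TRUNK_PORTS)),
]


def validate(vlans: List[Vlan]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    untagged_in: Dict[int, int] = {}
    for v in vlans:
        for p in v.untagged:
            if p in untagged_in:
                problems.append(f"port {p} untagged in VLAN {untagged_in[p]} and VLAN {v.vid}")
            untagged_in[p] = v.vid
        for p in sorted(set(v.untagged) & set(v.tagged)):
            problems.append(f"port {p} both untagged and tagged in VLAN {v.vid}")
        if v.vid != 1:
            # Without the trunk tag an office VLAN never reaches the firewall.
            for p in TRUNK_PORTS:
                if p not in v.tagged:
                    problems.append(f"VLAN {v.vid} is not tagged on trunk port {p}")
    # The design's 'NO' column: an office access port belongs to no other VLAN, tagged or not.
    for v in vlans:
        if v.vid < 10:
            continue
        for other in vlans:
            if other.vid != v.vid:
                for p in sorted(set(v.untagged) & set(other.tagged)):
                    problems.append(f"office port {p} (VLAN {v.vid}) also tagged in VLAN {other.vid}")
    return problems


def default_vlan_ports(vlans: List[Vlan]) -> List[int]:
    """Ports untagged in no VLAN stay untagged in VLAN 1 on ProCurve by default;
    list them so the decision to keep VLAN 1 on the trunk is a deliberate one."""
    assigned = {p for v in vlans for p in v.untagged}
    return [p for p in ALL_PORTS if p not in assigned]


def port_list(ports: List[int]) -> str:
    """Compress [41, 42, 43, 44, 49, 50] into the ProCurve form '41-44,49-50'."""
    ports = sorted(set(ports))
    out: List[str] = []
    start = prev = ports[0]
    for p in ports[1:]:
        if p == prev + 1:
            prev = p
            continue
        out.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = p
    out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)


def render_cli(vlans: List[Vlan]) -> str:
    """Emit ProCurve 'vlan <id>' stanzas with untagged/tagged port lists."""
    lines: List[str] = []
    for v in vlans:
        lines.append(f"vlan {v.vid}")
        lines.append(f'   name "{v.name}"')
        if v.untagged:
            lines.append(f"   untagged {port_list(v.untagged)}")
        if v.tagged:
            lines.append(f"   tagged {port_list(v.tagged)}")
        lines.append("   exit")
    return "\n".join(lines)


if __name__ == "__main__":
    problems = validate(SWITCH1)
    print("problems:", problems or "none")
    print("left in VLAN 1 by default:", default_vlan_ports(SWITCH1))
    print(render_cli(SWITCH1))
```

For this layout the checker reports ports 49 and 50 as still untagged in VLAN 1, so the trunk also carries the corporate VLAN untagged unless VLAN 1 is removed from those ports; whether that is wanted depends on where the corporate VLAN is meant to reach the firewall.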
Craig Beck commented:
What you're wanting to do at the moment, based on what you said in the OP...
I can use VLAN's to accomplish this task.  VLAN 1 (10.0.x/24 subnet) all other VLANS utilize 192.168.1.x/24 subnet.
...means you'd need to use Private-VLANs which is something a bit different to normal VLANs.

A Private-VLAN will let everyone be on the same subnet and VLAN, but there's isolation between the switchports so my PC wouldn't be able to 'see' the PC next to it usually.  There are exceptions to this (by using community-based P-VLANs) but generally using P-VLANs would mean that people wouldn't be able to see each other in the same office.  That's not what you want.

So, keep it simple.  Use a VLAN per office/company and assign a dedicated subnet to each one.  Your firewall will stop offices from routing between them.
 
scottoleson (author) commented:
Craig

Thanks for the response.  So to push further and check my understanding.

1) I need a layer 3 switch to provide private VLANs to each of my clients in the 26 offices that we have separate tenants in.  Then each tenant would "see" all devices on their private VLAN but not other P-VLANs.   If needed I could also combine offices should two or three be occupied by the same company.
2) It would be a waste of IP subnets and require other hardware to assign each client their own unique subnet.
3) For shared multifunction printer access all VLANs would need access to the printer VLAN.

Thus...

10.0.1.x/24 Corporate Network
10.0.2.x/24 Public Printer Network
192.168.1.x/24 P-VLANs for Corporate Customers and Public Wireless Internet

ALL VLANs can access the printer network through the firewall and routing tables.

My lights are turning on and wheels are churning..

Thanks in advance!
 
Craig Beck commented:
Ok to pick up on a couple of things...

My company sublets a number of offices to other companies.  Thus I am looking for a way to separate individual offices in an office suite so that each office is unable to locate the devices (PC, Printers, etc) in adjoining offices for obvious security purposes. We also have a public wireless network that I need to separate from all of this, as we and clients regularly have outside vendors in for meetings.  
This was your OP... but that sounds different to what you just said...
3) For shared multifunction printer access all VLANs would need access to the printer VLAN.

Are you allowing everyone to see shared printers provided by you, or not?  I'm confused :-)
 
scottoleson (author) commented:
Yes..  My original statement included Switch 1 with VLAN 3 for shared public printing.  We allow clients access to an "old" multifunction.  :)
 
Craig Beck commented:
Ok so I'd go with a VLAN per office with its own subnet and a separate VLAN for the shared printer(s).  You can easily do this at a Layer-3 switch or with a router which supports 802.1Q.  Don't worry about using different subnets and running out of addresses - you can use a 172.16.x.y range for each office.  That would give you over 1,000,000 IP addresses to play with and you can split this into chunks as small or as large as you like, so typically you could use 172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24, and so on for each office.

You can use basic ACLs or firewall rules to allow each office to get to the printer, while blocking each office from seeing each other's subnets.

Job done. :-)
 
scottoleson (author) commented:
I knew I could VLAN in this way, but was hoping to not need to dish out different subnets to each client office.  This just seems like overkill.

Thanks
 
Craig Beck commented:
It's not overkill and is actually much better for you for many reasons...

Auditing
Security policies
Delegation of address assignment
...
 
skullnobrains commented:
maybe consider this alternate solution since you apparently do not expect much traffic between offices

this assumes your firewall is vlan-aware

FIREWALL --- switch ---- office X

the firewall to switch link is a trunk with ALL vlans allowed

the switch port associated with office X is in VLAN X but the traffic to office X is untagged

each office has a different subnet, and the firewall takes care of what is allowed

this does not require a layer-3 switch, nor ACLs, nor any VLAN configuration in offices. it should also be easy to maintain. you'd still have to migrate IP addresses and create a virtual interface per VLAN on the firewall

if you need several ports per office, with or without link aggregation, it won't make a difference

obviously treat the wireless network(s) and printer network in the same way. just allow traffic from offices to printers on the firewall as required
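Both Craig's answer (a /24 per office out of 172.16.0.0/16, with ACLs or firewall rules that let each office reach the printer but not each other) and skullnobrains' answer (one VLAN interface per office on the firewall, which decides what is allowed) come down to the same policy. The following Python is an added example, not code from either poster, that lays out that address plan and evaluates the first-match rule set the way a stateful firewall would on the first packet of a new connection. Using the VLAN id as the third octet, VLAN 10 through 35 for the 26 offices, and the 10.0.1.0/24 corporate and 10.0.2.0/24 printer ranges from the asker's second post are assumptions of this example.

```python
"""Per-VLAN subnet plan plus a first-match evaluator of the isolation policy.
Added example; not code from the thread."""
import ipaddress
from itertools import combinations
from typing import Dict

OFFICE_VLANS = range(10, 36)   # 26 tenant offices: VLAN 10..35 (assumed continuation of 10, 11)

# Zone name -> network. Corporate and printer ranges are from the asker's second post;
# 172.16.<vlan-id>.0/24 per office follows Craig's suggestion (third octet = VLAN id is
# an assumption of this example).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "corp": ipaddress.ip_network("10.0.1.0/24"),
    "printer": ipaddress.ip_network("10.0.2.0/24"),
    "wifi": ipaddress.ip_network("172.16.2.0/24"),
}
for vid in OFFICE_VLANS:
    ZONES[f"office-{vid}"] = ipaddress.ip_network(f"172.16.{vid}.0/24")


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def policy(src_ip: str, dst_ip: str) -> str:
    """First-match rules for the initiator of a new connection. Return traffic is
    the stateful firewall's job, so only who may start a conversation is listed."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    rules = [
        (lambda s, d: s == d,          "allow"),  # same VLAN: switched locally, never hits the firewall
        (lambda s, d: s == "corp",     "allow"),  # corporate may reach everything
        (lambda s, d: d == "printer",  "allow"),  # every tenant may use the shared MFP
        (lambda s, d: d == "internet", "allow"),  # every tenant gets out to the internet
        (lambda s, d: True,            "deny"),   # office->office, wifi->office, anything->corp, ...
    ]
    for match, verdict in rules:
        if match(src, dst):
            return verdict
    return "deny"


def check_isolation() -> bool:
    """Every office subnet is distinct and no office can initiate to another office."""
    nets = [ZONES[f"office-{v}"] for v in OFFICE_VLANS]
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            return False
        if policy(str(a[10]), str(b[10])) != "deny":
            return False
    return True


if __name__ == "__main__":
    for name, net in ZONES.items():
        print(f"{name:10s} {net}")
    print("office isolation holds:", check_isolation())
    print("office-10 -> office-11:", policy("172.16.10.5", "172.16.11.5"))
    print("office-10 -> printer:  ", policy("172.16.10.5", "10.0.2.20"))
```

The last rule is the one that matters operationally: a deny that catches everything not listed above it, so adding a 27th office means adding a subnet, not a new block rule, and the printer VLAN can never start connections into a tenant's office.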
 
scottoleson (author) commented:
Both solutions look viable and will accomplish my goals.  Fortunately I have some time and will play a little in the sandbox to decide which is best for our situation.

Thanks!