Solved

Network Desgin With Vlan

Posted on 2014-10-30
8
201 Views
Last Modified: 2014-10-31
Hi,
Point-1:
We have a production unit with different plants.
Plants Name
A
B
C

Point-2:
We have also a Administration building where our server room.
Where our Check Point firewall is mounted.


Point-3:
We have ISP (Airtel and Relience)


Current Network Design:
Both ISP are configure in checkpoint firewall. After that a port configure for local LAN
with 3 network range ,
192.168.4.1-254 -For Users
192.168.5.1-254 -For Server
192.168.6.1-254 -For Users
192.168.3.1-254 -For CCTV
 
And a CAT-6 cable is connected from firewall to Cisco Switch SG-300 28 Port(SW1) for LAN Network.
Our network is very slow because we dont have any VLAN in Network.All network on same subnet.

And a cable connected from a server room switch(SW1) to  in lift room switch Cisco Switch SG-300 28 Port(SW2).
After that 3 cable connected to RF(radio frequency) which are provide the internet for Plants .

And each plant have cisco unmanged switch.

We attach a file .


Please help us.
Ashish Kumar
If any query Mail to me Kumar.ashish9000@gmail.com

Thanks
scan-001.jpg
0
Comment
Question by:Ashish Kumar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 12

Accepted Solution

by:
Fidelius earned 500 total points
ID: 40412885
Hello,

You can reconfigure network (CheckPoint, SW1 and SW2) and put each subnet to own VLAN.
On Checkpoint configure 802.1Q trunk interface toward local LAN, and create subinterface in each VLAN.
On SW1 and SW2 create appropriate VLANs, and assign ports to it. Port toward CheckPoint configrure as 802.1Q trunk

If connection from RF to SW2 is single cable, I'm not sure you'll be able to separate Plants in different VLANs, but is every RF has its own connection to SW2, then you can put each RF in separate VLAN.

Configure link between SW1 and SW2 as 802.1Q trunk.

Regards!
0
 

Author Comment

by:Ashish Kumar
ID: 40412982
Hi ,
Firstly thanks for comment,

Every RF has own connection to SW2, so we can put each plant to different VLAN.

Sir we can create VLAN but we are fresher so please help us to create communication between VLAN.
How to communicate between each vlan to each vlan inculding SAP server valn(which has subnet mask 255.255.255.0) without changing SAP server subnet mask.

We have SAP server also in admin building and a CAT 6 cable connect sap server and sw1 switch.

Thanks
Ashish Kumar
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40412998
Inter VLAN communication can be done on CheckPoint or SW1. It depends how you want to do it.
On which subnet is SAP server?

If you have already this subnets:
192.168.4.1-254 -For Users
192.168.5.1-254 -For Server
192.168.6.1-254 -For Users
192.168.3.1-254 -For CCTV

You just need to put each subnet in different VLAN, no need to change subnet mask.
So lets say:
VLAN 4 -> 192.168.4.0/255.255.255.0
VLAN 5 -> 192.168.5.0/255.255.255.0
VLAN 6 -> 192.168.6.0/255.255.255.0
VLAN 3 -> 192.168.3.0/255.255.255.0
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 

Author Comment

by:Ashish Kumar
ID: 40413016
We want to make trunk using Cisco Switch rather then check point .
We can purchase a switch sw3 if required.


SAP server :

192.168.5.182
255.255.255.0

Sir can we make a vtp server using sw3.
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40413493
You don't need SW3. All can be done with CP, SW1 and SW2.
For only two switches, I don't recommend vtp configuration.

So regarding picture I attached, here is what you need to do:
- on SW1 create VLANs with IP addresses (for x,y,z use any number from 7-255.):
VLAN 3 -> 192.168.3.1/255.255.255.0
VLAN 4 -> 192.168.4.1/255.255.255.0
VLAN 5 -> 192.168.5.1/255.255.255.0
VLAN 6 -> 192.168.6.1/255.255.255.0
VLAN x -> 192.168.x.1/255.255.255.0
VLAN y -> 192.168.y.1/255.255.255.0
VLAN z -> 192.168.z.1/255.255.255.0

- on SW1 port toward SW2 configure as trunk
- on SW2 port toward SW1 configure as trunk
- on SW2 create VLANs: VLAN x, VLAN y, VLAN z
- on SW2:
- port toward RF1 put in VLAN x
- port toward RF2 put in VLAN y
- port toward RF3 put in VLAN z
- on CheckPoint add static route toward 192.168.0.0/255.255.0.0 to point to SW1 IP address (to be more precise, please send me IP of CheckPoint and SW1)
- on CheckPoint modify Anti-Spoofing on inside interface by adding network range 192.168.0.0/255.255.0.0
- on clients change default gateway to SW1 IP address in adequate  VLAN.

That should be it.
LAN.PNG
0
 

Author Comment

by:Ashish Kumar
ID: 40415025
All network range created in Check Point.
IP Address of Check Point
192.168.4.1
But we can also access firewall through by
192.168.5.1
192.168.6.1

One more question can we access any vlan host from any vlan including CCTV and SAP server VLAN.
0
 

Author Comment

by:Ashish Kumar
ID: 40415031
why you are not recommending VTP server??
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40415233
Because for only two switches it is not very useful, and you have more control and easier troubleshoot, without vtp.

Can you post interface configuration from CheckPoint and configuration of SW1 and SW2?
It will be much easier and faster to help you with those information.
0

Featured Post

Increase Agility with Enabled Toolchains

Connect your existing build, deployment, management, monitoring, and collaboration platforms. From Puppet to Chef, HipChat to Slack, ServiceNow to JIRA, Splunk to New Relic and beyond, hand off data between systems to engage the right people.

Connect with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transparency shows that a company is the kind of business that it wants people to think it is.
The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question