Cole Schmidt (United States of America) asked:
Network Topology - Am I doing it right?

I have a question about best practices regarding network topology.

I operate a relatively small network.  I have my network broken down into 5 different networks:

10.1.1.0 /24 - for device management - VLAN 1
10.2.0.0 /16 - for servers (original IP address space before I came to company - everyone was on the same network with the servers) - VLAN 2
10.5.1.0 /24 - For wired Ethernet devices - workstations and laptops - VLAN 5
10.10.1.0 /24 - For Wireless devices - laptops mainly - also a VLAN 10
10.254.254.0 /29 - Very small subnet, used for a VLAN 254 between our main switch up-link, web filter and firewall device.

That last subnet is where my question lies.

Is it a good practice to concentrate egress/ingress Internet traffic into its own VLAN?  When I set this up 7 years ago, I thought it was.

We are getting a new firewall/router - it will replace our current firewall and web filtering solution.  I am wondering if I should keep this setup, or if I should just make the new device part of the 10.2.0.0 network and call it a day?

The other idea I had, since this new firewall has many LAN side ports was to eliminate VLAN 254 and use 3 separate up-links for VLANs 2, 5 and 10 on my main switch to the new firewall.

My other thought was to use a trunk port for the up-link to the firewall and configure it like router-on-a-stick using sub-interfaces on the firewall.

My networking skills are a little rusty, and was hoping to hear from others that may be wiser than I am with this sort of thing...  I want some feedback on advantages/disadvantages of the potential topology choices.

Thanks in advance.

Note - in response to a comment on this question - yes, I am aware that the WAN interface and the LAN interface of my firewall need to be on different networks.
John (Canada):

Business laptops are coming now wireless with no Ethernet or Dongle required.

Why separate business computers into two different subnets ?

Why have your servers on yet another subnet?

"Small network" - how many devices?
ASKER CERTIFIED SOLUTION by Soulja (United States of America) - solution text not available (members only).
Cole Schmidt (asker):

Hi John -

180 devices, and growing.

When I divided the network up like that, at the time, I thought it would be good for a few reasons: one was to maintain smaller broadcast domains.  Also, just a way to categorize devices by connection type.  It came in handy for certain tasks knowing that all my wireless clients were within a certain IP range, for example.

Really, the main reason was to control broadcast traffic, and for logical separation of devices.  With a network this small, I imagine broadcast traffic would not be that cumbersome.  However, I like to plan for growth, and I had learned that it is good to maintain small broadcast domains.

With modern Wireless gear, broadcast traffic is normally not an issue.

Perhaps keep phones and such on a separate VLAN, but I would keep business computers (a number wired and some wireless) on the same subnet as the servers.  

Phones can add a lot of network demand and often (in our case) not needed on the main network.
Hello Masnrock - Actually, we have a completely separate switched LAN for public/guest access with its own separate internet connection.  So we have a few WAPs that are "public" and then we have our own internal WAPs as well.  I thought about bringing them all together, we recently upgraded to Ubiquiti WAPs that would support your idea, which I like for simplification purposes, but I also like the idea of complete and total physical separation of untrusted devices from our production environment.

That's not a problem. I just didn't know how that side of things was set up. It's actually pretty good. Whether you change or not really depends on you.

If you decide to change (and there's really no pressure for you to do so):
One of the top things I always make sure to do is ensure that guest VLANs are NOT allowed to communicate with other VLANs. (I've seen too many cases of this getting overlooked.) In some cases, I've seen a shared firewall but separate connections. In other cases, a shared connection and shared firewall, but NAT rules enforce translation to different IP addresses as well as bandwidth limits for the guest VLAN.

If you've read on the recent vulnerabilities with the fax protocol, you could justify having printers and fax machines in their own VLAN.
@Cole

That physical separation is awesome. It's not the most cost effective approach and that's why most companies use logical separation instead. Physical is much better though.
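As an added example (not from the thread or any of its posters), here is a small Python model of the VLANs listed in the question together with a constructed first-match firewall policy, used to check Masnrock's point that a guest VLAN must not be able to talk to the other VLANs. The guest subnet 192.168.100.0/24, the rule set and the "internet" destination label are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# VLANs and subnets from the question, plus an assumed guest subnet
# (in the thread the guest Wi-Fi is a physically separate LAN; the
# 192.168.100.0/24 value is constructed for this example).
VLANS = {
    1: ipaddress.ip_network("10.1.1.0/24"),            # device management
    2: ipaddress.ip_network("10.2.0.0/16"),            # servers
    5: ipaddress.ip_network("10.5.1.0/24"),            # wired workstations
    10: ipaddress.ip_network("10.10.1.0/24"),          # wireless laptops
    254: ipaddress.ip_network("10.254.254.0/29"),      # switch/filter/firewall link
    "guest": ipaddress.ip_network("192.168.100.0/24"), # assumed guest VLAN
}

@dataclass
class Rule:
    src: object   # VLAN key, "guest", or "any"
    dst: object   # VLAN key, "guest", "internet", or "any"
    action: str   # "allow" or "deny"

# Constructed first-match policy. The guest deny rules sit above every
# broad allow so that they win regardless of what is added later.
POLICY = [
    Rule("guest", "internet", "allow"),  # guests only get out to the Internet
    Rule("guest", "any", "deny"),        # ... and nothing internal
    Rule("any", "guest", "deny"),        # nothing internal reaches guests
    Rule(5, 2, "allow"),                 # wired clients -> servers
    Rule(10, 2, "allow"),                # wireless clients -> servers
    Rule(5, 1, "allow"),                 # wired clients -> device management
    Rule("any", "internet", "allow"),    # every internal VLAN may reach the Internet
]

def vlan_of(ip):
    """Map an address to its VLAN key; anything outside the table is 'internet'."""
    addr = ipaddress.ip_address(ip)
    return next((k for k, net in VLANS.items() if addr in net), "internet")

def evaluate(src_ip, dst_ip, policy=POLICY):
    """First-match evaluation with an implicit default deny."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:
        return "allow"  # same VLAN is switched locally and never hits the firewall
    for r in policy:
        if r.src in ("any", src) and r.dst in ("any", dst):
            return r.action
    return "deny"

def guest_is_isolated(policy=POLICY):
    """Masnrock's check: no internal VLAN reachable from guest, or vice versa."""
    guest = str(next(VLANS["guest"].hosts()))
    hosts = [str(next(net.hosts())) for k, net in VLANS.items() if k != "guest"]
    return all(evaluate(guest, h, policy) == "deny" and
               evaluate(h, guest, policy) == "deny" for h in hosts)
```

Prepending a broad `Rule("any", "any", "allow")` to the policy makes `guest_is_isolated()` return False, which is the ordering mistake the check is meant to catch.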
At what point do I start to worry about the size of my broadcast domain?  Basically, what is the maximum recommended amount of hosts per broadcast domain?  I guess that depends on the types of devices and protocols they are running, but is there a general rule of thumb for this?
A modern wireless access point can handle hundreds of devices, so not to worry at this point.
Author abandoned