Network Design

I'm currently using a /22 address space, 192.168.100.x with a flat network, everything in one vlan. I know that's not good, so I want to change it.   We will be moving to a new facility in about 6 months, a bigger building with 3 floors, currently we have 1 floor.  There will be different buildings, so I'm debating about having two separate internet circuits for each building, or if I should just have both buildings under one internet circuit. The 2nd building is a church, so I'm thinking it might be wiser to have two different physical networks, for security.

I've done some research online, but wanted to see what is best practice when creating vlans?  Do I create vlans by department, or by security boundaries, etc...  I'm still trying to figure that out.  Plus, I think it might be best to configure my existing network with all the vlans that I want to create for the new facility, so I don't want to try to completely reconfigure my network during the move, as it would be a nightmare, right?

I have about 90 computers (PCs and Macs), 80 VoIP phones, 28 servers, 13 APs,  15 network printers,  at least 75 or so smartphones/laptops/tablets on the network in any given day.
I currently

Any input would be greatly appreciated
DanNetwork EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

atlas_shudderedSr. Network EngineerCommented:
Generally VLANs are defined by common boundary meaning, hosts sharing common attributes or trust are pooled within a common vlan.  A good example of this is the use of a voice vlan  or a Finance vlan, or the segregation of a particular type or group of apps together inside a common vlan (think web services or email or file servers).  These boundary definitions vary from one organization to another and there really is no best practice of what to lump with what.  There are some general standards and based on what you have posted above, I would build in that direct as follows:

1. Workstations and Printers
2. VoIP phones
3. Servers
4. Wireless (Trusted and BYOD SSIDs)

That said, it isn't a blanket statement either.  You need to review your org and determine if there is a need to divide by team/group/dept.  One other additional "best practice" to take note of, is that we generally segregate to network scopes/broadcast domains below 256 hosts, so that may be useful in your design as well.

Hope that helps
Bryant SchaperCommented:
I agree with atlas on this.  Based on what you provided I would probably break my VLANS down a similar path:

1. Servers
2. Voice
3. Workstations/Printers
4. Access Points
5. Wireless/BYOD (this may be even further broken down depending on what is on the network, ie guest devices and internal devices using wifi.)

As for internet, well four may be better than two, but I don't know what the campus looks like.  You could share the same internet as easy.

Lastly when to implement comes again down to design, is everything DHCP now, then it is just a matter of getting the right vlans in place and ports configured.  If your phones are providing pass through or using a voice vlan then that should be built as well.  The move could be seamless, for the most part but again it just depends on your network.
DanNetwork EngineerAuthor Commented:
Currently, my workstations and my VoIP phones are DHCP.   Everything else is static,  servers, printers, APs, security cameras, door access control system.

With the internet questions, if I only have 1 circuit and use vlans, that won't provide the same security as if it were a different physical network all together, so I think that would be best.
Ensure Business Longevity with As-A-Service

Using the as-a-service approach for your business model allows you to grow your revenue stream with new practice areas, without forcing you to part ways with existing clients just because they don’t fit the mold of your new service offerings.

atlas_shudderedSr. Network EngineerCommented:
The internet and vlan questions are really kind of differentiated from each other.  The big point inside of that is going to be your poison.  Do you want to bridge the two buildings and deal with potential performance problems or do you want to deal with managing two firewalls and potential inter-site challenges.

The short of bridging with regards to vlans is two fold:

1. Do you trust the other facility (not as individuals/groups but network to network/function to function)
2. Are there any legal issues that you could run into given that the second facility is church.
Bryant SchaperCommented:
Having vlans and 1 internet source provides the same security, assuming it is setup correctly.  Some might argue more.  As Altas mentioned, if you got with two internet sources, you have two firewalls.  Fine and dandy, I have about 30 on my network. but that said it is more to manage and opens you up for more mistakes, and at the very minimum a larger attack surface, 2 external IP addresses and not 1.

From a redundancy standpoint, I would prefer to see each site have their own internet and still interconnect the offices.  Are the buildings close, ie fiber between or are we talking leased lines?  That could make a difference too.  But if the are close then your internet connections could serve as failover points if a single provider goes down.  Which brings to mind, that ideally I would recommend different providers for each internet as well.
Raymond ZwartsNetwork EngineerCommented:
Multiple VLANs only make sense if you have some form of security device in between the VLANs. And I always try to keep VLANs local to a site. So you will end up with multiple printer VLANs for example.

Are you the only renter of the church or do other people have access as well ? Might want to think of wired 802.1x

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DanNetwork EngineerAuthor Commented:
Currently, we own both buildings, and we don't have any renters.  I'm sure though, that the church building will be rented out.
I can provide a free guest wifi, but if someone uses any of the LAN ports for their laptops, or other devices, then they are directly on my LAN, and that's scary.  I guess if I have 2 different physical networking, 2 ISP circuits, then my security threat is reduced in that sense.  The service would be from the same ISP, so it wouldn't provide any redundancy.
DanNetwork EngineerAuthor Commented:
Thanks guys for your input
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.