Network Design

Dan used Ask the Experts™
I'm currently using a /22 address space, 192.168.100.x, with a flat network, everything in one VLAN. I know that's not good, so I want to change it. We will be moving to a new facility in about 6 months, a bigger building with 3 floors; currently we have 1 floor. There will be different buildings, so I'm debating about having two separate internet circuits, one for each building, or if I should just have both buildings under one internet circuit. The 2nd building is a church, so I'm thinking it might be wiser to have two different physical networks, for security.

I've done some research online, but wanted to see what is best practice when creating VLANs. Do I create VLANs by department, or by security boundaries, etc.? I'm still trying to figure that out. Plus, I think it might be best to configure my existing network with all the VLANs that I want to create for the new facility, so I don't have to try to completely reconfigure my network during the move, as it would be a nightmare, right?

I have about 90 computers (PCs and Macs), 80 VoIP phones, 28 servers, 13 APs, 15 network printers, and at least 75 or so smartphones/laptops/tablets on the network on any given day.
I currently

Any input would be greatly appreciated.
atlas_shuddered, Sr. Network Engineer

Generally VLANs are defined by a common boundary, meaning hosts sharing common attributes or trust are pooled within a common VLAN. A good example of this is the use of a voice VLAN or a Finance VLAN, or the segregation of a particular type or group of apps together inside a common VLAN (think web services or email or file servers). These boundary definitions vary from one organization to another and there really is no best practice of what to lump with what. There are some general standards, and based on what you have posted above, I would build in that direction as follows:

1. Workstations and Printers
2. VoIP phones
3. Servers
4. Wireless (Trusted and BYOD SSIDs)

That said, it isn't a blanket statement either. You need to review your org and determine if there is a need to divide by team/group/dept. One other additional "best practice" to take note of is that we generally segregate into network scopes/broadcast domains below 256 hosts, so that may be useful in your design as well.

Hope that helps.
I agree with atlas on this. Based on what you provided, I would probably break my VLANs down along a similar path:

1. Servers
2. Voice
3. Workstations/Printers
4. Access Points
5. Wireless/BYOD (this may be even further broken down depending on what is on the network, ie guest devices and internal devices using wifi.)

As for internet, well, four may be better than two, but I don't know what the campus looks like. You could share the same internet just as easily.

Lastly, when to implement again comes down to design: if everything is DHCP now, then it is just a matter of getting the right VLANs in place and ports configured. If your phones are providing pass-through or using a voice VLAN, then that should be built as well. The move could be seamless, for the most part, but again it just depends on your network.
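To put the two VLAN breakdowns above into numbers, here is an added example (not code from either reply) that carves the question's 192.168.100.0/22 into one subnet per VLAN while keeping every broadcast domain under 256 hosts, as atlas suggests. The device counts come from the question; the 2x growth headroom, the VLAN IDs and the grouping are assumptions.

```python
import ipaddress
import math

# Device counts from the question; the grouping follows the replies above.
# The 2x growth headroom and the VLAN IDs are assumptions for this example.
VLAN_PLAN = [
    ("Workstations and Printers", 90 + 15),
    ("VoIP phones", 80),
    ("Servers", 28),
    ("Access Points", 13),
    ("Wireless/BYOD", 75),
]
MAX_HOSTS = 254   # keep every broadcast domain below 256 hosts
GROWTH = 2.0      # plan each VLAN for twice today's device count

def prefix_for(hosts):
    """Longest prefix whose usable host count (2^bits - 2) covers `hosts`."""
    bits = max(2, math.ceil(math.log2(hosts + 2)))  # +2 for network/broadcast
    return 32 - bits

def _carve(free, plen):
    """Take one /plen out of the smallest free block that can hold it."""
    fits = [b for b in free if b.prefixlen <= plen]
    if not fits:
        raise ValueError(f"no room left for a /{plen}")
    block = max(fits, key=lambda b: b.prefixlen)  # smallest suitable block
    free.remove(block)
    taken = next(block.subnets(new_prefix=plen))
    free.extend(block.address_exclude(taken))     # keep the remainder free
    return taken

def plan_vlans(supernet, vlans=VLAN_PLAN, growth=GROWTH, max_hosts=MAX_HOSTS):
    """Map each VLAN to a subnet of `supernet`, largest subnets first to avoid
    alignment waste. Returns {name: (vlan_id, cidr, planned_hosts)}."""
    free = [ipaddress.ip_network(supernet)]
    sized = []
    for vid, (name, count) in enumerate(vlans, start=1):
        planned = math.ceil(count * growth)
        if planned > max_hosts:
            raise ValueError(f"{name}: {planned} hosts > {max_hosts}, split this VLAN")
        sized.append((prefix_for(planned), vid * 10, name, planned))
    plan = {}
    for plen, vid, name, planned in sorted(sized):
        plan[name] = (vid, str(_carve(free, plen)), planned)
    return plan

if __name__ == "__main__":
    for name, (vid, cidr, hosts) in plan_vlans("192.168.100.0/22").items():
        print(f"VLAN {vid:3d} {name:26s} {cidr:20s} planned for {hosts} hosts")
```

With these counts the three large groups each get a /24, the servers a /26 and the APs a /27, all inside the existing /22; raising a count past 254 makes the planner refuse rather than silently build an oversized broadcast domain.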
Dan, Network Engineer

Currently, my workstations and my VoIP phones are DHCP. Everything else is static: servers, printers, APs, security cameras, door access control system.

With the internet question, if I only have 1 circuit and use VLANs, that won't provide the same security as if it were a different physical network altogether, so I think that would be best.

atlas_shuddered, Sr. Network Engineer
The internet and VLAN questions are really kind of differentiated from each other. The big point inside of that is going to be your poison. Do you want to bridge the two buildings and deal with potential performance problems, or do you want to deal with managing two firewalls and potential inter-site challenges?

The short of bridging with regard to VLANs is twofold:

1. Do you trust the other facility (not as individuals/groups but network to network/function to function)?
2. Are there any legal issues that you could run into given that the second facility is a church?
Having VLANs and 1 internet source provides the same security, assuming it is set up correctly. Some might argue more. As Atlas mentioned, if you go with two internet sources, you have two firewalls. Fine and dandy; I have about 30 on my network, but that said it is more to manage and opens you up to more mistakes, and at the very minimum a larger attack surface: 2 external IP addresses and not 1.

From a redundancy standpoint, I would prefer to see each site have its own internet and still interconnect the offices. Are the buildings close, i.e. fiber between them, or are we talking leased lines? That could make a difference too. But if they are close, then your internet connections could serve as failover points if a single provider goes down. Which brings to mind that, ideally, I would recommend different providers for each internet connection as well.
Network Engineer
Multiple VLANs only make sense if you have some form of security device in between the VLANs. And I always try to keep VLANs local to a site, so you will end up with multiple printer VLANs, for example.

Are you the only renter of the church, or do other people have access as well? Might want to think of wired 802.1X.
Dan, Network Engineer

Currently, we own both buildings, and we don't have any renters. I'm sure, though, that the church building will be rented out.
I can provide free guest wifi, but if someone uses any of the LAN ports for their laptops or other devices, then they are directly on my LAN, and that's scary. I guess if I have 2 different physical networks, 2 ISP circuits, then my security threat is reduced in that sense. The service would be from the same ISP, so it wouldn't provide any redundancy.
Dan, Network Engineer


Thanks guys for your input.