Dan (United States of America) asked on

Network Design

I'm currently using a /22 address space, 192.168.100.x, with a flat network, everything in one VLAN. I know that's not good, so I want to change it. We will be moving to a new facility in about 6 months, a bigger building with 3 floors; currently we have 1 floor. There will be different buildings, so I'm debating about having two separate internet circuits for each building, or if I should just have both buildings under one internet circuit. The 2nd building is a church, so I'm thinking it might be wiser to have two different physical networks, for security.

I've done some research online, but wanted to see what is best practice when creating VLANs. Do I create VLANs by department, or by security boundaries, etc.? I'm still trying to figure that out. Plus, I think it might be best to configure my existing network with all the VLANs that I want to create for the new facility, so I don't want to try to completely reconfigure my network during the move, as it would be a nightmare, right?

I have about 90 computers (PCs and Macs), 80 VoIP phones, 28 servers, 13 APs, 15 network printers, and at least 75 or so smartphones/laptops/tablets on the network on any given day.
I currently

Any input would be greatly appreciated
Networking, Network Management, Security, Network Architecture


8/22/2022 - Mon
atlas_shuddered

Generally VLANs are defined by a common boundary, meaning hosts sharing common attributes or trust are pooled within a common VLAN. A good example of this is the use of a voice VLAN or a Finance VLAN, or the segregation of a particular type or group of apps together inside a common VLAN (think web services or email or file servers). These boundary definitions vary from one organization to another and there really is no best practice of what to lump with what. There are some general standards, and based on what you have posted above, I would build in that direction as follows:

1. Workstations and Printers
2. VoIP phones
3. Servers
4. Wireless (Trusted and BYOD SSIDs)

That said, it isn't a blanket statement either. You need to review your org and determine if there is a need to divide by team/group/dept. One other additional "best practice" to take note of is that we generally segregate to network scopes/broadcast domains below 256 hosts, so that may be useful in your design as well.

Hope that helps
Bryant Schaper

I agree with atlas on this. Based on what you provided I would probably break my VLANs down a similar path:

1. Servers
2. Voice
3. Workstations/Printers
4. Access Points
5. Wireless/BYOD (this may be even further broken down depending on what is on the network, i.e. guest devices and internal devices using wifi.)

As for internet, well, four may be better than two, but I don't know what the campus looks like. You could share the same internet just as easily.

Lastly, when to implement comes down to design again: if everything is DHCP now, then it is just a matter of getting the right VLANs in place and ports configured. If your phones are providing pass-through or using a voice VLAN then that should be built as well. The move could be seamless, for the most part, but again it just depends on your network.
Dan

ASKER
Currently, my workstations and my VoIP phones are DHCP. Everything else is static: servers, printers, APs, security cameras, door access control system.

With the internet question, if I only have 1 circuit and use VLANs, that won't provide the same security as if it were a different physical network altogether, so I think that would be best.
SOLUTION
atlas_shuddered
SOLUTION
ASKER CERTIFIED SOLUTION
Dan

ASKER
Currently, we own both buildings, and we don't have any renters.  I'm sure though, that the church building will be rented out.
I can provide free guest wifi, but if someone uses any of the LAN ports for their laptops or other devices, then they are directly on my LAN, and that's scary. I guess if I have 2 different physical networks and 2 ISP circuits, then my security threat is reduced in that sense. The service would be from the same ISP, so it wouldn't provide any redundancy.
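The two replies above size VLANs by trust boundary and keep each broadcast domain under 256 hosts, and Dan's worry is that a stray patch cable puts an untrusted device straight onto the LAN. The following is an added example, not code from the thread or from any of the posters: it takes the device counts from the question, carves one subnet per VLAN out of a supernet, and renders the inter-VLAN trust policy as a default-deny nftables forward chain, which is what turns "a VLAN" into an actual security boundary. The supernet 192.168.96.0/20 (chosen so the existing 192.168.100.0/22 stays inside it), the 2x growth headroom, the guest and management counts, and the allowed-flow matrix are all assumptions.

```python
"""Added example: VLAN address plan plus inter-VLAN policy for the thread above.
Assumptions (not from the thread): supernet 192.168.96.0/20, 2x growth headroom,
guest/mgmt device counts, and the POLICY matrix."""
import ipaddress
import math

# Counts from the question; wifi_guest and mgmt are assumed (cameras and the
# door-access system are mentioned but not counted).
INVENTORY = {
    "servers": 28,
    "voice": 80,
    "workstations": 90 + 15,   # PCs/Macs plus network printers, as both replies suggest
    "access_points": 13,
    "wifi_trusted": 75,        # staff phones/laptops/tablets
    "wifi_guest": 75,          # assumption: guest load similar to staff
    "mgmt": 10,                # assumption: cameras, door controllers, switch management
}

LONGEST_ALLOWED = 24  # no VLAN wider than /24: broadcast domain stays under 256 addresses


def prefix_for(hosts: int, headroom: float = 2.0) -> int:
    """Prefix length of the smallest subnet holding hosts*headroom usable
    addresses plus network, broadcast and gateway.  Refuses anything wider
    than /24; a VLAN that big should be split rather than grown."""
    needed = math.ceil(hosts * headroom) + 3
    prefix = 32 - max(2, math.ceil(math.log2(needed)))
    if prefix < LONGEST_ALLOWED:
        raise ValueError(f"{hosts} hosts would need a /{prefix}; split that VLAN")
    return prefix


def plan(space: str, inventory: dict, headroom: float = 2.0) -> dict:
    """Allocate one subnet per VLAN out of `space`: largest VLANs first,
    best-fit into the remaining free blocks, leftovers returned to the pool."""
    free = [ipaddress.ip_network(space)]
    wanted = sorted((prefix_for(n, headroom), name) for name, n in inventory.items())
    nets = {}
    for prefix, name in wanted:
        free.sort(key=lambda b: b.prefixlen, reverse=True)   # tightest block first
        block = next((b for b in free if b.prefixlen <= prefix), None)
        if block is None:
            raise ValueError(f"{space} cannot hold VLAN {name!r} as a /{prefix}")
        free.remove(block)
        nets[name] = next(block.subnets(new_prefix=prefix))
        free.extend(block.address_exclude(nets[name]))     # hand back the remainder
    return nets


# Inter-VLAN trust policy (assumed): default deny, explicit allow, and no
# guest-to-internal path at all.  Same-VLAN traffic never crosses the firewall.
POLICY = {
    ("workstations", "servers"),
    ("wifi_trusted", "servers"),
    ("voice", "servers"),          # assumes the call manager lives in the server VLAN
    ("workstations", "mgmt"),      # admins reaching cameras / door controllers
    ("mgmt", "servers"),           # camera recorder / door-access database
    ("mgmt", "access_points"),     # AP controller reaching the APs
}


def allowed(src: str, dst: str, policy=POLICY) -> bool:
    return src == dst or (src, dst) in policy


def nft_forward_chain(space: str, nets: dict, policy=POLICY) -> list:
    """Render the policy as an nftables forward chain with policy drop.
    Internal flows not explicitly allowed are dropped (guest included),
    management gear gets no internet, everything else may only go outbound."""
    lines = ["chain forward {",
             "  type filter hook forward priority 0; policy drop;",
             "  ct state established,related accept"]
    for src, dst in sorted(policy):
        lines.append(f"  ip saddr {nets[src]} ip daddr {nets[dst]} accept  # {src} -> {dst}")
    lines += [f"  ip daddr {space} drop  # any other internal flow, guest VLAN included",
              f"  ip saddr {nets['mgmt']} drop  # cameras and door controllers stay off the internet",
              "  accept  # what remains is internet-bound (NAT handled elsewhere)",
              "}"]
    return lines


if __name__ == "__main__":
    nets = plan("192.168.96.0/20", INVENTORY)
    for name, net in sorted(nets.items(), key=lambda kv: kv[1]):
        print(f"{name:16} {net}  ({net.num_addresses} addresses)")
    print("\n".join(nft_forward_chain("192.168.96.0/20", nets)))
```

Run against the current 192.168.100.0/22 the planner refuses: with 2x headroom the seven VLANs need more than 1024 addresses, which is the concrete reason to renumber into a larger private range before the move rather than during it. The rendered chain makes the single-circuit question visible too: with one firewall routing between VLANs, a laptop on a church-building wall port lands in whatever VLAN that port is assigned, and only the explicit `accept` lines decide what it can reach.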
Dan

ASKER
Thanks guys for your input