
Network Design

Last Modified: 2019-03-28
I'm currently using a /22 address space, 192.168.100.x, with a flat network, everything in one vlan. I know that's not good, so I want to change it. We will be moving to a new facility in about 6 months, a bigger building with 3 floors; currently we have 1 floor. There will be different buildings, so I'm debating about having two separate internet circuits, one for each building, or if I should just have both buildings under one internet circuit. The 2nd building is a church, so I'm thinking it might be wiser to have two different physical networks, for security.

I've done some research online, but wanted to see what is best practice when creating vlans? Do I create vlans by department, or by security boundaries, etc...? I'm still trying to figure that out. Plus, I think it might be best to configure my existing network with all the vlans that I want to create for the new facility, so I don't have to try to completely reconfigure my network during the move, as it would be a nightmare, right?

I have about 90 computers (PCs and Macs), 80 VoIP phones, 28 servers, 13 APs, 15 network printers, and at least 75 or so smartphones/laptops/tablets on the network in any given day.
I currently

Any input would be greatly appreciated

atlas_shuddered, Sr. Network Engineer
CERTIFIED EXPERT

Commented:
Generally VLANs are defined by a common boundary, meaning hosts sharing common attributes or trust are pooled within a common vlan. A good example of this is the use of a voice vlan or a Finance vlan, or the segregation of a particular type or group of apps together inside a common vlan (think web services or email or file servers). These boundary definitions vary from one organization to another and there really is no best practice of what to lump with what. There are some general standards, and based on what you have posted above, I would build in that direction as follows:

1. Workstations and Printers
2. VoIP phones
3. Servers
4. Wireless (Trusted and BYOD SSIDs)

That said, it isn't a blanket statement either. You need to review your org and determine if there is a need to divide by team/group/dept. One other additional "best practice" to take note of is that we generally segregate to network scopes/broadcast domains below 256 hosts, so that may be useful in your design as well.

Hope that helps
CERTIFIED EXPERT

Commented:
I agree with atlas on this. Based on what you provided I would probably break my VLANs down a similar path:

1. Servers
2. Voice
3. Workstations/Printers
4. Access Points
5. Wireless/BYOD (this may be even further broken down depending on what is on the network, i.e. guest devices and internal devices using wifi.)

As for internet, well, four may be better than two, but I don't know what the campus looks like. You could share the same internet just as easily.

Lastly, when to implement again comes down to design: is everything DHCP now? Then it is just a matter of getting the right vlans in place and ports configured. If your phones are providing pass-through or using a voice vlan then that should be built as well. The move could be seamless, for the most part, but again it just depends on your network.
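The two answers above both say the same thing in different words: pool hosts by trust boundary, and keep each broadcast domain under 256 hosts. As an added example that is not part of either expert's answer, the script below carves the asker's existing 192.168.100.0/22 block into one subnet per VLAN using the device counts from the question (the grouping follows the lists above; the 2x growth factor for the bigger building is an assumption), refuses any VLAN that would exceed the 256-host rule of thumb, and checks that the resulting subnets do not overlap. It also shows why the current flat /22 fails that rule.

```python
import ipaddress
import math

# Device counts taken from the question: 90 PCs/Macs, 80 VoIP phones,
# 28 servers, 13 APs, 15 printers, ~75 BYOD/mobile devices.
# Grouping follows the two answers above (printers ride with workstations).
HOST_COUNTS = {
    "workstations_printers": 90 + 15,
    "voice": 80,
    "servers": 28,
    "access_points": 13,
    "wireless_byod": 75,
}

GROWTH_FACTOR = 2.0          # assumption: headroom for the larger building
MAX_HOSTS_PER_DOMAIN = 256   # "below 256 hosts" rule of thumb from the answers


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable host count covers `hosts`."""
    needed = hosts + 2                      # network and broadcast addresses
    bits = max(2, math.ceil(math.log2(needed)))
    return 32 - bits


def within_broadcast_rule(block: str) -> bool:
    """True if the network's usable host count is below MAX_HOSTS_PER_DOMAIN."""
    net = ipaddress.ip_network(str(block))
    return (net.num_addresses - 2) < MAX_HOSTS_PER_DOMAIN


def no_overlap(plan: dict) -> bool:
    """True if no two allocated subnets share any address."""
    nets = list(plan.values())
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def plan_vlans(block: str, host_counts: dict, growth: float = GROWTH_FACTOR) -> dict:
    """Carve `block` into one subnet per VLAN, largest VLAN first (best fit).

    Returns {vlan_name: IPv4Network}. Raises ValueError if a VLAN would need
    more than a /24 (violating the broadcast-domain rule) or the block is full.
    """
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, count in sorted(host_counts.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(math.ceil(count * growth))
        if prefix < 24:
            raise ValueError(f"{name}: {count} hosts (x{growth}) exceeds one /24; split it")
        # Best fit: smallest free network that can still hold the request.
        free.sort(key=lambda n: (-n.prefixlen, int(n.network_address)))
        parent = next((n for n in free if n.prefixlen <= prefix), None)
        if parent is None:
            raise ValueError(f"{name}: no room left in {block}")
        free.remove(parent)
        if parent.prefixlen == prefix:
            chosen = parent
        else:
            chosen = next(parent.subnets(new_prefix=prefix))   # lowest aligned subnet
            free.extend(parent.address_exclude(chosen))        # return the remainder
        plan[name] = chosen
    return plan


if __name__ == "__main__":
    # The current flat /22 puts every device in one broadcast domain.
    print("flat /22 within rule:", within_broadcast_rule("192.168.100.0/22"))
    plan = plan_vlans("192.168.100.0/22", HOST_COUNTS)
    for name, net in plan.items():
        print(f"{name:22s} {net!s:20s} usable={net.num_addresses - 2}")
    print("no overlap:", no_overlap(plan))
```

The allocation is largest-first and best-fit, which keeps the carve-up aligned so the leftover space stays usable for the extra VLANs the second answer mentions (guest vs. internal wifi, cameras, door controllers). Change `HOST_COUNTS` or `GROWTH_FACTOR` and rerun to see whether the plan still fits in the /22 before touching any switch.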
Dan, Network Engineer (Author)

Commented:
Currently, my workstations and my VoIP phones are DHCP. Everything else is static: servers, printers, APs, security cameras, door access control system.

With the internet question, if I only have 1 circuit and use vlans, that won't provide the same security as if it were a different physical network altogether, so I think that would be best.
Dan, Network Engineer (Author)

Commented:
Currently, we own both buildings, and we don't have any renters. I'm sure, though, that the church building will be rented out.
I can provide free guest wifi, but if someone uses any of the LAN ports for their laptops, or other devices, then they are directly on my LAN, and that's scary. I guess if I have 2 different physical networks, 2 ISP circuits, then my security threat is reduced in that sense. The service would be from the same ISP, so it wouldn't provide any redundancy.
Dan, Network Engineer (Author)

Commented:
Thanks, guys, for your input.
