Dan (asker):
Network segmentation

I need to VLAN my network and would like some advice on what would be best.

I am currently using a 192.168.100.1/22 network across all my switches.
I do have another network for my cameras and door access, but for my primary LAN, everything is on VLAN 1, which is not good.

So I have a building with 3 floors, about 75 ft x 120 ft per floor. There's a total of about 80 computers, 80 SIP phones, 35 servers, 30 printers, and I already segmented my wifi into its own network, so that one is done.

I was debating between creating the VLANs per floor, per category (PCs, servers, SIP phones, etc.), or by department.

What would be the best method? It would be easiest to just VLAN by floor, servers and wifi and be done, but I'm not sure if that's the best.

Any recommendations?
Bembi:

Hello,
The segmentation is usually driven either by visibility or by bandwidth. Or both.

VLANs are (by default) not visible to each other. They have to be routed. This can be a reason to physically divide a network into several segments, to be able to control who can communicate with whom. So a segmentation by floor doesn't really make sense to me. It just makes the construction more complicated.
A segmentation for security reasons can make more sense if you do not want everyone in one part to see everything in the other part. The router between the segments decides what traffic is allowed and what is not.

A more common reason for segmentation is bandwidth, or rather service related. With QoS you can, for example, reserve bandwidth for voice communications while data traffic has its own settings. This way you can use one VLAN only for voice communication with a dedicated bandwidth, while data traffic uses its own VLAN and cannot disturb the voice communication.

You can also use QoS inside a single VLAN, but separation is a common way for such services.

Another reason for segmentation is service availability. So if you do not want one group to use the services of another group, you can separate the networks and block such traffic between the VLANs. A common example is DHCP, as it is not quite so easy to control. But other services may also be a reason.

So, the major question is what your reasons are to build several VLANs. As you need routers between them, VLANs may produce more effort than having everything inside one network. Also, as routers are involved in the traffic, you produce overhead via the routers.
The reasons you have are the major factor in deciding how the segmentation is organized.
ASKER CERTIFIED SOLUTION
kevinhsieh
Dan (asker):
Thanks for the input so far.
I am using a Cisco 3850 as my core switch, L3, doing static routing only. I am not using any routing protocols.
I currently have a Sophos firewall, but am replacing it with a PA firewall in the coming weeks or so.

I plan to just continue using the Cisco 3850, my core switch, in place, as the main reason for segmenting the network is to reduce my broadcast traffic. It's not really for security reasons, as most or all computers will need to access my servers and printers, and also my LAN wifi. My SIP phones need to access my PBX server, which is a VM.
I do have a problem where some computers and phones are using the same network port, so I'm not exactly sure what I'm going to do there, as I know that 1 port can only be on 1 VLAN, so I think I need to enable the voice VLAN or something. I need to do more research on this.

So basically, I have hundreds of devices on a /22 network and I just have way too much broadcast traffic.
I even had a really weird network issue where my Yealink SIP phones were causing random computers on the network to drop internet traffic for about 30 seconds randomly throughout the day. It was so frustrating until I figured out the problem. As soon as I removed the conference phone from production, my issue went away.

So far, perhaps it looks like the best way to segment is by device type. If anyone else wants to provide any more input, it would be greatly appreciated.

You just need to add a voice VLAN to your switch interface and the phone will go on the voice VLAN, and the other devices will go on the access VLAN for that port. It is 1 line of configuration per switch port interface.
You are getting a Palo Alto, so why not start segmenting for improved security and logging? Even if you have a rule to permit traffic from the PC segment to the server segment, the visibility from the traffic logs and the ability to stop threat traffic (assuming you have the threat license) is an important improvement in security. For example, Palo Alto just released a detection signature for the PrintNightmare exploit. The firewall will block it, even if you haven't patched. The firewall can only block it if it sees it.
Your printers don't need Internet access, so don't give it to them.
Dan (asker):
Kevinhsieh, here's a high level diagram of my network. The internal network after the core switch is a lot bigger; I just drew 2 switches for context. So I will have my firewalls in an Active/Passive configuration, and my core switch does the "routing". The only traffic that will go to the firewall is internet traffic or any other traffic the core switch does not have configured. So I'm not sure how to configure the network as you suggested, with the firewall routing the traffic instead of my core switch. Isn't it best practice to have a core switch doing the routing, instead of the firewall?

[Diagram: user-uploaded network image]

You might want to enable dynamic routing between the firewall and the switch.

As an aside, you should plan your firewall to use aggregate interfaces, even if you use only 1 link between the firewall and the switch. It makes it easier to upgrade to a different Palo Alto in the future. I just replaced my Palo Alto 2 weeks ago, and having everything on aggregate interface made it a breeze when my physical interfaces went from 23 and 24 to 19 and 20.

Moving your VLAN 20 to the firewall is easy. Create an L3 subinterface on the firewall. Assign it the IP address that you use for the gateway. Also configure DHCP or DHCP relay. Remove the IP address from interface Vlan20 on your switch, or delete the L3 VLAN completely. You need to be using a tagged trunk connection between the Cisco switch and the firewall.

Best performance would be to have the switch doing the routing, since that is wire speed. Best security is to have the firewall do routing. SIP phones and printers don't take much bandwidth, so the security/performance tradeoff leans heavily toward putting it on the firewall. I probably wouldn't put storage or backup traffic through the firewall, unless you have very beefy firewalls. I know of companies that run NFS traffic between their VM hosts and NAS filers through their firewalls, so it can be done.
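As an added illustration (not from any participant in this thread), here is the switch side of both suggestions above: the one-line voice VLAN on a shared PC/phone port, and the tagged, aggregated trunk toward the Palo Alto after VLAN 20's gateway has moved there. VLAN numbers, port names and the Port-channel/LACP setup are assumptions for a Catalyst 3850; the firewall's L3 subinterface and DHCP relay are configured in PAN-OS and are not shown.

```cisco
! Added example, not from the thread. Assumed VLAN plan:
!   10 = PCs, 20 = SIP phones (voice), 30 = printers
vlan 10
 name PCS
vlan 20
 name VOICE
vlan 30
 name PRINTERS
!
! LLDP-MED (or CDP) is how the phone learns its voice VLAN tag.
lldp run
!
! One desk port carrying the PC (untagged, VLAN 10) and the phone (tagged, VLAN 20).
interface GigabitEthernet1/0/5
 description Desk port: PC + SIP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! Aggregate uplink to the firewall (assumes LACP on the firewall's ae interface).
! Member ports carry the same trunk settings as the bundle.
interface range GigabitEthernet1/1/1 - 2
 description Members of Po1 toward PA firewall
 switchport mode trunk
 switchport trunk allowed vlan 20,30
 channel-group 1 mode active
!
interface Port-channel1
 description Tagged trunk to PA firewall
 switchport mode trunk
 switchport trunk allowed vlan 20,30
!
! VLAN 20 is now routed by the firewall: delete the SVI so the switch
! stops answering as gateway. Hosts keep the same gateway IP, which now
! belongs to the firewall's subinterface (with DHCP relay configured there).
no interface Vlan20
```

Only VLANs whose gateway lives on the firewall are allowed on the trunk, so server or storage VLANs that stay routed on the 3850 at wire speed never cross the firewall link.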
Dan (asker):
Thanks, a lot to chew on. When you say aggregate interfaces, is that like EtherChannel on a switch?
So basically have two connections from the firewall to the switch, just like I do for all my switches. For 95% of my switches I do have EtherChannel, so I have 2 connections from each switch stack back to the core. You're suggesting I do the same with the firewall as well?


Yes, even if you only have 1 physical interface to the switch. The reason is that it provides abstraction between the physical interface and the L3 interfaces. I have over 100 L3 subinterfaces on my firewall. Major hassle if I needed to redo them. I am also at the scale where I have redundant physical switches, so I needed aggregate Ethernet so I can connect to both switches at once.
If you are using 1G Ethernet to the firewall, and the firewall is capable of 3 Gbps of throughput, then using multiple 1G links lets you get more total throughput.
Dan (asker):
Yes, I probably should check all my printers. The hard part comes in with all the computers.
I don't have time to go to each computer and turn off each protocol. I guess long term, that would be good to do.
Dan (asker):
We got the PA-460, so I don't think it can do more than 2 Gbps of firewall throughput. I would have to check the specs, but it would provide redundancy. That's the reason we bought 2, and we will be using them in an active/passive environment; if one fails, the other will instantly take over.

The computers are mainly not the problem; they use the NIC, meaning Ethernet.
The problem is usually devices which are connected to computers.
Mostly printers, but possibly also other UPnP devices.
Just start with the printers and see what is left over.
I have only two devices in my network (two doorbells) which are not capable of switching all the protocols off.

Your firewall can do up to 5.2 Gbps of firewall throughput, and 2.6 Gbps of threat prevention throughput. 
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/pa-400-series

You should connect at least 4 interfaces from each firewall to your main switch(es).

Put the printers on their own VLAN, and then there's less concern about all of the protocols they're running.

Workstations will likely only run TCP/IP, but you can turn off services with group policy.

I'm more a friend of switching off things which I don't use, rather than constructing something to isolate something that doesn't necessarily need to be isolated and that makes things more complicated than they have to be.
It doesn't matter in which VLAN all the protocols are talking together; they just produce senseless traffic.
To isolate them just means the firewall between the VLANs blocks the traffic. But it still exists.
But possibly that's my personal opinion.
Dan (asker):

All opinions are welcome. It gives me more to think about.