Dan asked:
Best way to VLAN my network?

I'm working on segmenting my network into different VLANs, and I'm going to create VLANs for network devices, servers, PCs/printers, phones, wifi, cameras, etc...

I'm also debating whether I should further VLAN my departments into different VLANs, or just leave all computers together. Most of the VLANs will need to talk to each other; for example, phones will need to talk to the servers VLAN and the computers VLAN, as we have a phone softclient that directly communicates with the phones and the server. I'm trying to weigh security against convenience.


So I don't want to add too much complexity, but I'm just wanting to get different viewpoints on what would be the best method. We have about 95 employees, so about 90 computers, 90 phones, 35 servers, UPSs, etc.... In total, I have about 350 or 400 network devices.


I am mostly running Cisco 2960Xs, a few 3850s and a few 2960Ss.

Seth Simmons:

Sounds a bit like my environment, but with a few fewer devices...
What I did was carve out several VLANs: one for clients, one for servers, one for the science lab, one for phones, and two for wifi (one for users and another for guests).
Then only allow the traffic each one needs. Allow the phone VLAN to talk only to the VoIP server; guest wifi would only have internet access and server access on udp/53 (for DNS), or block it all and have external DNS configured in the DHCP scope. Have other VLANs for cameras, UPSs, etc.
For an environment of that size, that should be sufficient; breaking it down further by department would be a bit too complex to manage.
Use a least-privilege approach and only allow the networks and ports to talk to each other that need to.
noci:

VLANs are great for separating traffic.
So first divide the network into pieces that should not be mixed, due to function (guest / employees) or special technical demands (latency, bandwidth, frame sizes).
Like:
Public Internet
DMZ Guests
DMZ Employees
WiFi Guest
WiFi Employees
Security related (cameras etc.) - might have special requirements like backup power for all equipment, latency, bandwidth
Phone (special requirements wrt. latency)
Server
Storage devices (SAN/NAS) - using jumbo frames, e.g. (= special requirement)

And then use firewalls / routers to separate the traffic, or pass it on.
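
To make the advice above concrete, here is an added example configuration that is not from any poster in this thread. It shows the kind of setup Seth describes (one VLAN per function, phones allowed to reach only the VoIP server, guest wifi allowed only DNS on udp/53 plus Internet) with the routing and filtering done on one of the 3850s, as noci's "firewalls / routers to separate the traffic" suggests, and a 2960X desk port that carries the PC and the phone on different VLANs. All VLAN IDs, subnets, the VoIP server 10.0.10.5, the DNS/DHCP server 10.0.10.10, the SIP/RTP ports and the assumption that all internal addressing lives in 10.0.0.0/8 are made up for the example; adjust them to the real environment.

```cisco
! Added example, not from the thread. All VLAN IDs, subnets and server
! addresses are assumptions. Assumes a Catalyst 3850 doing the inter-VLAN routing.
ip routing
!
vlan 10
 name SERVERS
vlan 20
 name PHONES
vlan 30
 name COMPUTERS
vlan 40
 name WIFI-GUEST
!
! One SVI per VLAN. The inbound ACL on an SVI filters what hosts in that VLAN
! may send towards any other VLAN; traffic inside a VLAN is switched and never
! sees the ACL.
interface Vlan10
 description Servers (10.0.10.5 = VoIP server, 10.0.10.10 = DNS/DHCP; assumed)
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description SIP phones
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.10.10
 ip access-group PHONES-IN in
!
interface Vlan30
 description Employee PCs
 ip address 10.0.30.1 255.255.255.0
 ip helper-address 10.0.10.10
!
interface Vlan40
 description Guest wifi
 ip address 10.0.40.1 255.255.255.0
 ip helper-address 10.0.10.10
 ip access-group GUEST-IN in
!
! Phones: DHCP, DNS, then only the VoIP server for SIP signalling and RTP media
! (port numbers assumed; take them from the PBX documentation). Dan's PC
! softclient talks to the phones directly, so the phone VLAN is also allowed to
! answer the PC VLAN; remove that line if no softclient is in use.
ip access-list extended PHONES-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.0.20.0 0.0.0.255 host 10.0.10.10 eq domain
 permit udp 10.0.20.0 0.0.0.255 host 10.0.10.5 eq 5060
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.5 eq 5060
 permit udp 10.0.20.0 0.0.0.255 host 10.0.10.5 range 10000 20000
 permit ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 deny ip any any
!
! Guest wifi: DHCP, DNS on udp/53 to the internal resolver, then Internet only.
! The deny for the internal range must sit before the final permit; it assumes
! every internal subnet is inside 10.0.0.0/8.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.0.40.0 0.0.0.255 host 10.0.10.10 eq domain
 deny ip 10.0.40.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.0.40.0 0.0.0.255 any
!
! Desk port on a 2960X: the PC sits in the computer VLAN and the phone in the
! voice VLAN over the same cable, so where a desk is does not dictate VLAN
! membership.
interface GigabitEthernet1/0/5
 description Desk port: PC behind IP phone
 switchport mode access
 switchport access vlan 30
 switchport voice vlan 20
 spanning-tree portfast
```

Two things to keep in mind when checking this. The ACLs are stateless, so replies from the server VLAN back to phones or guests are allowed only because Vlan10 carries no ACL of its own; the moment a server-side ACL is added, the reverse direction has to be permitted explicitly. And after applying the lists, `show ip access-lists PHONES-IN` and `show ip access-lists GUEST-IN` show per-line hit counts, which is the quickest way to see whether something legitimate (a TFTP or NTP server the phones need, for instance) is landing on the final deny.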

Dan (asker):

My list of VLANs is as follows so far:
network (switches, firewall, etc...)
servers (all servers)
computers (all computers)
phones (all SIP phones)
Media (all media devices)
WifiLAN (wifi bridged to our LAN)
WifiGuest (guest wifi)
WifiAPs (all my APs would be on this VLAN)
cameras (all cameras)
Printers (all printers)
Misc (misc VLAN for all other devices)

So my director suggested that we have VLANs per department, having the department's phones, PCs and printers all on the same VLAN, so it can make things easier to manage.

Any suggestions if that's a good/bad idea?