Asked by Dan:

best way to vlan my network?

I'm working on segmenting my network into different VLANs, and I'm going to create VLANs for network devices, servers, PC/printers, phones, wifi, cameras, etc...

I'm also debating whether I should also further VLAN my departments into different VLANs, or just leave all computers together.  Most of the VLANs will need to talk to each other, like phones will need to talk to the servers VLAN and the computers VLAN as we have a phone softclient that directly communicates with the phones and the server.  I'm trying to weigh between security and convenience.

So I don't want to add too much complexity, but I'm just wanting to get different viewpoints on what would be the best method.  We have about 95 employees, so about 90 computers, 90 phones, 35 servers, UPSs, etc.... In total, I have about 350 or 400 network devices.

I am mostly running Cisco 2960X's, a few 3850's and a few 2960S's.


8/22/2022 - Mon
Seth Simmons

Sounds a bit like my environment but with a few less devices...
What I did was carve out several VLANs - one for clients, one for servers, one for the science lab, one for phones, 2 for wifi (one for users and another for guests).
Then only allow the traffic it needs.  Allow the phone VLAN to only talk to the VoIP server; guest wifi would only have internet access and server access on UDP/53 (for DNS) - (or block it all and have external DNS configured in the DHCP scope); have another one for cameras, UPS, etc.
For that size environment, that should be sufficient; breaking down further by department would be a bit too complex to manage.
Use a least-privilege approach and only allow the networks and ports to talk to each other that need to.

VLANs are great for separating traffic.
So first divide the network into pieces that should not be mixed... due to function (guest / employees, special aspects for technical demands: latency, bandwidth, frame sizes).
Public Internet
DMZ Guests
DMZ Employees
WiFi Guest
WiFi Employees
Security related (cameras etc.)  - might have special requirements like backup power for all equipment, latency, bandwidth
Phone (special requirements w.r.t. latency)
Storage devices (SAN/NAS)  - using Jumbo frames e.g. (= special requirement)

And then use firewalls / routers to separate the traffic, or pass on the traffic.
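The two answers above both come down to the same thing: define the VLANs, then let a router or L3 switch pass only the flows each VLAN needs. As an added illustration (not configuration from either answerer or from the asker's switches), here is a Cisco IOS-style fragment for the phone and guest wifi rules Seth describes, plus the softclient-to-phone path the question mentions. Every VLAN ID, name and address (the 10.x.0.0/24 ranges, the VoIP server 10.100.0.10, the resolver 10.100.0.53, the DHCP server 10.100.0.20) is assumed.

```cisco
! Added example, not from either answer: Cisco IOS-style VLANs and
! stateless SVI ACLs that implement the two allow-lists described above.
! Every VLAN ID, name and address here is assumed/constructed.
vlan 20
 name Phones
vlan 30
 name Computers
vlan 40
 name WifiGuest
vlan 100
 name Servers
!
! Phone VLAN: DHCP relay, DNS, the VoIP server (assumed 10.100.0.10) and
! the PC VLAN that runs the softclient. Everything else is dropped and logged.
ip access-list extended PHONES-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.20.0.0 0.0.0.255 host 10.100.0.53 eq domain
 permit ip 10.20.0.0 0.0.0.255 host 10.100.0.10
 permit ip 10.20.0.0 0.0.0.255 10.30.0.0 0.0.0.255
 deny ip any any log
!
! Guest WiFi: DHCP, DNS to the internal resolver on UDP/53, then the
! internet only. The RFC1918 denies sit before the final permit because
! IOS stops at the first matching entry.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.40.0.0 0.0.0.255 host 10.100.0.53 eq domain
 deny ip 10.40.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.40.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 10.40.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.40.0.0 0.0.0.255 any
!
interface Vlan20
 description Phones
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.100.0.20
 ip access-group PHONES-IN in
!
interface Vlan40
 description Guest WiFi
 ip address 10.40.0.1 255.255.255.0
 ip helper-address 10.100.0.20
 ip access-group GUEST-IN in
```

An inbound SVI ACL only filters what enters the switch from that VLAN; replies come back through the other SVIs, which carry no ACL here, so this one-directional policy needs nothing stateful. A 2960X can route between SVIs like this only with `sdm prefer lanbase-routing` and `ip routing` enabled; the 3850s route natively.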


My list of VLANs is as follows so far:
network  (switches, firewall, etc...)
servers   (all servers)
computers  (all computers)
phones  (all sip phones)
Media  (all media devices)
WifiLAN    (wifi bridged to our LAN)
WifiGuest   (guest wifi)
WifiAPs    (all my APs would be on this vlan)
cameras     (all cameras)
Printers   (all printers)
Misc      (misc vlan for all other devices)

So my director suggested that we have VLANs per department, with the dept. phones, PCs and printers all on the same VLAN, so it can make things easy for management.

Any suggestions if that's a good/bad idea?