Currently we have 180 users in my company head office, and we have three branch offices on VPN.
My current network design for the head office is as follows:
ISP------------------------>Router--------------->Pix firewall---------------------->Internal network (1 vlan)
I want to divide my internal network into multiple VLANs. Please suggest a good guide on how I can make multiple VLANs and terminate them on my PIX firewall.
This is a pretty open question.
First questions would be around what you are trying to achieve (some sort of security or segmentation, for example).
Anyway, here is a pretty simplistic overview.
Let's say you want to introduce 2 new VLANs and subnets - data and voice, for example.
A pretty standard approach here would be to introduce a layer 3 switch into the internal network behind the PIX. (Of course there are other ways too.)
This device could be configured to both segment the network at layer 2 and then provide the layer 3 routing (inter-VLAN routing) between those networks. For a small network, something like a 3750 switch could perform this function.
Very rough example of 3750 style config
! Create the layer 2 vlan's
vlan 101
 name Data
vlan 102
 name Voice
! Enable IP routing
ip routing
! Create the layer 3 vlan SVI's / interfaces
! (each SVI needs a usable host address, not the .0 network address, or IOS rejects it)
interface vlan 101
 description *** Data VLAN 101 ***
 ip address 10.1.101.1 255.255.255.0
interface vlan 102
 description *** Voice VLAN 102 ***
 ip address 10.1.102.1 255.255.255.0
! Create default route to pix (pix inside interface sits on the data vlan here)
ip route 0.0.0.0 0.0.0.0 10.1.101.254
! Assign switch ports to be in the various vlans
! (port names below are placeholders; use your own port numbering)
interface FastEthernet1/0/1
 description *** PC on data vlan ***
 switchport mode access
 switchport access vlan 101
interface FastEthernet1/0/2
 description *** Phone on voice vlan ***
 switchport mode access
 switchport access vlan 102
interface FastEthernet1/0/3
 description *** PC and Phone - using say a Cisco phone that supports 802.1q ***
 switchport mode access
 switchport access vlan 101
 switchport voice vlan 102
Your VPN tunnels may also need to be updated to ensure that the remote sites will encrypt traffic to all of the new subnets on your internal network, i.e. typically updating the ACLs; a summary of 10.1.0.0/16 could cover everything behind the PIX. You may need to update the route on the PIX as well.
By no means definitive, but maybe it gives you a basic idea.
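As an added example (not from the original thread or from any Cisco documentation), here is a small Python checker for the kind of address plan described above. It parses the SVI and default-route lines of a 3750-style config, rejects an SVI that carries the network or broadcast address instead of a host address, flags overlapping subnets, confirms the default next hop (the PIX inside address) actually lives on one of the SVI subnets, and confirms that every internal subnet falls inside the crypto ACL summary used for the remote-site tunnels. The sample config and crypto ACL entries are constructed for the example; the first SVI deliberately uses a .0 address so the check has something to find.

```python
"""Sanity checks for a VLAN/SVI address plan before it is wired to the PIX.

Added example, not code from the original thread. Constructed sample input
is embedded below so the script runs offline.
"""
import ipaddress
import re

# Constructed sample config: vlan 101 uses the network address on purpose
# (IOS would reject it with "Bad mask /24 for address 10.1.101.0").
SAMPLE_CONFIG = """
interface vlan 101
 description *** Data VLAN 101 ***
 ip address 10.1.101.0 255.255.255.0
interface vlan 102
 description *** Voice VLAN 102 ***
 ip address 10.1.102.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.101.254
"""

# Constructed crypto ACL "interesting traffic" entries: (local, remote).
SAMPLE_CRYPTO_ACL = [("10.1.0.0/16", "10.2.0.0/24")]

IFACE_RE = re.compile(r"^interface\s+vlan\s*(\d+)", re.I)
ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")
ROUTE_RE = re.compile(r"^ip route\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)")


def parse_config(text):
    """Return ({vlan_id: 'addr/mask'}, default_next_hop or None)."""
    svis, current, next_hop = {}, None, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = int(m.group(1))
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            svis[current] = f"{m.group(1)}/{m.group(2)}"
            continue
        m = ROUTE_RE.match(line)
        if m:
            next_hop = m.group(1)
    return svis, next_hop


def check_plan(svis, next_hop, crypto_acl):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    for vlan, cidr in svis.items():
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        # The SVI must hold a host address inside its own subnet.
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"vlan {vlan}: {iface.ip} is not a usable host address in {net}")
        # Two SVIs on overlapping subnets cannot both be routed correctly.
        for other, onet in nets.items():
            if net.overlaps(onet):
                problems.append(f"vlan {vlan}: {net} overlaps vlan {other} ({onet})")
        nets[vlan] = net
    # The default route must point at a firewall address the switch can reach.
    if next_hop is None:
        problems.append("no default route towards the firewall")
    else:
        gw = ipaddress.ip_address(next_hop)
        if not any(gw in n for n in nets.values()):
            problems.append(f"default next hop {gw} is not on any SVI subnet")
    # Every internal subnet must be matched by the VPN interesting-traffic ACL,
    # otherwise the remote sites send that traffic in the clear or drop it.
    local_nets = [ipaddress.ip_network(local) for local, _ in crypto_acl]
    for vlan, net in nets.items():
        if not any(net.subnet_of(local) for local in local_nets):
            problems.append(f"vlan {vlan}: {net} is not covered by the VPN crypto ACL")
    return problems


if __name__ == "__main__":
    svis, gw = parse_config(SAMPLE_CONFIG)
    for problem in check_plan(svis, gw, SAMPLE_CRYPTO_ACL):
        print("PROBLEM:", problem)
```

Run as-is it reports the bad 10.1.101.0 SVI address and nothing else, because the 10.1.0.0/16 summary covers both subnets and the next hop 10.1.101.254 is on the data VLAN. Narrow the crypto ACL to a single /24 and the voice subnet shows up as uncovered, which is exactly the tunnel gap the post warns about.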
So if you are trying to design a new network and you're trying to create some VLANs, I would look at it as a tiered approach. In a tiered approach your Tier 1 are your public-facing zones, Tier 2 are your application servers, Tier 3 are your database servers, and Tier 4 would be your back-end user systems.
If you want to create a DMZ on your firewall, you can create a layer 2 VLAN only on your switch and assign your firewall's DMZ interface to the switch on this new layer 2 VLAN (let's say VLAN 100, for example). Now any device you want in this DMZ, assign it to VLAN 100, and these devices are now routed through the firewall. The layer 2 VLAN keeps them all in the same network, but the routing exists on the firewall. Now you can create a management VLAN that will be used for your inside interface on the firewall (let's say VLAN 999) as well as all your other networking devices.
Your Tier 2 devices you can number in any manner, but using something in the 200s would signify these are Tier 2 zones. You can use these for your application servers, jump servers, SNMP management servers, etc. Follow this pattern for each of your zones.
As for the WAN network, it was stated above, and I second it, that your VPN solution would probably be better if you used a DMVPN design on your WAN. This would scale better, provide good security, and allow for better management and implementation of your new remote offices.
I am not sure of any single document that I could reference to put all this in place. Most of designing a network comes from a compilation of different documents, corporate policies, architecture standards, and life lessons. If you want a few documents though here are the ones I would recommend:
VLAN Security Best Practices
Please don't forget to rate any helpful post.
There are no great limits to growth because there are no limits of human intelligence, imagination, and wonder.
- Ronald Reagan
Just to add to the nice post from Mr Tim:
It is recommended (but not a must) to have the router facing the Internet/WAN for many reasons, such as better QoS capabilities and support for routing if required (with GRE, for example); also, in the future you could consider DMVPN to simplify the VPN for remote sites, which makes it more scalable.
From the LAN side, if you want to have firewalling between the VLANs, then you can have an L2 switch with the desired VLANs and configure the firewall to do the inter-VLAN routing and firewall the traffic between these VLANs.
If no firewalling between the VLANs is needed, then just use the approach suggested by Tim above.
Tim, good to see you in CSC.