Network Design and ACL

silentsigma · ‎09-18-2017

hey guys,

So I'm task with designing the schema for a new building with multiple floors (6 floors) 400 - 1000 users. I was wondering how is everyone segmenting/designing their vlan/subnet. Do you guys do it by wiring closet/floor or by department from a security and networking aspect?

the topology is access switches with layer 2 uplinks to two core nexus 9k switches.

example
wiring closet/Floor

IDF/Floor 1 Data = 10.0.1.0/24
IDF/Floor 1 Voice = 10.0.65./24

IDF/Floor 2 Data = 10.0.2.0/24
IDF/Floor 2 Voice = 10.0.66.0/24

IDF/Floor 3 Data = 10.0.3.0/24
IDF/Floor 3 Voice = 10.0.67.0/24
etc.

Wireless = 10.0.128.0/23
Guest Wireless = 10.0.130.0/23

Example of Department

IT data = 10.0.1.0/24
HR data = 10.0.2.0/24
Finance data = 10.0.3.0/24
etc.

Voice = 10.0.64.0/23

Wireless = 10.0.128.0/23
Guest Wireless = 10.0.130.0/23

Also, Do you guys ACL on the vlan/subnet interface? My security guy wants to do it by department and ACL everything they needs access to. This seem to be a very manual way of doing it and has lots of overhead.

example
IT data has access to everything
HR data has access to HR servers and internet.
etc.

All network design I have read did it by wiring closet/floor where multiple departments uses the same vlan/subnet. But, with this way, there isn't a good way to ACL that vlan/subnet.

Thanks in advance

chrihussey · ‎09-19-2017

Doing it by department has its distinct advantages especially if there is the requirement to control access as you have explained. However, that is much easier said than done as there is the simple logistical problem that nobody really pays attention to.

Unless there are provisions made to cable the drops to the closet in a clear and concise way to identify and separate the them based on suites / departments it could be difficult to manage the switch and assign ports to the appropriate VLANs. It gets even more difficult as things change, personnel gets moved or departments expand. Aside from the switch management, the cable management in the closet usually suffers and it quickly degrades into a cabling mess. I've never done it, but if doing it based on department you may want to look into dynamic VLAN membership. More work up front, but may keep the IT closet cleaner and orderly:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/vmps.html

Finally, assigning subnets by floor is by far the easiest to work with as long as it works with your security needs.

Hope this is of some help.

silentsigma · ‎09-19-2017

Yeah, it doesn't seem like there is one answer. I kind of just want to know what everyone else network is segment by. The security guy want it by deparment because it is more secure, and he doesn't know how much easier/scalable/managable the other way is.

chrihussey · ‎09-20-2017

Just thinking about this. Might be a middle ground in that you assign networks by floor and the departments that need the security measures get their own networks. Sort of a combination of the two.

Hope things work out for you.

Packet Herder7 · ‎10-03-2017

There really is no "easy" answer except "best practice" based on what your company's needs might be.

Having said that, I would encourage VLANs by department/device/function since it is much easier to address when/of the department grows or moves.

I do not know whether you are Layer 3 or Layer 2 to the closets, nor do I know what your Core switches are.

Other things to consider...placing printers in their own VLANs. Placing any IoT devices on their own VLANs. And yes, ACLs on VLANs obviously if you are Layer 2 to the closets. Determine what needs to talk to what, on what ports, etc. Can be tedious at the beginning but remember to document everything. Then/if a department moves you can adjust.

Would recommend hanging out of at reddit networking section as well. Helpful (and fast) answers there as well.

qtang · ‎10-04-2017

ok cool thanks. I'll try out redditt to get some more input