cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
210
Views
5
Helpful
3
Replies
johnny_5
Beginner

VLAN setup for multilpe locations across MPLS

I'm looking at re-segmenting our network and looking for some advice. Basically our network consists of 25 locations that(each with their own file server,DVR,PBX box,Cisco router and 48POE switch).

Our main CORP location houses 95% of the servers and applications that each branch communicate with across MPLS. We are considering setting up a VLAN for user facing servers, VLAN for security department, VLAN for financial information etc. Each location would have its own user VLAN that would allow them to communicate back to the user facing server VLAN. Users and servers are segmented, although our security department has concerns if someone was to run a scan on the user network that would return all of the servers. Is there a better way of segmenting here?

We don't want the case of writing and managing 100's of line of ACL's either...has anybody re-designed or had any experience here?

3 REPLIES 3
mattjones03
Beginner

Hi John,

To bring comfort to your security team and better aid security, it may be more appropriate to place a firewall at your corporate site. The VLANs that you intend to create, would sit behind the firewall.

This can assist with some compliance needs, such as PCI etc.

Additionally, depending on the firewall technologies used etc, you could add more granularity by integrating with Active Directory for per user level control (remote site roaming etc).

Thank you for the recommendation...I should have added that we have the necessary firewall setup already.

As an example we wanted to create 2 VLANs...one for the users and one for the majority of the servers at CORP. Security has concerns about putting everything together and are insisting that we use port based ACLs which will take a lot of time to configure(talk to all the vendors). The reason for putting all the servers together is because there are so many different applications running we would end up with 100's of VLANs if we segmented on that principle alone. Again we will have to implement and manage on the ACL's from scratch.

Are we stuck with having to implement multiple VLANs based on applications? Can AD isolate on a per user basis access to certain servers if on same VLAN?

OK,

That would be somewhat complex to administer as you mention.

I wonder if you could use private VLANs etc

If the traffic was within the same VLAN/Subnet then, no the AD function would not help as traffic would most likely be switched.