08-09-2013 02:22 AM - edited 03-07-2019 02:50 PM
Hi,
It's the first time I need to design VLANs in a medium network environment with several clients and servers + firewall.
The VLAN need is:
DMZ
DHCP HQ clients + HQ servers + HQ printers
IT department + management interfaces of switches and servers
Logistics department
So far that is clear. I also assigned several IPs to these VLANs:
DMZ 10.0.99.0
DHCP HQ clients + HQ servers + HQ printers 10.1.1.0
IT department + management interfaces of switches and servers 10.1.2.0
Logistics department 10.2.1.0
The problem is I don't know if this design is good, because people in the logistics department need to access servers in the HQ VLAN. So I'm afraid this will cause overhead, because between all these VLANs the firewall is the default gateway. So all the traffic from one VLAN to another VLAN goes through the router. This means when the logistics department wants to connect to our ERP server, they need to go through the firewall. I'm afraid this will cause overhead.
So do I need to take the firewall away and configure a default route on my L3 switch to the firewall? We use Forefront TMG.
I really need some help in this.
08-09-2013 06:56 AM
Your DMZ network should be separate from your 'Internal' network for a start, i.e. it should be on a separate switch off a separate port on the firewall.
Is there a reason your internal VLANs need to have their default gateway on the firewall? Are there access rules in place to prevent one VLAN talking to another? If not, I would simply have a L3 switch doing inter-VLAN routing and have a default route to the firewall so the clients can access the internet. Your DMZ would then be on a separate network, its own switch on its own port on the firewall.
08-09-2013 10:10 AM
The VLAN need is:
DMZ
DHCP HQ clients + HQ servers + HQ printers
IT department + management interfaces of switches and servers
Logistics department
So far that is clear. I also assigned several IPs to these VLANs:
DMZ 10.0.99.0
DHCP HQ clients + HQ servers + HQ printers 10.1.1.0
IT department + management interfaces of switches and servers 10.1.2.0
Logistics department 10.2.1.0
So, like the above poster mentioned, the DMZ should be completely separate and behind the firewall. Same with the servers: it's good to put them behind the firewall as well, and they should not be on the same network as DHCP clients and printers.
I would also separate the management network from the IT department as well.
So something like this:
DMZ 10.0.99.0
DHCP HQ clients 10.1.0.0/24
HQ printers 10.1.1.0/24
HQ servers 10.1.2.0/24
IT department 10.1.3.0/24
Management interfaces of switches and servers 10.1.200.0/24 (or 10.1.4.0/24, your preference)
Logistics department 10.1.4.0/24 or 10.1.5.0/24, whichever is available
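The two replies above describe the same design: an L3 switch routes between the internal VLANs, a default route sends internet-bound traffic to the firewall, and the DMZ sits on its own firewall port. The following Cisco IOS configuration is an added example written for this thread, not a config posted by any participant. It uses the address plan proposed just above; the VLAN IDs, the transit subnet 10.1.254.0/30 between switch and firewall, the DHCP server address 10.1.2.10 and the interface names are assumptions. With this layout, Logistics-to-ERP traffic (10.1.4.0/24 to 10.1.2.0/24) is routed on the switch and never crosses the firewall, which addresses the overhead concern in the original post; the ACLs keep the management VLAN reachable only from the IT VLAN, and they are IP-based, as the original poster already notes.

```cisco
! Added example (not from the thread). Cisco IOS L3 switch: inter-VLAN
! routing on the switch, default route to the firewall.
! Assumptions: VLAN IDs, transit subnet 10.1.254.0/30, DHCP server 10.1.2.10.
! The DMZ (10.0.99.0/24) is deliberately NOT on this switch; it hangs off a
! separate firewall interface, as both replies recommend.
ip routing
!
vlan 10
 name HQ-Clients
vlan 11
 name HQ-Printers
vlan 12
 name HQ-Servers
vlan 13
 name IT-Department
vlan 14
 name Logistics
vlan 200
 name Management
vlan 254
 name Transit-to-Firewall
!
! Applied inbound on every non-IT user VLAN: block access to the management
! VLAN (and log attempts), allow everything else to be routed on the switch.
ip access-list extended USERS-IN
 deny   ip any 10.1.200.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 description HQ clients (DHCP relayed to the server VLAN)
 ip address 10.1.0.1 255.255.255.0
 ip helper-address 10.1.2.10
 ip access-group USERS-IN in
!
interface Vlan11
 description HQ printers
 ip address 10.1.1.1 255.255.255.0
 ip access-group USERS-IN in
!
interface Vlan12
 description HQ servers (ERP lives here)
 ip address 10.1.2.1 255.255.255.0
!
interface Vlan13
 description IT department - only VLAN allowed into Management
 ip address 10.1.3.1 255.255.255.0
!
interface Vlan14
 description Logistics - reaches 10.1.2.0/24 directly via the switch
 ip address 10.1.4.1 255.255.255.0
 ip helper-address 10.1.2.10
 ip access-group USERS-IN in
!
interface Vlan200
 description Management interfaces of switches and servers
 ip address 10.1.200.1 255.255.255.0
!
interface Vlan254
 description Point-to-point link to the firewall's inside interface
 ip address 10.1.254.2 255.255.255.252
!
interface GigabitEthernet1/0/48
 description Uplink to firewall inside port
 switchport mode access
 switchport access vlan 254
!
! Everything not in 10.1.0.0/16 (internet, DMZ) goes to the firewall.
ip route 0.0.0.0 0.0.0.0 10.1.254.1
```

The firewall side is not shown: its inside interface needs a static route for 10.1.0.0/16 pointing back at 10.1.254.2, and only traffic that actually crosses it (internet and DMZ flows) is subject to its rules. Inter-VLAN filtering on the switch stays IP-based; any user- or AD-aware policy on the firewall applies only to the flows that reach it.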
08-10-2013 01:16 AM
Thanks for these clear answers. The reason I set my servers in the same VLANs as the clients is because I thought if I separate them it would generate too much traffic. I set my firewall between all this because I want to filter traffic from one VLAN to another. I know this can be done with ACLs, but that is only IP and not username. Because when an admin logs in on a client he can't access the management interfaces. But I can think about this.
But if my switch has a default route to the firewall, is there still a possibility I can filter my traffic to the outside on AD usernames?
08-10-2013 02:27 AM
Dear Friend,
As far as the design is concerned, it seems fine, as the firewall must work as a filter for inter-VLAN (inter-department) transfer of packets. The DMZ is on a separate VLAN from the internal network.
Management interface separation is also a good suggestion, but I do not feel it is an extreme requirement, as it is already with the people in IT.
As far as the overhead is concerned, that totally depends on the firewall capability. For a better understanding, please share your bandwidth requirement for certain VLANs.
08-11-2013 11:28 PM
Our firewall is: https://www.paloaltonetworks.com/products/platforms/firewalls/pa-500/overview.html
We have an ERP system (Microsoft Dynamics NAV 2013) and in our company everybody works on it. Is it smart to put this in a separate VLAN?
This is something very important: set the servers on a different VLAN or not? Firewall in between or at the end?
I also have a server that needs to be reachable from the DMZ and internally. What is the best configuration for this?
08-13-2013 05:49 AM
Can someone help me out?