08-08-2011 07:56 AM - edited 03-07-2019 01:35 AM
Hello guys,
I have a network design question about my network.
My network has grown bigger in recent years and I am now thinking of segmenting it department-wise, i.e. HR, Sales, Accounting, IT, Servers, Printers, etc.
No computers from one department should be able to access another department's computers, except for the Servers VLAN and Printers VLAN. The IT VLAN should be able to access all VLANs, but no VLAN should be able to access PCs in the IT VLAN.
We have one DHCP server on Windows Server 2008 and it should be able to give leases to all the PCs in the company. We have two DNS servers/DCs at the same site and they should be able to talk to all the PCs in the company (LDAP and DNS traffic).
Looking at this, what should be my best option? VLANs, or PVLANs?
A couple of questions I have here:
I am more confused about how this PVLAN information will get replicated to the other switches on my network. I have about 8 switches scattered at different locations in the same building.
If you look at the attached picture I have two switches; SW1 is a layer 3 switch.
I want all the segments in the picture to be able to talk to the servers and printers segments. I want the Eng segment, which is spread across both switches, to be able to talk among its members. I also want to create a separate segment for wireless networking, so that visitors accessing this segment do not interfere with the other members on the network, and possibly to restrict virus spread from visitors' laptops. All the members should be able to get to the internet through the router.
I know this is a kind of common config for SMBs; many of you will have done it, so I am looking for your tips.
Please help,
Thanks a lot
08-08-2011 08:03 AM
PVLANs are not shared between switches, so you would have to create the policy on each switch. With only two switches that is not that big of a deal. I like PVLANs and they have their place. I like that you're being security minded, but PVLANs may be overkill here. My personal suggestion is to create a VLAN for each BU and use an ACL to control traffic. Troubleshooting and administration will be easier.
08-08-2011 08:52 AM
Thanks Collin for the reply.
OK, so if I choose a VLAN for each BU I have a couple of questions.
Looking at the picture I originally attached, and if I use Cisco switches, how should I do the following?
1. Allow all the departments to access the Servers and Printers VLANs.
2. Allow the IT VLAN to access all VLANs, but other VLANs should not access PCs on the IT VLAN.
3. How to allow PCs in the ENG department to communicate with each other, considering that they are on separate switches.
4. How to create one separate VLAN for wireless access; this VLAN should only access the internet and the Printers VLAN.
5. How the DHCP server will lease IP addresses to all the PCs on each VLAN.
6. Should Active Directory traffic be OK across all VLANs (LDAP and DNS)?
I am doing this for the first time, so many questions here; please bear with me.
08-08-2011 09:16 AM
Ask as many questions as you like, that's how we all learn.
I created a quick doc (forgive the errors), so you may want to review it for reference.
1. Allow all the departments to access the Servers and Printers VLANs.
Use an ACL, see the example. You simply permit the protocols you want allowed in and out and block the rest.
2. Allow the IT VLAN to access all VLANs, but other VLANs should not access PCs on the IT VLAN.
Use an ACL, see the example. You simply permit the protocols you want allowed in and out and block the rest.
3. How to allow PCs in the ENG department to communicate with each other, considering that they are on separate switches.
You can share VLANs between switches. You would configure a trunk between the two switches. This trunk carries all the VLANs between the switches, so they communicate like they are on one switch.
4. How to create one separate VLAN for wireless access; this VLAN should only access the internet and the Printers VLAN.
Just create another VLAN and apply the ACL.
5. How the DHCP server will lease IP addresses to all the PCs on each VLAN.
Use an ACL, see the example. You simply permit the protocols you want allowed in and out and block the rest.
6. Should Active Directory traffic be OK across all VLANs (LDAP and DNS)?
Yes. MS can be a pain though, because a bunch of their protocols use dynamic ports. You can permit all ports between two servers easily while restricting or blocking others.
Please keep asking questions!
The following example just shows the ACL for the IT Dept. Each VLAN would have something similar applied to the VLAN interface.
08-08-2011 11:35 AM
Great help Collin,
Now, as expected, I have a few more questions.
So first I set up VLANs, give an IP address to each VLAN for the respective BUs, and configure routing at the VLAN level and at the global level with the IP ROUTING command; this should enable routing across all VLANs, right?
Your suggestion, I guess, was to enable routing between all VLANs and then restrict traffic using ACLs? Am I right?
If that is the case, can you shed some light on how to use and configure ACLs? I mean, where to apply them on VLANs: is it at the VLAN level or the global level? I have just learned about configuring VLANs but am still naive with ACLs. Do you have any training video or article on ACLs, or an explanation?
The second thing I am trying to do is set up a wireless VLAN; how can I achieve this?
So far my understanding is to just create one VLAN with only one port from the switch and connect this port to the wireless device (Cisco access point), and then allow access to only the Printers VLAN and access to the default gateway for the internet. Is this the correct way to do it?
Collin, do you have any material on how to set up a wireless network using Cisco access points? This project may come up soon at my company and I want to be prepared. Basically our facility is a large multi-floor building; if I set up wireless access across the floors, how should I proceed?
08-08-2011 11:53 AM
As far as routing is concerned, you will need the layer 3 services IOS to route. If you post a "show version" I can tell if you have it or not. But here is the good part: because all your VLANs are on the same switch, you don't need to route. The switch has a local routing table (even if routing is not enabled) and since all the VLANs are directly connected, the switch knows where each subnet is.
Your suggestion, I guess, was to enable routing between all VLANs and then restrict traffic using ACLs? Am I right?
Yes, you are correct. That's a great way to learn. Create a VLAN, assign the VLAN an IP address (which will become the default gateway of your client). Then put a PC on the VLAN with an IP the same as the VLAN default gateway. You should be able to hit your servers. Then start playing with ACLs on that test VLAN interface. The only thing you will break is the test VLAN. ACLs are applied to interfaces, typically at the layer 3 boundary. You can apply them in the inbound or outbound direction. Make sure you name them so you can easily identify them, something like ENG_INBOUND and ENG_OUTBOUND.
So far my understanding is to just create one VLAN with only one port from the switch and connect this port to the wireless device (Cisco access point), and then allow access to only the Printers VLAN and access to the default gateway for the internet. Is this the correct way to do it?
With wireless, you'll be doing the same thing. Create a VLAN, give it an IP, create ACLs and apply them to interfaces. If you have more than one access point, then each port that an access point is plugged into would need to be put into the wireless VLAN.
What kind of AP do you have? Do you have a controller, or does each access point run all by itself? I can help you with the wireless too, but let's worry about that after this, OK?
There are two really good books on ACLs; my favorite is the first one. You can probably get it cheap at any used bookstore or the library.
08-08-2011 12:50 PM
Collin, I am planning to get layer 3 switches. Right now we have all layer 2 switches, but we are going to perform a network upgrade soon and also segment traffic. We will also be doing VoIP, so considering that, what model do you suggest? Altogether we have a requirement of about 300 nodes.
You said "because all your VLANs are on the same switch, you don't need to route", but we have 8 switches right now.
You said "The switch has a local routing table (even if routing is not enabled) and since all the VLANs are directly connected, the switch knows where each subnet is". Does that mean on a layer 3 switch there is no need to do any routing at the interface and global level, as it comes with it? So if I set up VLANs on switch 1, is it possible to replicate the changes to all 8 switches?
Right now the only wireless devices I have are two Linksys wireless routers, connected on two different floors to different switches, with access to the whole network. I would love to prepare myself for a wireless network setup, both design and configuration, if you guide me. If I have a two-floor building about 1000 meters wide, how should I start designing wireless? Should I put one access point connected to a port in a separate VLAN, and then the next access point from the same VLAN some distance away, so I get full coverage of the whole floor, and then do the same thing on the next floor, connecting the access points to ports in the same VLAN?
Thanks for the book links.
08-08-2011 01:27 PM
I hope I can explain this well. You have two options; the first is that all 8 switches are connected at layer 2 with trunking. Only one switch would need layer 3 services to host the VLAN IPs. Your other option, since you will have the IOS to do it, is to ROUTE between your switches. If that is the case, the VLANs cannot be shared across the switches like in the layer 2 design. Each has its advantages and disadvantages. Either one will work in your situation; it's a matter of which way you prefer. VoIP and wireless will both work just fine in either model. Creating the ACLs on the VLAN interfaces will be much easier in the layer 2 model, and that is the way I would suggest you go.
You said "The switch has a local routing table (even if routing is not enabled) and since all the VLANs are directly connected, the switch knows where each subnet is". Does that mean on a layer 3 switch there is no need to do any routing at the interface and global level, as it comes with it? So if I set up VLANs on switch 1, is it possible to replicate the changes to all 8 switches?
Correct, you do not need to enable routing on the one layer 3 switch that has all the VLAN IPs. On the other 8 switches you only have layer 2 VLANs, no layer 3 interfaces. You can run VTP, which shares the VLANs automagically across all the other switches.
I think I understand your confusion about routing, so I'll see if I can explain it. With the design we are talking about, one switch, we'll call it CORE1, hosts all the VLAN layer 3 interfaces. All the other switches only have layer 2 VLAN information. Those VLANs are then shared across all switches. Now let's assume that you introduce a new switch into the network, CORE2. You move some of the layer 3 VLAN interfaces from CORE1 to CORE2. Now you need a routing protocol, because not all the layer 3 interfaces are directly connected. Routing is used when a layer 3 device needs to learn about other remote networks. In your case there are no other networks; they are all on one switch. Does that make sense?
Here's a further explanation of VLANs across multiple switches. To keep it simple, let's say we have two switches, ACCESS1 and ACCESS3. ACCESS1 contains all our layer 3 VLAN interfaces. It also has all the layer 2 VLAN information (it has to). We have 3 VLANs on each switch: ENG (vlan 10), SERVER (vlan 11), WIRELESS (vlan 12). Both switches must have the same VLAN numbers, but the names can be different (functionally the names don't matter, but keep them the same for troubleshooting purposes). So we have vlan 10, 11, and 12 on both switches. We now need to connect the two switches. We plug a cable in between them and configure each port respectively to be a trunk port. Trunk ports can carry multiple VLANs across by using a special tag. So we have the trunk set up and all the layer 2 VLANs configured. Next we create the layer 3 interfaces for VLAN 10, 11, and 12 on ACCESS1. ACCESS3 has no and needs no layer 3 information on it. We now plug a user into ACCESS3 and configure their port to be in the ENG VLAN. When they want to send data to a server, the layer 2 path goes like this: the traffic enters the ACCESS3 switchport, gets tagged with VLAN 10, then goes across the trunk to the ACCESS1 switch. ACCESS1 says, "Do I know where the server VLAN is? Yes I do, it's directly connected to me and it's VLAN 11. I'll send the traffic to the port the server is on, in VLAN 11."
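To make the "special tag" in the reply above concrete, here is an added example (not from the thread, and not Collin's or the poster's code) that builds an 802.1Q tag the way an access port does on ingress and then classifies the frame the way the trunk port on ACCESS1 does. The MAC addresses (IANA documentation range) and the payload are constructed; the native VLAN 999 and the allowed-VLAN set are assumptions standing in for `switchport trunk native vlan` and `switchport trunk allowed vlan`.

```python
"""802.1Q tagging as a trunk does it: an untagged host frame from an access port
gets a 4-byte tag, crosses the trunk, and is delivered in the right VLAN.
Added example for this thread; MACs, payload, native VLAN and allowed list are
constructed/assumed, not taken from the original switches."""
import struct

ETH_8021Q = 0x8100   # TPID that marks a frame as carrying a VLAN tag
ETH_IPV4 = 0x0800


def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=ETH_IPV4):
    """Ethernet II frame; if vlan is given, a single 802.1Q tag is inserted
    between the source MAC and the EtherType (that is the whole trick)."""
    hdr = _mac(dst) + _mac(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN id must be 1..4094 (0 is priority-only, 4095 reserved)")
        tci = ((pcp & 0x7) << 13) | vlan            # PCP(3) DEI(1)=0 VID(12)
        hdr += struct.pack("!HH", ETH_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None when untagged), pcp, ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    off = 14
    if etype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, pcp, off = tci & 0x0FFF, tci >> 13, 18
    return {"dst": _mac_str(frame[:6]), "src": _mac_str(frame[6:12]),
            "vlan": vlan, "pcp": pcp, "ethertype": etype, "payload": frame[off:]}


def access_ingress(frame, access_vlan):
    """ACCESS3 side: a host frame arrives untagged on an access port and is
    tagged with that port's VLAN before it is forwarded over the trunk.
    (Simplified: a host sending tagged frames into an access port is dropped.)"""
    p = parse_frame(frame)
    if p["vlan"] is not None:
        return None
    return build_frame(p["dst"], p["src"], p["payload"],
                       vlan=access_vlan, ethertype=p["ethertype"])


def trunk_ingress(frame, allowed, native):
    """ACCESS1 side: classify a frame arriving on the trunk.  Returns
    (vlan, untagged_frame) or None if dropped.  Untagged frames land in the
    native VLAN; tags outside the allowed list are dropped, which is why a trunk
    should carry only the VLANs it needs and use a native VLAN no host sits in."""
    p = parse_frame(frame)
    vlan = native if p["vlan"] is None else p["vlan"]
    if vlan not in allowed:
        return None
    stripped = build_frame(p["dst"], p["src"], p["payload"], ethertype=p["ethertype"])
    return vlan, stripped


if __name__ == "__main__":
    host = build_frame("00:00:5e:00:53:11", "00:00:5e:00:53:01", b"to the server")
    on_trunk = access_ingress(host, 10)                 # ENG port on ACCESS3
    print(parse_frame(on_trunk)["vlan"], trunk_ingress(on_trunk, {10, 11, 12}, 999))
```

The frame that leaves ACCESS3 is exactly four bytes longer than what the host sent, and ACCESS1 strips those bytes again before handing the frame to the server port. The two checks in `trunk_ingress` are the ones worth keeping in mind when you configure the real trunk: prune the allowed list to 10, 11 and 12 and pick an unused native VLAN, so an untagged frame arriving on the trunk cannot land in a production VLAN.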
08-09-2011 06:22 AM
Great help Collin,
I now have a very good understanding of how this is going to work for me. I have taken the same example from your reply and drawn the diagram below with the subnet ranges. I want all VLANs to access the Servers VLAN and Printers VLAN, the Wireless VLAN to access the internet and the Printers VLAN, and the Eng VLAN to be able to talk to its members on both switches. I also forgot one more VLAN in the picture: suppose there is an IT VLAN with subnet range 10.14.0.0/24; this IT VLAN should be able to access all VLANs, but other VLANs should not be able to access the IT VLAN. If I have to do this, what would the configuration look like on the switches?
I think I got the design concept right, but now I need help with the configuration. Is there any other tool you recommend where I can learn this, like a simulation, if I don't have actual hardware?
08-09-2011 06:39 AM
Example config of the VLAN interfaces
!
interface Vlan13
 description Printer VLAN
 ip address 10.10.0.254 255.255.255.0
 ip helper-address [your DHCP server]
 ip helper-address [your backup DHCP server]
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan10
 description Engineering VLAN
 ip address 10.11.0.254 255.255.255.0
 ip helper-address [your DHCP server]
 ip helper-address [your backup DHCP server]
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
The port config would look something like this-
!
! Hard-coded speed/duplex must match the attached device exactly or the link
! will not come up cleanly; leave both on auto unless you have a reason not to.
! Newer IOS releases spell the edge-port command "spanning-tree portfast edge".
!
interface FastEthernet0/48
 description HR Printer
 switchport access vlan 13
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! A 1000 Mb/s server needs a Gigabit port; the original example reused Fa0/48,
! which cannot run at 1000 and was already taken by the printer above.
interface GigabitEthernet0/1
 description Engineering Server
 switchport access vlan 10
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
 spanning-tree bpduguard enable
!
As far as learning, I think your best bet would be http://www.ciscopress.com/bookstore/product.asp?isbn=1587202174
08-09-2011 06:46 AM
Collin, what about the IT VLAN having access to everything while the reverse is blocked, the VTP configuration, and the wireless VLAN configuration? Also, what should the ACLs be?
08-09-2011 07:03 AM
This ACL will block the other subnets from entering the IT VLAN
access-list 112 remark ACLs are stateless: let replies to sessions the IT PCs opened come back
access-list 112 permit tcp any 10.14.0.0 0.0.0.255 established
access-list 112 deny ip 10.10.0.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 10.10.11.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 10.10.12.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 remark UDP/ICMP replies from the denied subnets (e.g. DNS answers) are still dropped by the lines above
access-list 112 remark every ACL ends in an implicit deny; without this permit nothing else reaches the IT VLAN
access-list 112 permit ip any any
Then you apply it to the VLAN interface of the IT VLAN
interface Vlan15
 ip access-group 112 out
Because you are allowing all traffic out from the IT VLAN, no ACL applied inbound is necessary
Configuring VTP
http://www.cisco.com/en/US/tech/tk389/tk689/technologies_configuration_example09186a0080890607.shtml
Remind me again of the wireless restrictions
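The ACL in the reply above filters on the way out of the IT SVI, and the earlier reply pointed out that ACLs are applied per interface in one direction. As an added example (not Collin's configuration and not a Cisco tool), the Python below encodes the whole policy from this thread as an inbound ACL on each department's SVI, emits it in IOS syntax, and then simulates IOS first-match evaluation, including the implicit deny, so each requirement can be checked before anything is pasted into a switch. The Eng 10.11.0.0/24 (VLAN 10), printers 10.10.0.0/24 (VLAN 13) and IT 10.14.0.0/24 (VLAN 15) prefixes come from the thread; which VLANs own 10.10.11.0/24 and 192.168.1.0/24, the HR prefix 10.12.0.0/24, the remaining VLAN ids and all test addresses are assumptions.

```python
"""Per-VLAN inbound ACLs generated from the thread's policy, plus a first-match
simulator.  Added example, not the poster's or Collin's config.  Eng, printers
and IT prefixes/VLAN ids are from the thread; the rest are assumptions."""
import ipaddress

VLANS = {                                # name: (vlan id, subnet)
    "ENG":      (10, "10.11.0.0/24"),
    "SERVERS":  (11, "10.10.11.0/24"),   # assumed home of the DCs / DNS / DHCP
    "WIRELESS": (12, "192.168.1.0/24"),  # assumed
    "PRINTERS": (13, "10.10.0.0/24"),
    "HR":       (14, "10.12.0.0/24"),    # assumed
    "IT":       (15, "10.14.0.0/24"),
}
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ldap": 389}


def _wc(name):
    """'network wildcard' pair for a VLAN, the form IOS ACLs want."""
    n = ipaddress.ip_network(VLANS[name][1])
    return f"{n.network_address} {n.hostmask}"


def build_acl(vlan):
    """Named extended ACL to apply *inbound* on the SVI of `vlan`, i.e. to the
    traffic its own hosts send.  Filtering at the source keeps each
    department's policy in one list."""
    me, lines = _wc(vlan), [f"ip access-list extended {vlan}_IN"]
    add = lambda s: lines.append(" " + s)
    add("remark DHCP discover/request must reach the relay (ip helper-address) on this SVI")
    add("permit udp any eq bootpc any eq bootps")
    if vlan == "IT":
        add("permit ip any any")                     # IT reaches everything
        return lines
    add("remark ACLs are stateless: let replies to sessions IT opened go back")
    add(f"permit tcp {me} {_wc('IT')} established")
    add(f"permit icmp {me} {_wc('IT')} echo-reply")
    add(f"deny ip {me} {_wc('IT')}")                 # nothing else toward IT PCs
    add(f"permit ip {me} {_wc('PRINTERS')}")
    if vlan == "WIRELESS":                           # printers + internet only
        for other in VLANS:
            if other not in ("WIRELESS", "PRINTERS", "IT"):
                add(f"deny ip {me} {_wc(other)}")
        add(f"permit ip {me} any")                   # whatever is left is the internet
    else:
        add(f"permit ip {me} {_wc('SERVERS')}")      # AD, DNS, LDAP, file servers
    add("deny ip any any log")                       # make the implicit deny visible
    return lines


def render_all():
    """IOS text for every SVI; apply each with 'ip access-group <NAME>_IN in'."""
    return "\n".join("\n".join(build_acl(v)) for v in VLANS)


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' (contiguous wildcards only)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1]))
    return ipaddress.ip_network((tok[i], str(ipaddress.ip_address(netmask)))), i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(lines):
    rules = []
    for line in lines[1:]:
        tok = line.split()
        if tok[0] == "remark":
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rules.append((tok[0], tok[1], src, sport, dst, dport, set(tok[i:]) - {"log"}))
    return rules


def evaluate(rules, flow):
    """IOS semantics: first matching line wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for action, proto, src, sport, dst, dport, flags in rules:
        if proto != "ip" and proto != flow["proto"]:
            continue
        if s not in src or d not in dst:
            continue
        if sport is not None and flow.get("sport") != sport:
            continue
        if dport is not None and flow.get("dport") != dport:
            continue
        if "established" in flags and not flow.get("established"):
            continue
        if "echo-reply" in flags and flow.get("icmp_type") != "echo-reply":
            continue
        return action
    return "deny"


def vlan_of(ip):
    a = ipaddress.ip_address(ip)
    return next((n for n, (_, net) in VLANS.items() if a in ipaddress.ip_network(net)), None)


ACLS = {v: parse_acl(build_acl(v)) for v in VLANS}


def check(flow, ingress=None):
    """Run a flow through the inbound ACL of the VLAN it enters on (the source
    VLAN, or `ingress` for DHCP traffic that still has 0.0.0.0 as its source)."""
    src_vlan = ingress or vlan_of(flow["src"])
    return evaluate(ACLS[src_vlan], flow) if src_vlan else "deny"
```

Two details the thread glosses over show up in the generated lists. First, an ACL has no connection state: the `established` and `echo-reply` lines are what let an HR PC answer a session an IT admin opened; anything IT initiates over plain UDP toward a department would need a reflexive ACL or a stateful firewall in the path. Second, the DHCP permit has to come before anything else, because the discover arrives with source 0.0.0.0 and is evaluated by the inbound ACL before `ip helper-address` relays it.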
08-09-2011 07:46 AM
Thanks Collin, very good help.
As for wireless, as described in my earlier post, I have very limited knowledge, but I would like to learn, as you can see from my earlier post here:
Right now the only wireless devices I have are two Linksys wireless routers, connected on two different floors to different switches, with access to the whole network. I would love to prepare myself for a wireless network setup, both design and configuration, if you guide me. If I have a two-floor building about 1000 meters wide, how should I start designing wireless? Should I put one access point connected to a port in a separate VLAN, and then the next access point from the same VLAN some distance away, so I get full coverage of the whole floor, and then do the same thing on the next floor, connecting the access points to ports in the same VLAN?
How can I set up wireless access across two floors, what is the best device to use, and what should the configuration look like?
08-09-2011 08:18 AM
The first thing you MUST do is a wireless site survey. This will tell you exactly how many APs you need and where they should be placed to get the appropriate coverage. This needs to be done by a VAR, as they have the proper tools to do it successfully. As far as hardware, I would look at a Wireless LAN Controller (WLC). What it does is provide a single point of administration for your wireless network. Currently your Linksys APs run independently of each other and run their own operating system. Using a WLC, your APs download the config from the controller! It gives you a consistent configuration and allows plug-n-play of new APs. You can also do administrative tasks like updating the operating system on all the APs with just a few clicks in the WLC. There are a ton of other features too. It is well worth the money, and given a rough guess of the number of APs you will need, it will be worth its weight in gold.
As far as what you are doing today, you are correct in assigning each AP to a single VLAN, and I believe you plan to (and should) create a Wireless VLAN. As far as actual AP placement, that is dependent on what clients you need to serve until you can get a full wireless solution in.
08-09-2011 10:13 AM
Many Thanks Collin.
Do you know how to change my email address on this forum? I have a new email address and would like to change it.
When I go to edit profile it does not allow me to change it.