
Trying to segment network first time VLAN or PVLAN

mistrybhavesh
Level 1

Hello guys,

I have network design question here on my network.

My network has grown bigger in recent years and I am now thinking of segmenting it department-wise, i.e. HR, Sales, Accounting, IT, Servers, Printers etc.

No computers from any department should be able to access other departments' computers, except the servers VLAN and printers VLAN. The IT VLAN should be able to access all VLANs, but no VLAN should be able to access PCs in the IT VLAN.

We have one DHCP server on a Win08 server, and it should be able to give leases to all the PCs in the company. We have two DNS servers/DCs at the same site, and they should be able to talk to all the PCs in the company (LDAP and DNS traffic).

Looking at this, what should be my best option? Is it VLANs or PVLAN?

A couple of questions I have here are:

I am more confused about how this PVLAN information will get replicated to the other switches on my network. I have about 8 switches scattered at different locations in the same building.

If you look at the attached picture I have two switches; SW1 is a layer 3 switch.

I want all the segments in the picture to be able to talk to the servers and printers segment. I want the Eng segment, which is scattered across both switches, to be able to talk to its own members. I also want to create a separate segment for wireless networking, so that visitors accessing this segment do not interfere with the other members on the network, and possibly to restrict virus spread from visitors' laptops. All the members should be able to get to the internet through the router.

I know this is a kind of common config for SMBs; there will be many of you who have done it, and I am looking for your tips.

Please help,

Thanks a lot

18 Replies

Your email address is tied to your CCO account so it needs to be changed there. You can email web-help@cisco.com to get it changed.

Collin, I have about 300 users and a two-floor building; is it worth doing these VLANs, segmentation and ACLs?

I guess what I want to know is: what is the common practice for a medium-size network?

What are your recommendations?

Thanks

Now is the time to do it... before the network gets any bigger. The bigger it gets, the more difficult it is.

Collin

Some great posts and I would rate, but you've opted out as far as I know. Still going to rate just to annoy you!

One point about the IT VLAN. The ACL won't work -

access-list 112 deny ip 10.10.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 10.10.11.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 10.10.12.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 10.14.0.0 0.0.0.255

interface VLAN 15
  ip access-group 112 out

This would allow traffic from the IT VLAN to other subnets, but the return traffic will be dropped because of this ACL. The only way to do this with ACLs is to use reflexive ACLs, or, if it is just TCP connections, then perhaps the "established" keyword. Not sure what L3 switches are being used here, but 3560/3750 don't support reflexive ACLs as far as I know. Not even sure about 4500/6500, to be honest.

So unless the switch supports reflexive ACLs or you use a firewall for the IT VLAN, this just can't be done with RACLs.

Jon
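Jon's point about return traffic can be checked with a small model of stateless, first-match ACL evaluation. This is an added example, not code from the thread or from Cisco; it assumes the IT VLAN behind SVI VLAN 15 is 10.14.0.0/24, that the posted ACL 112 ends with a permit ip any any, and it models "established" as IOS does (match TCP segments with the ACK or RST bit set).

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(ip: str, net: str, wc: str) -> bool:
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wc))
    return (i & ~w) == (n & ~w)

@dataclass
class Ace:                      # one access-list entry
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol; "tcp"/"udp" exact
    src: str; src_wc: str
    dst: str; dst_wc: str
    established: bool = False   # tcp only: requires the ACK or RST bit

@dataclass
class Packet:
    proto: str; src: str; dst: str
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for a in acl:
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, a.src, a.src_wc)
                and wildcard_match(pkt.dst, a.dst, a.dst_wc)):
            continue
        if a.established and not (pkt.flags & {"ACK", "RST"}):
            continue            # a fresh connection attempt, not a reply
        return a.action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
IT = ("10.14.0.0", "0.0.0.255")          # assumed: the IT VLAN 15 subnet
OTHERS = [("10.10.11.0", "0.0.0.255"), ("10.10.12.0", "0.0.0.255"),
          ("192.168.1.0", "0.0.0.255")]
# ACL 112 as posted (applied "out" on VLAN 15), with an assumed final permit
ACL_ORIGINAL = [Ace("deny", "ip", *o, *IT) for o in OTHERS] + [Ace("permit", "ip", *ANY, *ANY)]
# Same list with a TCP "established" permit placed ahead of the denies
ACL_ESTABLISHED = [Ace("permit", "tcp", *o, *IT, established=True) for o in OTHERS] + ACL_ORIGINAL
# Constructed sample packets leaving the VLAN 15 SVI towards an IT host
SYN_ACK_REPLY = Packet("tcp", "10.10.11.5", "10.14.0.20", frozenset({"SYN", "ACK"}))
NEW_SYN_FROM_HR = Packet("tcp", "10.10.11.5", "10.14.0.20", frozenset({"SYN"}))
UDP_REPLY = Packet("udp", "10.10.11.5", "10.14.0.20")   # e.g. a DNS/SNMP answer

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("established", ACL_ESTABLISHED)):
        for p in (SYN_ACK_REPLY, NEW_SYN_FROM_HR, UDP_REPLY):
            print(name, p.proto, sorted(p.flags) or "-", "->", evaluate(acl, p))
```

The run shows the TCP reply to an IT-initiated connection being dropped by the posted list and passed once "established" is added, while a new SYN from HR is still denied; the UDP reply is dropped in both cases, which is why "established" only helps for TCP.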
