08-08-2011 07:56 AM - edited 03-07-2019 01:35 AM
Hello guys,
I have a network design question about my network.
My network has grown bigger in recent years and I am now thinking of segmenting it department-wise, i.e. HR, Sales, Accounting, IT, Servers, Printers, etc.
No computers from each department should be able to access other department computers except the servers VLAN and printer VLANs; the IT VLAN should be able to access all VLANs, but no VLAN should be able to access PCs in the IT VLAN.
We have one DHCP server on a Win08 server and that should be able to give leases to all the PCs in the company. We have two DNS servers and DCs at the same site and they should be able to talk to all the PCs in the company (LDAP and DNS traffic).
Looking at this, what should be my best option? Is it VLANs or PVLANs?
A couple of questions I have here are:
I am more confused about how this PVLAN information will get replicated to other switches on my network. I have about 8 switches scattered at different locations in the same building.
If you look at the attached picture, I have two switches; SW1 is a layer 3 switch.
I want all the segments in the picture to be able to talk to the servers and printers segment. I want the Eng segment, which is scattered across both switches, to be able to talk to members in it. I also want to create a separate segment for wireless networking, so that visitors accessing this segment do not interfere with the other members on the network, and possibly to restrict virus spread from visitors' laptops. All the members should be able to go to the internet through the router.
I know this is a kind of common config for SMBs; there will be many of you who have done it. I am looking for your tips.
Please help,
Thanks a lot
08-10-2011 06:42 AM
Your email address is tied to your CCO account so it needs to be changed there. You can email
web-help@cisco.com to get it changed.
08-10-2011 12:21 PM
Collin, I have about 300 users and a two-floor building; is it worth doing this VLAN segmentation and ACLs?
I guess what I want to know is: what is the common practice for a medium-size network?
What are your recommendations?
Thanks
08-10-2011 01:02 PM
Now is the time to do it...before the network gets any bigger. The bigger it gets, the more difficult it is.
08-10-2011 05:49 PM
Collin
Some great posts and I would rate but you've opted out as far as I know. Still going to rate just to annoy you!
One point about the IT VLAN. The ACL won't work -
access-list 112 deny ip 10.10.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 10.10.11.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 10.10.12.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 10.14.0.0 0.0.0.255
interface VLAN 15
ip access-group 112 out
This would allow traffic from the IT VLAN to other subnets, but the return traffic will be dropped because of this ACL. The only way to do this with ACLs is to use reflexive ACLs or, if it is just TCP connections, then perhaps the "established" keyword. Not sure what L3 switches are being used here, but 3560/3750 don't support reflexive ACLs as far as I know. Not even sure about 4500/6500 to be honest.
So unless the switch supports reflexive ACLs or you use a firewall for the IT VLAN, this just can't be done with RACLs.
Jon
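Added example, not from the thread or from any of its posters: a small Python model of IOS extended ACL matching that replays the return-traffic point above against the deny lines Jon quoted (the truncated first line is left out). It assumes VLAN 15 is the IT VLAN at 10.14.0.0/24 and that the real ACL ends in a "permit ip any any"; the sample packets are constructed. It then shows what putting "permit tcp ... established" entries in front of the denies changes, and that UDP replies are still dropped, which is why reflexive ACLs or a firewall are needed for anything beyond TCP.

```python
"""Added model (not from the thread): evaluate Cisco IOS extended ACL lines
the way the switch would, to show why an outbound ACL on the IT VLAN SVI
drops return traffic, and what the 'established' keyword changes."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol), "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False        # TCP only: match segments with ACK or RST set


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP control bits present, e.g. {"SYN", "ACK"}


def _address(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # ipaddress accepts a hostmask (the IOS wildcard) after the slash
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [established]' lines."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            raise ValueError(f"not an access-list line: {line!r}")
        action, proto = tokens[2], tokens[3]
        rest = tokens[4:]
        src = _address(rest)
        dst = _address(rest)
        entries.append(Entry(action, proto, src, dst, "established" in rest))
    return entries


def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for entry in acl:
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if src not in entry.src or dst not in entry.dst:
            continue
        # 'established' only matches TCP segments carrying ACK or RST (IOS semantics)
        if entry.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
            continue
        return entry.action
    return "deny"


# Deny lines as posted in the thread (the truncated first line is left out).
# The trailing 'permit ip any any' is an assumption so that the denies are what is tested.
DENY_LINES = [
    "access-list 112 deny ip 10.10.11.0 0.0.0.255 10.14.0.0 0.0.0.255",
    "access-list 112 deny ip 10.10.12.0 0.0.0.255 10.14.0.0 0.0.0.255",
    "access-list 112 deny ip 192.168.1.0 0.0.0.255 10.14.0.0 0.0.0.255",
]
ORIGINAL_ACL = parse_acl(DENY_LINES + ["access-list 112 permit ip any any"])

# Same ACL with 'established' permits placed before the denies, so replies to TCP
# sessions opened from the IT VLAN (assumed 10.14.0.0/24) pass; UDP replies still do not.
ESTABLISHED_LINES = [
    f"access-list 112 permit tcp {net} 10.14.0.0 0.0.0.255 established"
    for net in ("10.10.11.0 0.0.0.255", "10.10.12.0 0.0.0.255", "192.168.1.0 0.0.0.255")
]
FIXED_ACL = parse_acl(ESTABLISHED_LINES + DENY_LINES + ["access-list 112 permit ip any any"])

# Constructed sample traffic leaving the switch outbound onto VLAN 15 (the IT VLAN).
SYN_ACK_REPLY = Packet("tcp", "10.10.11.20", "10.14.0.10", frozenset({"SYN", "ACK"}))
UNSOLICITED_SYN = Packet("tcp", "10.10.11.20", "10.14.0.10", frozenset({"SYN"}))
UDP_REPLY = Packet("udp", "10.10.11.20", "10.14.0.10")


def check_vlan15(acl):
    """Return what the outbound ACL on interface VLAN 15 does to each sample packet."""
    return {
        "tcp_reply_to_it": evaluate(acl, SYN_ACK_REPLY),
        "unsolicited_syn_to_it": evaluate(acl, UNSOLICITED_SYN),
        "udp_reply_to_it": evaluate(acl, UDP_REPLY),
    }


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("with established", FIXED_ACL)):
        print(name, check_vlan15(acl))
```

With the original entries every packet heading into the IT VLAN is dropped, including the SYN-ACK that answers a connection an IT PC opened. The "established" entries let that reply through while still dropping a fresh SYN from another department, but they do nothing for UDP, so DNS or other UDP replies into the IT VLAN would need reflexive ACLs or a stateful firewall, as the post says.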