Designing a VLAN network

Bionic

Hi,

We are introducing VOIP in our business and want to use this opportunity to create VLANs on our network. We have the correct switches and there are existing VLANs. My setup is as follows.

  • I have a fibre that controls my MPLS
  • there is an additional Seacom fibre that is used for staff mobiles (pure broadband and no filtering). VOIP provider will be using this to break out.
  • a wireless controller and APs that broadcast 2 x SSID - 1 for guest and the other for main internal network
My thoughts are that we setup VLANS for the following..

  • VLAN 0 (default) - mpls
  • VLAN 1 - VOIP - This will use Seacom
  • VLAN 2 - Guest network - Use seacom
  • VLAN 3 - Training room - We have a training room that have daily visitors so would like this ring fenced. It must still be connected to MPLS.
  • VLAN 4 Boardrooms - Must be on MPLS
  • VLAN 5 - Server room - Must be on MPLS.

I'm not sure what the best practice is when designing VLANs. I think the above may seem overkill. We also have MAC filtering which restricts any unauthorized access within the building. My concerns are: how will we control computers? If a person in VLAN 3 uses the desk outside of the training room, what VLAN will he be on? Must I do MAC locking on a VLAN? I also don't want it to be so complex and restrictive that it's a troubleshooting nightmare for my team. Do I need to allocate IP ranges for the different VLANs? I only have 2 DHCP clients, so not sure how this will work. We have pool printing, so will the VLANs restrict the printing to that VLAN?

Our end result is to introduce the adequate level of security on our LAN layer and separate voice and data.

Your thoughts?

Thanks
 
Subscribed.

I have some thoughts but I will let the pros take it from here - I'm keen to learn.
 
how will we control computers? If a person in VLAN 3 uses the desk outside of the training room, what VLAN will he be?

If a person from the training room walks up to a computer outside of the training room, they will have access to that computer and the network it is on.

VLANs don't follow people; they are assigned to a network.

Users are controlled by logins or physical barriers etc.

Edit: what equipment are you using?
 
Using voice on the same link as an unfiltered internet browsing link is a bad idea. You would need to shape or at least prioritize traffic for the voice to not get affected.

Best security practice is to use a non-default VLAN for any service. Typically VLAN 1 is the default, so possibly change it to something else.
You will need different IP ranges per VLAN.
You should also have some kind of ACL or filtering mechanism to stop inter-VLAN routing.
You can create multiple DHCP pools and use IP helper on each VLAN to get the correct IP from the DHCP server, or alternatively run DHCP on the switch / router.

MAC filtering is not secure.

Standard VLAN / pc allocation is done via the port you plug into. If you plug into a port configured for VLAN 2, you will be on VLAN 2 and get an IP in that pool. You can use NAC systems for example to profile or identify what is connecting to the network and dynamically allocate the correct VLAN. So a printer no matter where it goes will be in the printer VLAN etc.

How are you splitting the traffic between the 2 internet links? I.e. what is doing the splitting, or do you have 2 routers and are terminating the appropriate layer 3 on the appropriate router?

What VLAN will your internal main network wireless be on? Is the traffic tunneled back to the controller or does it break out at the AP?
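The points in the reply above (non-default VLANs, voice separated from data and prioritised, port-based VLAN assignment, MAC filtering not being a security control) are easiest to see as an access-switch configuration. The following Cisco IOS snippet is an added example and is not config from the thread; the VLAN IDs (10/20/30/100/999), names, addresses and port numbers are assumptions chosen to avoid the default VLAN 1, and would be adapted to the real plan.

```cisco
! Added example, not config from the thread: Cisco IOS access-switch
! hygiene for the design discussed above. VLAN IDs, names, addresses and
! port numbers are assumptions; adapt them to the real plan.
!
! 1. Non-default VLAN IDs. VLAN 1 stays empty; VLAN 999 is a dead-end VLAN
!    (no SVI, no DHCP) used for unused ports and as the trunk native VLAN.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 30
 name GUEST
vlan 100
 name MGMT
vlan 999
 name UNUSED
!
! 2. Rogue DHCP protection: only the uplink may answer DHCP, so a visitor's
!    laptop handing out addresses in the training room is dropped.
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
no ip dhcp snooping information option
!
! 3. User desk: PC untagged in VLAN 10, phone tagged in VLAN 20 via the
!    voice VLAN. AutoQoS trusts and prioritises the phone's marking
!    ("cisco-phone" detects the phone via CDP; third-party phones need
!    "auto qos voip trust" instead). Port security (one PC + one phone) is
!    hygiene, not authentication: a MAC address is trivially cloned, which
!    is why MAC filtering on its own is not a security control.
interface GigabitEthernet1/0/1
 description User desk
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security violation restrict
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 4. Unused wall points: shut and parked in the dead-end VLAN, so an
!    unknown device gets no link rather than landing in the default VLAN.
interface range GigabitEthernet1/0/40 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 5. Uplink: carry only the VLANs that must cross, native VLAN set to the
!    dead-end VLAN so untagged frames never land in a real VLAN, DTP off,
!    and trusted for DHCP snooping. (Platforms that also support ISL need
!    "switchport trunk encapsulation dot1q" before "switchport mode trunk".)
interface GigabitEthernet1/0/49
 description Uplink to core
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,100
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
! 6. Switch management lives only on the management VLAN; the VLAN 1 SVI
!    is shut so nothing answers on the default VLAN.
interface Vlan1
 shutdown
interface Vlan100
 description Switch management
 ip address 10.1.100.2 255.255.255.0
ip default-gateway 10.1.100.1
```

After applying it, "show vlan brief" should list no active ports in VLAN 1, "show interfaces trunk" should show the uplink with native VLAN 999 and only the allowed list, and "show ip dhcp snooping" should show only the uplink as trusted. Note that the guest VLAN 30 is only useful on switches that serve guest wall points or guest SSIDs; there is no reason to carry it to a switch that has neither.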
 
Also, that's not overkill. I would add more VLANs for management purposes as well.

Take the controller and APs for instance. Their IPs should be in their own "management" VLAN as well.

You could split servers up even further, depending on:

Physical servers, or virtual?

Hypervisor management VLAN, vMotion VLAN, iDRAC/mmi VLAN etc.

This list below goes on till VLAN 200. You will see the IP helper is the same for most, just pointing to a DHCP server on all the SVIs where DHCP has been configured:

interface Vlan2
description Data 2
ip address 10.1.2.1 255.255.255.0
ip helper-address 10.1.200.20
!
interface Vlan3
description Data 3
ip address 10.1.3.1 255.255.255.0
ip helper-address 10.1.200.20
!
interface Vlan4
description Data 4
ip address 10.1.4.1 255.255.255.0
ip helper-address 10.1.200.20
!
interface Vlan5
description Data5
ip address 10.1.5.1 255.255.255.0
ip helper-address 10.1.200.20
!
interface Vlan6
description Printers
ip address 10.1.6.1 255.255.255.0
ip helper-address 10.1.200.20
!
interface Vlan7
description Voice1
ip address 10.1.7.1 255.255.255.0
ip helper-address 10.1.10.20
!
interface Vlan8
description Voice2
ip address 10.1.8.1 255.255.255.0
ip helper-address 10.1.10.20
!
interface Vlan9
description Voice3
ip address 10.1.9.1 255.255.255.0
ip helper-address 10.1.10.20
!
interface Vlan12
description BYOD
ip address 10.1.12.1 255.255.255.0
ip helper-address 10.1.200.20
!
interface Vlan13
description Access-Control
ip address 10.1.13.1 255.255.255.0
ip helper-address 10.1.200.20


Then the DHCP scopes on the server with IP of 10.1.200.20
(screenshot of the DHCP scopes, attached image)
 
Also, that's not overkill. I would add more VLANs for management purposes as well.

The problem with having all the L3 on the switch is then you need to use ACLs to manage all of that. I'd rather put a firewall in place and use the L3 there to split the networks apart from each other.
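The reply above says that keeping L3 on the switch means writing ACLs to keep the VLANs apart; the earlier reply said the same ("some kind of ACL or filtering mechanism to stop inter-VLAN routing"). This is what those ACLs look like on a Cisco L3 switch. It is an added example, not config from the thread, and it reuses the subnets from the SVI listing above (VLAN 2 data, VLAN 6 printers, VLAN 7 voice, VLAN 12 BYOD, DHCP server 10.1.200.20, voice DHCP 10.1.10.20). The server VLAN being 10.1.200.0/24, the voice-server subnet being 10.1.10.0/24 and the internal resolver at 10.1.200.10 are assumptions.

```cisco
! Added example, not config from the thread: inter-VLAN filtering on the
! L3 switch, using the subnets from the SVI listing above (VLAN 2 data,
! VLAN 6 printers, VLAN 7 voice, VLAN 12 BYOD, DHCP server 10.1.200.20,
! voice DHCP 10.1.10.20). The server VLAN being 10.1.200.0/24, the voice
! server subnet 10.1.10.0/24 and the resolver 10.1.200.10 are assumptions.
!
! Each list is applied "in" on its SVI, i.e. to packets arriving from hosts
! in that VLAN, so lateral traffic is dropped before it is routed. First
! match wins and the implicit "deny ip any any" drops everything else.
ip access-list extended BYOD-IN
 remark DHCP discover/request must pass so the helper can relay it
 permit udp any eq bootpc any eq bootps
 remark DNS only to the internal resolver
 permit udp 10.1.12.0 0.0.0.255 host 10.1.200.10 eq domain
 remark no other internal subnet, then anything else (internet)
 deny   ip 10.1.12.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.1.12.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.1.12.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.1.12.0 0.0.0.255 any
!
ip access-list extended VOICE-IN
 remark phones reach the voice server subnet and the internet (the SIP
 remark trunk breaks out via the provider), nothing else internal; log probes
 permit udp any eq bootpc any eq bootps
 permit ip 10.1.7.0 0.0.0.255 10.1.10.0 0.0.0.255
 deny   ip 10.1.7.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.1.7.0 0.0.0.255 any
!
ip access-list extended DATA-IN
 remark workstations print to VLAN 6 on raw 9100 and IPP only, reach the
 remark server VLAN, and may not touch voice, BYOD or the rest of VLAN 6
 permit udp any eq bootpc any eq bootps
 permit tcp 10.1.2.0 0.0.0.255 10.1.6.0 0.0.0.255 eq 9100
 permit tcp 10.1.2.0 0.0.0.255 10.1.6.0 0.0.0.255 eq 631
 deny   ip 10.1.2.0 0.0.0.255 10.1.6.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 10.1.200.0 0.0.0.255
 deny   ip 10.1.2.0 0.0.0.255 10.1.7.0 0.0.0.255
 deny   ip 10.1.2.0 0.0.0.255 10.1.12.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 any
!
interface Vlan2
 ip access-group DATA-IN in
interface Vlan7
 ip access-group VOICE-IN in
interface Vlan12
 ip access-group BYOD-IN in
```

Three caveats a practitioner will hit. These ACLs are stateless: the printer's replies come back in through the VLAN 6 SVI, which has no inbound ACL here, so they pass; the moment you also put an inbound ACL on the printer or server SVI you must permit the return traffic there (with "established" for TCP, or reflexive ACLs), which is exactly the point about a firewall doing more than allow/deny. "log" on an L3 switch punts matching packets to the CPU, so keep it on a few high-value deny lines. And nothing here filters hosts inside the same VLAN (two training-room machines in VLAN 3 still see each other); that needs private VLANs, VACLs or the tag-based approach discussed later in the thread. "show ip access-lists" shows hit counters per line, which is the quickest way to confirm a rule is actually matching.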
 
The problem with having all the L3 on the switch is then you need to use ACLs to manage all of that. I'd rather put a firewall in place and use the L3 there to split the networks apart from each other.

Yep, easier with a firewall, but once you get used to configuring ACLs then that's also easy.

The only thing about a firewall doing it is that the firewall needs to be a beefy device. I set up a FortiGate 60E (entry-level device) at a branch with 12 VLANs, but in the end moved them over to an L3 switch as the firewall wasn't powerful enough to cope with all the traffic. But that's an edge firewall, not designed as a segmentation firewall.

At one point I had all my home VLANs on a firewall as well, but moved over to the L3 switch as it was quicker for me to do it there, so I'm only left with a few on the firewall.

(screenshot of the home VLAN setup, attached image)
 
Yep, easier with a firewall, but once you get used to configuring ACLs then that's also easy.

The only thing about a firewall doing it is that the firewall needs to be a beefy device. I set up a FortiGate 60E (entry-level device) at a branch with 12 VLANs, but in the end moved them over to an L3 switch as the firewall wasn't powerful enough to cope with all the traffic. But that's an edge firewall, not designed as a segmentation firewall.

At one point I had all my home VLANs on a firewall as well, but moved over to the L3 switch as it was quicker for me to do it there, so I'm only left with a few on the firewall.

It is not really about easy or not (although that is a factor) it is about security. The firewall should be doing more than just allow / deny otherwise sure, just use an ACL. There should be proper traffic inspection, logging and hopefully some integration into a security fabric or architecture.

Cisco had a really good idea ages ago with their TrustSec model where all traffic gets "tagged" and you allow and/or deny tags at the access port layer. This means you can have 2 users on the same VLAN but they can be blocked from each other.
It also means policies are no longer about IP addressing and more about tags/users/behavior/assets, which means they are consistent across branches and locations.
Blue tag can reach red tags, but blue cannot reach blue or other tags. Easy for audits, easy to understand, easy to implement.
Additionally, you can dynamically change tags depending on a security posture or incident. So you could tag a user or segment (like guest wireless) with a more restrictive tag if something is suspicious etc.
Using the network as an enforcer instead of trying to restrict at a layer 3 point makes total sense.

It is a pity that the execution was not as fluid as the idea and ISE was a nightmare for many years. Support on the switches was also very limited meaning most companies needed a full refresh to support the tech.
 
It is not really about easy or not (although that is a factor) it is about security. The firewall should be doing more than just allow / deny otherwise sure, just use an ACL. There should be proper traffic inspection, logging and hopefully some integration into a security fabric or architecture.

Cisco had a really good idea ages ago with their TrustSec model where all traffic gets "tagged" and you allow and/or deny tags at the access port layer. This means you can have 2 users on the same VLAN but they can be blocked from each other.
It also means policies are no longer about IP addressing and more about tags/users/behavior/assets, which means they are consistent across branches and locations.
Blue tag can reach red tags, but blue cannot reach blue or other tags. Easy for audits, easy to understand, easy to implement.
Additionally, you can dynamically change tags depending on a security posture or incident. So you could tag a user or segment (like guest wireless) with a more restrictive tag if something is suspicious etc.
Using the network as an enforcer instead of trying to restrict at a layer 3 point makes total sense.

It is a pity that the execution was not as fluid as the idea and ISE was a nightmare for many years. Support on the switches was also very limited meaning most companies needed a full refresh to support the tech.

ISE was so hard to implement and had so many flaws, we use Forescout now as a replacement product for our clients.
And yes with the segregation you want full IPS between your different networks.
 
ISE was so hard to implement and had so many flaws, we use Forescout now as a replacement product for our clients.
And yes with the segregation you want full IPS between your different networks.

Yup, was a total nightmare. Anything before version 2 was a dog show and even up to 2.4 it was not great.
We use a variety of ISE, Forescout and FortiNAC for our clients depending on the requirements and security roadmap strategy

Cisco really had an opportunity to dominate the security market if ISE had worked off the bat and the TrustSec model was more easily supported. Pity really.
 
  • VLAN 4 Boardrooms - Must be on MPLS
  • VLAN 5 - Server room - Must be on MPLS

Don't really see the point here of breaking off into VLANs based on location/area unless you for some odd reason want to run those on different IP ranges.

You'd want to break up VLANs for different use cases, such as different type of devices (IoT) or types of User (Employee vs Guest vs Management) etc.

Where they are shouldn't matter.
 
Don't really see the point here of breaking off into VLANs based on location/area unless you for some odd reason want to run those on different IP ranges.

You'd want to break up VLANs for different use cases, such as different type of devices (IoT) or types of User (Employee vs Guest vs Management) etc.

Where they are shouldn't matter.

Unless he is separating internal from internal, but they both use the MPLS link. That would make sense then.
 
Using voice on the same link as an unfiltered internet browsing link is a bad idea. You would need to shape or at least prioritize traffic for the voice to not get affected.

Best security practice is to use a non-default VLAN for any service. Typically VLAN 1 is the default, so possibly change it to something else.
You will need different IP ranges per VLAN.
You should also have some kind of ACL or filtering mechanism to stop inter-VLAN routing.
You can create multiple DHCP pools and use IP helper on each VLAN to get the correct IP from the DHCP server, or alternatively run DHCP on the switch / router.

MAC filtering is not secure.

Standard VLAN / pc allocation is done via the port you plug into. If you plug into a port configured for VLAN 2, you will be on VLAN 2 and get an IP in that pool. You can use NAC systems for example to profile or identify what is connecting to the network and dynamically allocate the correct VLAN. So a printer no matter where it goes will be in the printer VLAN etc.

How are you splitting the traffic between the 2 internet links? I.e. what is doing the splitting, or do you have 2 routers and are terminating the appropriate layer 3 on the appropriate router?

What VLAN will your internal main network wireless be on? Is the traffic tunneled back to the controller or does it break out at the AP?

Hey. Thanks for your response. We will be implementing a VLAN at the carrier level on the Seacom link. We have been using MAC filtering for years now to restrict staff phones connecting to our network. Didn't know it wasn't secure. Will explore ACLs. We did look at a NAC system before but it was very expensive.
 
Don't really see the point here of breaking off into VLANs based on location/area unless you for some odd reason want to run those on different IP ranges.

You'd want to break up VLANs for different use cases, such as different type of devices (IoT) or types of User (Employee vs Guest vs Management) etc.

Where they are shouldn't matter.

So our thoughts are that if a visitor presents with their device and it is affected, it won't affect the rest of the LAN. With boardrooms, we don't have visibility of who goes into those rooms. With regard to the server room, our servers' main purpose is DHCP and print server. With any outbreak inside our server room, it's contained, and vice versa.
 
So our thoughts are that if a visitor presents with their device and it is affected, it won't affect the rest of the LAN. With boardrooms, we don't have visibility of who goes into those rooms. With regard to the server room, our servers' main purpose is DHCP and print server. With any outbreak inside our server room, it's contained, and vice versa.

Yes but you are somewhat missing the point that to enable that you need separate DHCP ranges and entirely separate networks with different access levels.

The location they access from should be kind of irrelevant.

So you’d have something like...

VLAN - Infrastructure
VLAN - Guest
VLAN - Employees.

So you’d put your server room and say printers or other devices on your floors inside the infrastructure VLAN, and therefore its underlying network, regardless of where they are.

Guest you would then assign to points in the board room or the Wireless SSID ID there.

You don’t make a VLAN for a location, you make it for a privilege level and then use that VLAN for its purpose wherever.
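The reply above says a VLAN is made for a privilege level and follows the device wherever it plugs in, and an earlier reply said a NAC can assign that VLAN dynamically instead of relying on MAC filtering. On Cisco IOS that is 802.1X with MAB fallback and RADIUS-assigned VLANs, shown below as an added example that is not config from the thread. The RADIUS server address and shared secret, the VLAN IDs (20 voice, 30 guest, 999 dead-end) and the port are assumptions; the RADIUS server (NPS, FreeRADIUS, ISE, FortiNAC and the like all do this) returns the VLAN per user or device group in the standard Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802) and Tunnel-Private-Group-ID attributes.

```cisco
! Added example, not config from the thread: 802.1X + MAB with dynamic
! VLAN assignment on Cisco IOS, so the VLAN follows the identity of what
! plugs in rather than the wall point. RADIUS address/secret, VLAN IDs and
! the port number are assumptions. The RADIUS server returns the VLAN in
! Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server NAC1
 address ipv4 10.1.200.30 auth-port 1812 acct-port 1813
 key <shared-secret>
!
dot1x system-auth-control
!
! Every user-facing port gets this identical config. The configured access
! VLAN is the dead-end VLAN 999, so a successful authentication that comes
! back without a VLAN attribute lands nowhere useful (fail closed) instead
! of on the data VLAN.
interface GigabitEthernet1/0/1
 description Any user-facing port
 switchport mode access
 switchport access vlan 999
 switchport voice vlan 20
 ! try 802.1X first; fall back to MAB for printers and phones that have
 ! no supplicant. MAB is still a MAC check, so devices admitted that way
 ! should be given a tightly ACL'd VLAN, not the employee VLAN.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! one data device plus one voice device per port
 authentication host-mode multi-domain
 ! failed or silent devices go to the guest VLAN; if RADIUS is unreachable
 ! the port is also parked in guest rather than opened up, and re-checked
 ! once the server is back
 authentication event fail action authorize vlan 30
 authentication event no-response action authorize vlan 30
 authentication event server dead action authorize vlan 30
 authentication event server alive action reinitialize
 ! periodic re-authentication, interval supplied by the RADIUS server
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
```

"show authentication sessions interface GigabitEthernet1/0/1 details" shows which method (dot1x or mab) authorised the device and which VLAN RADIUS handed back, which is the check to run when someone plugs a training-room laptop into a desk outside the training room: the session should show the guest or training VLAN regardless of where the port is. Before turning this on fleet-wide, run the ports in "authentication open" (monitor) mode with RADIUS accounting so the team can see which printers and phones would have failed and build the MAB list from real data.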
 