I work in a small company that has about 75 clients, and about 10 servers, and I have a refurb 4948 that's not setup yet, currently on the live network are asa5510, a sg300, voip system, and an old 2960 that's currently my core sw (the 4948 will replace this) and I'm planning on redesigning our flat network.
We've always had a single collision domain on vlan 1 which I read is not recommended for security, and I was wondering if it's worth the headaches of setting up vlans on this small network (I'm no Cisco veteran, just learned hands on reading forums and guides) So my plan is to finally set up a dmz on the firewall and I'm reading a bit more before I get into that, and put the servers in a vlan on that dmz, I read that the 4948 can do routing so I can probably set inter-vlan on it if needed. Here's a diagram of my planned network, if you guys can give me some guidance on a best way to redesign it I'd totally appreciate it. Thanks in advanced.
Why do you want the servers in a DMZ, are they going to be accessed from the internet ?
I would definitely recommend putting the servers on the 4948 switch has it has much better performance than the 2960. And as you say it can route as well so perhaps it might be an idea to replace the 2960 with the 4948 and then if you do need a DMZ use the 2960 as the DMZ switch.
Ideally you do not want your DMZ switch to have any internal LAN clients on it but that may not be possible for as you may not have enough ports. But you definitely do not want your DMZ switch to be routing, that should be left to the firewall.
In terms of using vlans the answer is it depends. With the number of devices you have it may not be worth doing unless you are experiencing issues at the moment. It is always a good idea to have the servers on a separate vlan because if they are the same vlan a faulty NIC in a client could bring down the servers as well but that said in your setup all the clients would be in the same vlan anyway. And generally people start to consider using vlans when the IP subnet gets to be bigger than a /24 which you are nowhere near.
I presume at the moment you route off the firewall ie. the inside interface of the firewall is the default gateway for the clients and servers ? If you stay with one vlan there is no benefit to routing on the 4948, you may as well just use this as a higher performance switch for the servers/clients.
I can't see a need for vlans here unless you are experiencing performance issues but the 4948 could well sort that out for you.
Perhaps you could clarify the bit about the servers and the DMZ and maybe go a bit more into what you want ?
Thanks for the reply, yeah I have mailservers(owa, activesync), and webservers that need to be out on the web, ok so it's not recommended to have vlans on a small network like mine, that's ok, I also have a voip system with 50 phones, but the audio quality is ok for now, no one's complaining, there's no dropouts also. On the ASA, that's correct everyone has that as a gateway, and it routes to the isp router ip.
I still have about 20 ip's on my dhcp, and as little as probably 10 on static available, so I think I may just keep it a flat network for now, till it grows near 250 ip's, then I can start looking at vlan's. But I will definitely need to setup a dmz on the ASA as advised by another forum member, so moving fwd I will just setup the 4948 and put the webservers on a dmz, and keep the inside clients on vlan1. Hey thanks for the tips, I'll be doing some tests in the coming days, thanks again.
Is your 75 clients divided into different departments? if they are then it will be a good idea to assign each department into different VLANs in order to prepare for the future incase they start to get bigger and bigger. Also creating different VLANs for each department will allow you to create access-lists which will help you restrict them based on their roles.
but if they belong to the same department you can setup your DMZ using the setup below:
Hi Nec, thanks for the reply, yeah I have different dept's for the users, but in the workgroup sw their all kinda spread out in 3 different switches, my plan for now was to put them into the new 4948 and organize it better, actually in that 75 clients about 45-50 are actual pc users that makes up the network traffic, the rest are production machines with linux and the servers, thanks.
Hi everyone, I would like to thank you in advance for any help you can provide a newcomer like myself!
Im studying the 100-105 book by Odom and am currently on the topic of Port security. I purchased a used 2960 and I'm trying to follow a...
While deploying a number of 18xx/2802/3802 model access points (APs), which run AP-COS as their operating platform. It can be observed on some occasions that while many of their access points were able to join the fabric WLC withou...
I am going to design and build an LAN network under a tunnel underground with long distance between the switches.
I will have 2 Catalyst switches and 8 Industrial IE3000, and they will be connected with fiber.
For now I am planning on use Layer-2 s...