Designing VLAN

stijnschollaert
Level 1

Hi,

It's the first time I need to design VLANs in a medium network environment with several clients and servers + firewall.
The VLAN need is:
DMZ

DHCP HQ clients + HQ servers + HQ printers
IT department + management interfaces switches and servers
Logistics department

So far that is clear, I also assigned several IPs on these VLANs

DMZ 10.0.99.0

DHCP HQ clients + HQ servers + HQ printers 10.1.1.0
IT department + management interfaces switches and servers 10.1.2.0
Logistics department 10.2.1.0

The problem is I don't know if this design is good, because people in the logistics department need to access servers in the HQ VLAN. So I'm afraid this will cause overhead, because between all these VLANs the firewall is the default gateway. So all the traffic from one VLAN to another VLAN goes through the router. This means when the logistics department wants to connect to our ERP server, they need to go through the firewall. I'm afraid this will create overhead.

So do I need to take the firewall away and configure on my L3 switch a default route to the firewall? We use Forefront TMG.

I really need some help in this.

6 Replies

devils_advocate
Level 7

Your DMZ network should be separate from your 'Internal' network for a start, i.e. it should be on a separate switch off a separate port on the firewall.

Is there a reason your internal VLANs need to have their default gateway on the firewall? Are there access rules in place to prevent one VLAN talking to another? If not, I would simply have an L3 switch doing inter-VLAN routing and have a default route to the firewall so the clients can access the internet. Your DMZ would then be on a separate network, its own switch on its own port on the firewall.

ALIAOF_
Level 6

The VLAN need is:

DMZ

DHCP HQ clients + HQ servers + HQ printers
IT department + management interfaces switches and servers
Logistics department

So far that is clear, I also assigned several IPs on these VLANs

DMZ 10.0.99.0

DHCP HQ clients + HQ servers + HQ printers 10.1.1.0
IT department + management interfaces switches and servers 10.1.2.0
Logistics department 10.2.1.0

So, like the above poster mentioned, the DMZ should be completely separate and behind the firewall. Same with the servers: it's good to put them behind the firewall as well, and they should not be on the same network as DHCP clients and printers.

I would also separate the management network from the IT department as well.

So something like this:

DMZ 10.0.99.0

DHCP HQ clients 10.1.0.0/24

HQ printers 10.1.1.0/24

HQ servers 10.1.2.0/24
IT department 10.1.3.0/24

Management interfaces switches and servers 10.1.200.0/24 (or 10.1.4.0/24, your preference)
Logistics department 10.1.4.0/24 or 10.1.5.0/24, whichever is available
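
As an added example (not configuration posted in this thread), this is what the design devils_advocate describes and the VLAN split ALIAOF_ proposes would look like on a Cisco IOS L3 switch: one SVI per VLAN, a single default route to the firewall, and extended ACLs on the user VLANs so that VLAN-to-VLAN filtering happens on the switch while everything leaving the campus still passes the firewall. The VLAN IDs, the transit subnet 10.1.254.0/30, the firewall address 10.1.254.2, the DHCP/DNS server 10.1.2.10, the ERP server 10.1.2.20 and TCP port 7046 (the Dynamics NAV 2013 client-service default; check your own server) are assumptions for illustration, not values from the thread.

```cisco
! Added example, not configuration from the thread. VLAN numbers, the transit
! subnet 10.1.254.0/30, the firewall 10.1.254.2, the DHCP/DNS server 10.1.2.10,
! the ERP server 10.1.2.20 and TCP 7046 are assumptions for illustration.
! The DMZ (10.0.99.0/24) is absent on purpose: it lives on its own switch
! behind its own firewall port, so this switch never routes for it.
ip routing
!
vlan 10
 name HQ-CLIENTS
vlan 11
 name HQ-PRINTERS
vlan 12
 name HQ-SERVERS
vlan 13
 name IT-DEPT
vlan 14
 name LOGISTICS
vlan 200
 name MGMT
vlan 999
 name FW-TRANSIT
!
interface Vlan10
 description HQ clients 10.1.0.0/24
 ip address 10.1.0.1 255.255.255.0
 ip helper-address 10.1.2.10
 ip access-group CLIENTS-IN in
interface Vlan11
 description HQ printers 10.1.1.0/24
 ip address 10.1.1.1 255.255.255.0
interface Vlan12
 description HQ servers 10.1.2.0/24 (DHCP/DNS 10.1.2.10, ERP 10.1.2.20 assumed)
 ip address 10.1.2.1 255.255.255.0
interface Vlan13
 description IT department 10.1.3.0/24, unfiltered
 ip address 10.1.3.1 255.255.255.0
interface Vlan14
 description Logistics 10.1.4.0/24
 ip address 10.1.4.1 255.255.255.0
 ip helper-address 10.1.2.10
 ip access-group LOGISTICS-IN in
interface Vlan200
 description Switch and server management 10.1.200.0/24
 ip address 10.1.200.1 255.255.255.0
interface Vlan999
 description Point-to-point link to the firewall inside interface
 ip address 10.1.254.1 255.255.255.252
!
! Only traffic the switch cannot route locally (internet, DMZ) goes to the
! firewall, so firewall policy still applies to everything leaving the campus.
ip route 0.0.0.0 0.0.0.0 10.1.254.2
!
! Logistics: DHCP relay, DNS, the ERP port, replies to sessions that IT opened
! towards logistics, then nothing else inside 10.1.0.0/16. Anything outside that
! block (internet, DMZ) is permitted here and left to the firewall to decide.
ip access-list extended LOGISTICS-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.1.4.0 0.0.0.255 host 10.1.2.10 eq domain
 permit tcp 10.1.4.0 0.0.0.255 host 10.1.2.20 eq 7046
 permit tcp 10.1.4.0 0.0.0.255 10.1.3.0 0.0.0.255 established
 permit icmp 10.1.4.0 0.0.0.255 10.1.3.0 0.0.0.255 echo-reply
 deny   ip any 10.1.0.0 0.0.255.255 log
 permit ip 10.1.4.0 0.0.0.255 any
!
! HQ clients: servers and printers freely, replies to IT, but no management
! network and no logistics; internet via the firewall.
ip access-list extended CLIENTS-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.1.0.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit tcp 10.1.0.0 0.0.0.255 10.1.3.0 0.0.0.255 established
 permit icmp 10.1.0.0 0.0.0.255 10.1.3.0 0.0.0.255 echo-reply
 deny   ip any 10.1.0.0 0.0.255.255 log
 permit ip 10.1.0.0 0.0.0.255 any
!
! The switch itself accepts SSH only from the management and IT subnets,
! independent of how the SVI ACLs evolve.
ip access-list standard MGMT-ONLY
 permit 10.1.200.0 0.0.0.255
 permit 10.1.3.0 0.0.0.255
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
```

Two caveats when copying this pattern: IOS ACLs are stateless, so any session opened into a filtered VLAN from elsewhere (here, IT reaching a logistics or client PC) needs its replies permitted explicitly, which is what the `established` and `echo-reply` lines do; and the switch only matches on addresses and ports, so anything keyed on AD user names stays a job for the firewall, which in this design still sees all traffic leaving the campus through the default route but no longer sees VLAN-to-VLAN traffic.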

Thanks for these clear answers. The reason I set my servers in the same VLANs as the clients is because I thought if I separated them it would generate too much traffic. I set my firewall between all this because I want to filter traffic from one VLAN to another. I know this can be done with ACLs, but that is only by IP and not by username. Because when an admin logs in on a client, he can't access the management interfaces. But I can think about this.
But if my switch has a default route to the firewall, is there still a possibility I can filter my traffic to the outside on AD usernames?

Parvesh Paliwal
Level 3

Dear Friend,

As far as the design is concerned, it seems fine, as the firewall must work as a filter for inter-VLAN (inter-department) transfer of packets. The DMZ is on a separate VLAN from the internal network.

Management interface separation is also a good suggestion, but I do not feel it is an extreme requirement, as it is already with the people in IT.

As far as the overhead is concerned, that totally depends on the firewall capability. For a better understanding, please share your bandwidth requirement for certain VLANs.

Our firewall is: https://www.paloaltonetworks.com/products/platforms/firewalls/pa-500/overview.html

We have an ERP system (Microsoft Dynamics NAV 2013) and in our company everybody works on it. Is it smart to put this in a separate VLAN?

This is something very important: put the servers on a different VLAN or not? Firewall in between or at the end?

I also have a server that needs to be reachable from the DMZ and internally. What is the best configuration for this?

Can someone help me out?
