VLAN Planning Help

tankerkiller125

Currently our network has zero VLANs (one massive network). The plan is to change this at some point in the future and I’ve been working on planning out the change.

Current Network:
Single Network -> 172.29.100.0/22 IP Range, Many VPN networks (192.168.114.0/24, 192.168.115.0/24, etc.) all routed to act as one massive network. Our Firebox VPNs are configured to have one Data VPN connection with one IP range, and a second VPN connection for the phones using a different IP range.

Of note is that we have a second company here now (a division we sold) and so part of the plan is to separate them completely using VLANs. They do not have any servers on-site. But they are part of our PBX server.

Proposed Network:
Our Corp:

VLAN 1 - Corp Desktops/Laptops/Corp WiFi - 172.29.100.0/22 - Will route to Infrastructure and Dev VMs
VLAN 2 - Desk Phones/PBX Servers - 172.29.99.0/24 - Will be able to route to Infrastructure via Firewall
VLAN 3 - Infrastructure Servers/VMs - 172.29.98.0/24
VLAN 4 - Development VMs - 172.29.104.0/24 - Will Route to Infrastructure via Firewall
VLAN 5 - IoT Wireless/Wired - 172.29.105.0/24 - Direct to Internet
VLAN 6 - Staff WiFi - 172.29.106.0/24 - Direct to Internet
VLAN 7 - Guest WiFi - 172.29.107.0/24 - Direct to Internet

Other Corp:
Phones will still use VLAN2

VLAN 500 - Desktops/Laptops/Corp WiFi - Direct to Internet
VLAN 501 - Staff WiFi - Direct to Internet
VLAN 502 - Guest WiFi - Direct to Internet

If I could get some feedback on the proposed layout that would be great.

phenomlab

tankerkiller125 Of note is that we have a second company here now (a division we sold) and so part of the plan is to separate them completely using VLANs. They do not have any servers on-site. But they are part of our PBX server.

If the PBX system is a Cisco CUCM or other IP based, then there is going to be an element of sharing that you cannot work around from the physical / logical split point of view. We’ve been in the same boat, and because the phones require connectivity to our core switches, we set voice vlans only so that the jack at the back of the handset itself cannot be used for data.

tankerkiller125 VLAN 1 - Corp Desktops/Laptops/Corp WiFi - 172.29.100.0/22 - Will route to Infrastructure and Dev VMs

Not a wise move. VLAN1 is the default VLAN on all Cisco switches, and prone to attack (be it remote or surface) every time. I’d change that and also use high-end number VLANS to keep them out of any low grade scanning or enumeration using Wireshark for example or NMAP.

tankerkiller125

phenomlab As far as the phones go we already know for a fact that we will have to share a VLAN for that at least for now.

As far as the VLAN 1 thing goes how would you recommend handling desktops/laptops that don’t have VLAN options? Just auto tag everything on that port to the correct VLAN if it’s untagged? Unfortantly our switches are older (Dell PowerConnect 3448 and PowerConnect 3448p) so I don’t know if they even support that kind of thing.

phenomlab

tankerkiller125 You’d really only need VLAN1 if you were interconnecting legacy kit with Cisco switches. I’d go for what you’ve stated. Create a VLAN outside of VLAN1, and auto tag to that. Are you setting the VLAN at NIC level ?

tankerkiller125

phenomlab Probably not via NIC. I’m still trying to figure out the Dell switches. They are not intutive to say the least.

tankerkiller125

I finally have this all figured out and the final plans are in place, now I’m just working on taking these plans and putting them into IPAM/DCIM software so that as I work I a comprehensive guide of how to configure things as well has docs for where all the cables in the server room go.