Vlan – Splitting up a flat network into VLANs


I have been handed a fun job at work of breaking up a flat network into 4 VLANs. This is my first "beginning to end" network project and I have a pretty good idea of what needs to happen, but it's been my experience that what I have learned from books and what actually needs to happen can be different. My rough plan is below, details left out for brevity.

Hardware involved:
SG200 switches x 3 (one of these SG200s is acting as an access switch, the other two are "core" switches in the server room). The "access" switch will have all of its ports in one VLAN.

Sophos firewall (for routing)

  • ID nodes via MAC address; find this MAC address in the switch(es) and
    document which port that MAC is associated with, then assign it to a
    VLAN.
  • Set up router on a stick using a Sophos firewall that is in place.
    ROAS is due to budget constraints; they turned down the L3 switch
    proposal. I have set up this config before and don't have any
    questions about this part.
  • The Microsoft server (2008R2) will handle DHCP for each VLAN. I
    have a working multi-VLAN DHCP server setup I can clone from
    another client to make this work and it seems pretty
    straightforward (but again, assumptions like this can be what slows me
    down).

Any advice on setting this up? Some of my questions and self-doubt are below:

  • I have this feeling I need to put a "gateway of last resort" into the
    switches in order to make this work, but I am uncertain.

  • I am a little in the dark on what will happen with the access switch. I know it will need to trunk to the core and the trunk will need to pass the single VLAN needed (which I can configure), can I just leave this as an "open" trunk?

That's the big pieces that I can think of at this time; I need to put it on paper and pick it apart. I would like to see some feedback from anyone else though, it's very helpful when you are starting from nothing. Any considerations before I go too far down this road…?

A great overview of the process is found here (Evan Anderson's post):
https://serverfault.com/questions/54417/best-way-to-segment-traffic-vlan-or-subnet

But it lacks a few of the details that have me worried (gateway of last resort for instance).
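The first step in the plan above (identify each node by MAC address, find the port it sits on, then assign that port to a VLAN) is mostly documentation work, and it is where a cut-over usually goes wrong: a port that carries devices destined for two different VLANs, an uplink mistaken for a host port, or a MAC nobody can account for. The following script is an added example, not code from the question or from Cisco or Sophos. The MAC-table dump and the node inventory are constructed sample data in a "show mac address-table" style; port names, hostnames and VLAN ids are hypothetical.

```python
"""Build a per-port VLAN assignment plan from a switch MAC table.

Added example (not from the original post). MAC_TABLE mimics a
"show mac address-table" style dump and INVENTORY is the node list
built while identifying hosts by MAC address; both are constructed.
"""
import re
from collections import defaultdict

# Constructed sample dump: the network is still flat, so every entry is in VLAN 1.
MAC_TABLE = """\
Vlan  Mac Address        Type     Ports
1     00:11:22:33:44:01  dynamic  gi1
1     00:11:22:33:44:02  dynamic  gi2
1     00:11:22:33:44:03  dynamic  gi3
1     00:11:22:33:44:04  dynamic  gi3
1     00:11:22:33:44:99  dynamic  gi5
1     00:11:22:33:44:10  dynamic  gi24
1     00:11:22:33:44:11  dynamic  gi24
1     00:11:22:33:44:12  dynamic  gi24
"""

# Constructed inventory: MAC -> (hostname, target VLAN). Names and VLAN ids are hypothetical.
INVENTORY = {
    "00:11:22:33:44:01": ("fileserver", 10),
    "00:11:22:33:44:02": ("printer-1", 30),
    "00:11:22:33:44:03": ("pc-alice", 20),
    "00:11:22:33:44:04": ("voip-phone", 40),  # phone daisy-chained with pc-alice on gi3
    "00:11:22:33:44:10": ("pc-bob", 20),
    "00:11:22:33:44:11": ("pc-carol", 20),
    "00:11:22:33:44:12": ("pc-dave", 20),
}

# One table row: vlan, mac, type, port. The header line does not match.
MAC_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f:]{17})\s+\S+\s+(\S+)", re.I)


def parse_mac_table(text):
    """Return {port: [mac, ...]} from a MAC-table dump; non-matching lines are skipped."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            ports[m.group(3)].append(m.group(2).lower())
    return dict(ports)


def plan_ports(ports, inventory, uplink_threshold=3):
    """Decide an access VLAN per port.

    Returns (plan, issues): plan is {port: vlan} for ports that can become
    plain access ports; issues lists what needs a human decision before cut-over:
    - a MAC that is not in the inventory (unidentified node)
    - a port with many MACs (probably an uplink, not a host port)
    - a port carrying devices that belong in different VLANs
    """
    plan, issues = {}, []
    for port, macs in sorted(ports.items()):
        for m in macs:
            if m not in inventory:
                issues.append(f"{port}: unidentified MAC {m}")
        vlans = {inventory[m][1] for m in macs if m in inventory}
        if len(macs) >= uplink_threshold:
            issues.append(f"{port}: {len(macs)} MACs seen, probably an uplink; "
                          "trunk it or leave it in the default VLAN")
        elif len(vlans) > 1:
            issues.append(f"{port}: devices in VLANs {sorted(vlans)} share this port")
        elif len(vlans) == 1:
            plan[port] = vlans.pop()
    return plan, issues


if __name__ == "__main__":
    plan, issues = plan_ports(parse_mac_table(MAC_TABLE), INVENTORY)
    for port, vlan in plan.items():
        print(f"{port}: access VLAN {vlan}")
    for issue in issues:
        print("CHECK:", issue)
```

Running it prints a clean assignment for gi1 and gi2 and flags gi3 (PC and phone in different VLANs), gi5 (MAC not in the inventory) and gi24 (too many MACs for a host port). Those three flags are the decisions to settle before any port is moved; an unidentified MAC in particular should be tracked down rather than guessed into a VLAN.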

Best Answer

Do you want to multi-home the access switch? You should, however this complicates the configuration. Since you did not specify this, I will assume you do not want to multi-home (a link to each core switch from the access switch).

So, the access switch is flat (single VLAN) therefore no trunking required between it and one of the 2 core switches. Simply be sure the default VLAN is enabled on the uplink port of each switch.

The core switches need to be trunking between them to carry frames from each VLAN.

The gateway (router + security appliance) needs to be trunking to whichever core switch it plugs into (assuming no dual homing). The default VLAN should be present on each interface of this uplink, along with all 3 other VLANs. The gateway needs to be configured with an IP address for each VLAN/subnet so that it can route between them. Each VLAN/subnet's default gateway address is the address of the gateway.

Hope that helps.
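The answer reduces to a small set of rules that can be checked before the change window: the single-homed access switch needs only the default VLAN on its uplink, the core-to-core trunk must carry every VLAN, the trunk to the gateway must carry every VLAN, and the gateway needs an address inside each VLAN's subnet (that address being the subnet's default gateway). The checker below is an added example, not part of the answer or of any vendor tool. Device names, VLAN ids, subnets and gateway addresses are hypothetical; the topology is the one the answer assumes (access switch on core1, trunk between core1 and core2, gateway on core2).

```python
"""Check a VLAN/trunk plan against the rules in the answer above.

Added example (not part of the original answer). Switch names, VLAN ids,
subnets and addresses are hypothetical.
"""
import ipaddress

# VLAN id -> subnet. VLAN 1 is the default VLAN the flat network stays in.
VLANS = {1: "10.0.1.0/24", 10: "10.0.10.0/24", 20: "10.0.20.0/24", 30: "10.0.30.0/24"}

# VLANs that will have hosts (access ports) on each switch.
ACCESS_VLANS = {
    "access1": {1},          # flat access switch: default VLAN only
    "core1": {1, 10, 20},
    "core2": {1, 10, 30},
}

# Links and the VLANs allowed across them; an access-mode uplink allows one VLAN.
LINKS = [
    ("access1", "core1", {1}),                # no trunk needed, default VLAN only
    ("core1", "core2", {1, 10, 20, 30}),      # core trunk carries every VLAN
    ("core2", "gateway", {1, 10, 20, 30}),    # router-on-a-stick trunk to the firewall
]

# Gateway address per VLAN; each one is that subnet's default gateway.
GATEWAY_IPS = {1: "10.0.1.1", 10: "10.0.10.1", 20: "10.0.20.1", 30: "10.0.30.1"}


def reachable(start, vlan, links):
    """Devices reachable from `start` over links that allow `vlan`."""
    seen, todo = set(), [start]
    while todo:
        node = todo.pop()
        if node in seen:
            continue
        seen.add(node)
        for a, b, allowed in links:
            if vlan not in allowed:
                continue
            if a == node and b not in seen:
                todo.append(b)
            if b == node and a not in seen:
                todo.append(a)
    return seen


def check_plan(vlans, access, links, gw_ips):
    """Return a list of rule violations; an empty list means the plan is consistent."""
    problems = []
    for vid, subnet in vlans.items():
        net = ipaddress.ip_network(subnet)
        # Rule 1: every switch with hosts in this VLAN must reach the gateway on that VLAN.
        for sw, vids in access.items():
            if vid in vids and "gateway" not in reachable(sw, vid, links):
                problems.append(f"VLAN {vid}: no path from {sw} to the gateway")
        # Rule 2: the gateway must own an address inside this VLAN's subnet.
        ip = gw_ips.get(vid)
        if ip is None:
            problems.append(f"VLAN {vid}: gateway has no address")
        elif ipaddress.ip_address(ip) not in net:
            problems.append(f"VLAN {vid}: gateway address {ip} is not in {subnet}")
    # Rule 3: the gateway trunk carries the default VLAN and all the others.
    for a, b, allowed in links:
        if "gateway" in (a, b):
            missing = sorted(set(vlans) - set(allowed))
            if missing:
                problems.append(f"link {a}-{b}: gateway trunk is missing VLANs {missing}")
    return problems


def default_gateways(vlans, gw_ips):
    """Subnet -> default gateway address to hand out in each DHCP scope."""
    return {subnet: gw_ips[vid] for vid, subnet in vlans.items() if vid in gw_ips}


if __name__ == "__main__":
    for p in check_plan(VLANS, ACCESS_VLANS, LINKS, GATEWAY_IPS) or ["plan is consistent"]:
        print(p)
    for subnet, gw in default_gateways(VLANS, GATEWAY_IPS).items():
        print(f"{subnet}: default gateway {gw}")
```

Dropping VLAN 20 from the core-to-core trunk, or giving the gateway an address outside a subnet, is reported as a named violation, which is cheaper to find on paper than after the cut-over. The `default_gateways` table is what each DHCP scope on the Windows server should hand out as its router option.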