Cisco – VLAN planning and questions

Tags: cisco, cisco-asa, switch, vlan

I currently manage an environment with IP addressing of 10.10.10.x/23. We have 3 VLANs set up, and I use that term very loosely. The reason I say I use the term loosely is that the 3 VLANs have full access to each other. VLAN10 is our internal network, VLAN20 is our guest WiFi and VLAN30 is our DMZ. The environment has your typical servers, workstations and printers, plus we have security cameras but no VoIP. We have close to 200 workstations, 29 printers, 20 servers and 40 security cameras.

The guest WiFi should just have access to the internet and that's it, not my internal network. One of the questions I have with planning our VLAN setup is this: currently our ASA5505 is "routing" the traffic and has the ACLs for the VLANs. Should I keep it this way, or should the ACLs be moved to my Cisco 3750X switches? Right now my plan was to set up the VLANs as follows:

VLAN    Purpose              Subnet
10      Servers              10.10.10.x/24
20      Workstations         10.10.20.x/24
30      Internal WiFi        10.10.30.x/24
40      Cameras and Server   10.10.40.x/24
100     DMZ                  192.168.100.x/24
110     Guest WiFi           192.168.110.x/24

I'm also not sure if I should keep the printers on the same VLAN as the workstations or servers, or separate them into their own VLAN. If they are in their own VLAN, should the print server be on that VLAN also?

Best Answer

I think you would do well to think about why you might use VLANs to begin with.

It sounds like you have reasons to limit / segment traffic, but I would question if you're really going to do the homework necessary to build ACLs to have fine-grained control of traffic between PCs, servers, and printers. In every case that I've seen that done the admin ends up giving up and just opening all traffic (allow ip any any) between the "server VLAN" and the "workstation VLAN" because they can't get software vendors to disclose what ports / protocols are necessary to make applications work (or because the applications use dynamic ports that aren't handled by protocol handlers in the inter-VLAN router).

The typical trade-off between using a layer 3 switch versus a more router-like device like a Cisco ASA is expressiveness of the ACL system versus routing performance. A layer 3 switch can typically route at wire-speed, however it may not support ACLs with enough expressiveness to do what you need. In some cases, the layer 3 switch ACL system does have the expressiveness, but using those expressive features may cause routing to move through a CPU rather than an ASIC, diminishing performance.

I'd start by building a list of the ACLs I intend to have, then evaluating if the layer 3 switches are capable of handling them and, if they are, keeping the traffic in a "fast path" while doing so. You'll get the highest performance routing in the layer 3 switches, but (particularly with your guest wifi VLAN) the ASA may be a better fit from a rule expressiveness perspective.

Insofar as your printers go: if you're looking to limit access to the printers to only authorized administrators and the servers queuing them, then you may want to throw them into a VLAN. Some people are fine with printers being directly accessible by client computers, but other environments (where the printed items are of a sensitive nature, or where billing software needs to arbitrate access to the printers) benefit from isolating the printers and strictly limiting the hosts that can connect to them. You'll have to gauge your needs there. How much accountability do you need with respect to auditing print jobs, for example?
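As an added example (not part of the question or the answer above), here is what the one rule the asker is certain about, "guest WiFi reaches the internet and nothing else", looks like when the inter-VLAN routing and the ACL live on the 3750X instead of the ASA, which is the "fast path" option the answer describes. The VLAN numbers and subnets are the ones from the question's plan; the .1 gateway address on each SVI, the transit VLAN 250 towards the ASA, the switch acting as DHCP server for guests and the public resolver address are all assumptions made for this example.

```cisco
! Assumed example: Catalyst 3750X as the inter-VLAN router, guest VLAN
! restricted to internet only. VLAN IDs and subnets come from the question;
! gateway addresses, transit VLAN 250, the DHCP pool and the resolver are
! assumptions made for this example.
ip routing
!
vlan 10
 name Servers
vlan 20
 name Workstations
vlan 30
 name Internal-WiFi
vlan 40
 name Cameras
vlan 100
 name DMZ
vlan 110
 name Guest-WiFi
vlan 250
 name Transit-to-ASA
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
interface Vlan40
 ip address 10.10.40.1 255.255.255.0
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
interface Vlan250
 ip address 192.168.250.2 255.255.255.252
!
! Guest SVI: the ACL is applied inbound, i.e. to packets arriving from
! guest clients, so it is evaluated before anything is routed.
interface Vlan110
 ip address 192.168.110.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Default route towards the ASA inside interface (assumed address).
ip route 0.0.0.0 0.0.0.0 192.168.250.1
!
! Guests get a public resolver from DHCP so they never need to reach the
! internal DNS servers on VLAN 10. The resolver address is an example.
ip dhcp excluded-address 192.168.110.1
ip dhcp pool GUEST
 network 192.168.110.0 255.255.255.0
 default-router 192.168.110.1
 dns-server 9.9.9.9
!
! First match wins; anything not permitted hits the implicit deny at the
! end. No "log" keyword: on a Catalyst, ACEs that log are punted to the
! CPU, which defeats the wire-speed argument for routing on the switch.
ip access-list extended GUEST-IN
 remark DHCP discover/request/renew to the switch's own DHCP server
 permit udp any eq bootpc any eq bootps
 remark guests may ping their gateway for troubleshooting, nothing more
 permit icmp 192.168.110.0 0.0.0.255 host 192.168.110.1
 remark no routed access to any RFC 1918 range: servers, workstations,
 remark internal WiFi, cameras, DMZ and the transit link are all covered
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark everything else is the internet
 permit ip 192.168.110.0 0.0.0.255 any
```

Two checks after applying it: `show ip access-lists GUEST-IN` shows per-entry hit counters, so a guest client that can still reach 10.10.10.x is visible as a miss on the deny lines rather than a mystery; and `show platform tcam utilization` tells you whether the ACL fit in hardware, which is the answer's point about staying in the fast path. Note that an SVI ACL only sees routed traffic: guest-to-guest frames inside VLAN 110 are switched, so client isolation for the guest WLAN has to come from the access point or WLAN controller. If you instead keep the ACLs on the ASA 5505, check `show version` first: the Base license supports only three VLAN interfaces (the third restricted), so the six-VLAN plan in the question needs the Security Plus license (20 VLANs) before the ASA can route it at all.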
