IME you are in the ball park where segregation of traffic across networks will improve performance. However the division of the VLANs seems to have been decided on the basis of the function of the member nodes rather than any effort for managing bandwidth. Certainly with this number of nodes you could get the same aggregate bandwidth by intelligently planning where you put switches rather than using vlans.
Without seeing a detailled diagram and getting some real measurements its hard to say for sure, but I suspect that the setup you describe is giving you no performance benefits and lots of admin headaches.
you can enforce Access Control Lists on the router
Not a good reason for using vlans - use subnets, firewalls and switches.
There isn't any single "Best" imho. There are plenty of good solutions that can fit a number of budgets and design styles - I mention the last factor because the "best" can often be the design you are comfortable with and can easily support.
That said, I'll tell you what I've got in the same situation:
A 10Gbe fibre backbone between each cabinet (effectively a floor in your case) and its neighbouring cabinet and the server room. This gives you good bandwidth and resiliency.
Two VLANs per floor, one each for voice and data (actually we have a bunch of other stuff (wireless, CCTV, electronic access control, and hence a lot more VLANs for those - do any of these apply to you too?). This gives you a reasonable amount of "headroom" assuming 1 phone and 1 computer for each of those users, plus a scattering of the usual extras such as networked printers...
Think about a logical IP addressing scheme that can map the logical LAN to the physical LAN. This can help you understand the origins of traffic if you are looking at packets to troubleshoot stuff later, e.g.
Using the example: 10.x.y.0
- where X = floor and Y = VLAN
- so 10.4.2.25 might be a device in the voice VLAN on the 4th floor
- and 10.3.1.13 might be a device on the data VLAN on the 3rd floor
VLANs vs seperate networks:
I've seen it done both ways but recently it has mostly been done with VLANs as it generally makes thing simpler in the long run. If you're worried about phone line quality on a shared lan then this can be fixed with QoS. Also consider that phones and computers are converging at the moment, phones are moving from "just phones" to VOIP to Unified Communications and at that final point you really want a "unified" network to run it all on. So with that in mind it makes sense, imho, to go down the VLAN route rather than separate physical network route.
As for number of ports, VLANs can cut the number of switch and patch ports required for local connections dramatically. We have phones in our office spaces with 1Gb "pass through" switches on the back of them into which we plug PCs, reducing the number of ports required to kit out an office - we do this by placing both VLANs on the same switch ports with data as the untagged vlan and voice as the tagged VLAN.
It really works well and as well as reducing the number of ports it also keeps the cost of deployment down; low level deployment technicians can just plug a phone, printer or computer in without having to get the port configured.
Best Answer
Often with network diagrams, problems arise when you try to attempt to do a logical and physical design in a single diagram.
It is usually easier to both create and read a network layout where these are two separate diagrams.
You could one diagram with your vlan setup with the departmental separation, and another with your hardware setup across the floors.
Sometimes, once you have done this, you'll see a way that you can combine the two in a way that is still interpretable, but don't force it.