1

Hi all,

I’ve typed and retyped this post a 1/2 dozen times now because I just don’t know what I want to write. I’m confident I can do this, but my panic and anxiety is taking over and I am so worried. I have so many questions!

I think it’s best if I just document out my plan for this weekend when I take the network down and you all can offer your feedback.

First, our current network is a 10.0.0.0/24 subnet. We now have more than 100 laptops with wired/wireless IP’s, plus printers, a few VoIP deskphones, Pi’s, and we want a guest wifi network. I have already gone around the office and documented what users/devices are connected to which ports in the patch panel.

We have 1 Windows 2016 Server which acts us our AD, DHCP, Printer Server, and File Server. Our firewall is an ASA5516-X managed by our ISP.

Here is my VLAN idea

VLAN 10 - Management 192.168.10.0/24 (Network gear)

VLAN 11 - Server 192.168.11.0/24 (Servers, we only have 1)

VLAN 12 - Corp 192.168.12.0/24 (Desktops, Laptops, Printers, etc)

VLAN 13 - VoIP 192.168.13.0/24 (Hardware based deskphones)

VLAN 14 - IoT 192.168.16.0/24 (Raspberry Pi’s, Cameras, Alexa)

VLAN 15 - Sonos 192.168.17.0/24 (SONOS)

VLAN 16 - Guest 192.168.14.0/24 (Guest wifi, Applicant testing machines)

So here goes.

  1. I’m going to remove all the spaghetti wiring between the patch panels and switches so I have a clear view.

  2. On all 5 SG200 switches: Backup the config, update firmware, and factory reset (not sure if this is necessary, but figured I should do it to clear any previous VLAN attempts done)

  3. Assign an IP address to each SG200 with a management IP and document the switch serial, IP, and set a strong admin password. Also create all the VLAN tags within each switch.

  4. Switch 1 will connect ISP firewall, our server, and remaining 4 switches.

  5. Start cabling switch 1 and the others and when finished go in and tag the ports with appropriate VLAN’s.

  6. On the Windows Server, in DHCP create the various subnet scopes to match the VLAN’s.

  7. Call the ISP and inform them of the VLAN’s and subnets.

That’s it. What did I miss? Feedback? :slight_smile:

EDIT: Thank you all for the input, please see my follow-up questions here. Really nervous about overhauling the network by myself

37 Spice ups
2

It makes a lot of extra work (and very little sense) to divide everything into /24 networks and then route it all back together. You’re just turning a layer 2 network into a layer 3 mess.

Unless your server will never talk to your laptops or printers, don’t separate them.

By all means, keep your public wifi in a different LAN.

Open your main network up to /22 or more to give yourself plenty of room for layer 2 communication.

41 Spice ups
3

Make sure you enable IP helper on your switch/firewall this will tell the device to send DHCP requests to the DHCP server.

After you re-ip the DC go through the DNS records and make sure the IP addresses are correct for the DC as incorrect records will prevent clients from contacting the domain controller

5 Spice ups
4

No need for all those vlan nightmare settings as Robert mentioned!, might wanna use a label machine and label the certain cables going from the core router to the firewall and so on… then there is no guesswork when it comes time to figure it out when in a panic!

I have kinda been in the same here, just started here at this job and been cleaning things up as one would expect and getting them setup properly!

7 Spice ups
5

I’m confident I can do this, but my panic and anxiety is taking over and I am so worried. I have so many questions!

You are shooting yourself down in flames.

If you are confident - be confident.

If you have panic and anxiety you are not confident; the two are mutually exclusive.

Work out in your mind what the worst case scenario is and how you will deal with it - confidently.

Measure twice - cut once.

Check each stage as you complete it - if it doesn’t work stop, and find out why, fix and move on.

Take advice and ask if you don’t know.

You can do this.

16 Spice ups
6

Honestly, the Server VLAN was something a friend had told me he sets up his organizations that way, but I can certainly scrap that. I’ve been reading a lot of VLAN posts here and I thought I understood that the purpose of a VLAN was to separate a network that you might otherwise separate physically.

Sorry Robert, I’m a little confused by your response. Are you saying that I should use NO vlan’s and instead just use a separate network connected to the firewall’s interface?

For example, the managed switches, the server, the laptops, printers and every else related to the company would be on a 192.168.10.0/22 network and then the Pi’s camera’s, guest wifi, and applicant testing computers would be on another network and simply don’t connect the 2?

7

I don’t see a router in your configuration. How are you planning to route between all the subnets? I would go with just a Corp Vlan (at /22 as Robert suggested) and a Guest Vlan. It’s a much simpler solution and easier to troubleshoot.

5 Spice ups
8

The Cisco ASA5516-X router/firewall is managed by our ISP. Sorry if I wasn’t clear on that!

Yes it is a pain because we have several DHCP relays setup.

1 Spice up
9

Uh, I think you’re missing something crucial here - you’re worried about turning your network into a complicated mess of a setup for not any real good reason, and you only have 1 physical server, running a single DC that does more than just be a DC? What’s wrong with your current network, why do you see it expanding (and if you need more just make it a /23), and just setup a separate guest network with some cheapo router hooked to a segregated zone on your ISP router if it’s all in one area.

IMO, your priorities are wrong. You’re way over-complicating this for the sake of over-complicating it.

7 Spice ups
10

Hi all,

I have to admit I’m having more questions than I started with! I appreciate all the responses.

  1. It sounds like I should forget the whole VLAN idea. If this is the case, are you telling me it’s fine having all the switches on the same subnet as our users? For example, let’s say I change it to 192.168.0.0/22. Are the users and equipment all on this network?

  2. Similar to that, do I block of some addresses at the start? For example, let’s say 192.168.0.5 for our DC and then keep 192.168.0.10 - .50 for networking equipment and start my DHCP scope at .51?

  3. The AP’s I purchased are Unifi AC Pro to put around the office (replacing Cisco WAP321 units). I’ll create a standard corporate network for all the laptops and then another guest SSID for employee phones and visitors. Is setting that 2nd SSID to a guest network sufficient for security?

  4. The Pi’s and other IoT devices I could also put on that guest network or create another “IoT” SSID. I want to set the Pi’s at least with static IP’s so that’s why I figure another SSID and then I connect to that SSID when I need to SSH into them.

  5. The applicant testing computers I’ll hook up to their own switch that will connect to another interface on the firewall that will handle DHCP.

  6. Similar to the previous, I’ll connect the SONOS devices to a 3rd interface on the firewall that will handle DHCP. I’ll setup a cheap wireless router on this to connect an old ipad to for the SONOS Controller.

All that sound like a better plan?

11

Carry this thought through. What networks would you want to separate completely? Do you really need a whole network with switches and routers for a single server? Or can it live just fine with the workstations? Not to say that management stuff like the hypervisor wouldn’t make more sense elsewhere, but what would be the goal of adding all the overhead for that case?

What’s the ultimate goal with putting phones into their own VLAN? There are some switches that do some automatic configuration and claim to do some QoS at a port level, but generally the issue isn’t intra-network so much as the transition out to the WAN at your gateway where you want those policies in place. There’s nothing wrong with doing it, but, again, would you be willing to invest in a whole separate network for just phones AND still have it go out the same gateway?

Isolating cameras, Sonos, etc devices does potentially make since if you’re looking to limit access. Not to confuse VLANs with any real security concept, but making it more than a trivial task for someone to mess with infrastructure devices is generally a very good idea.

There is a bit more config necessary on your switches. It’s been a few years since I touched the re-branded Linksys stuff, but you will need to also make sure that the links between switches and switch to firewall trunk the necessary VLANs so that all are carried up to the firewall for routing.

3 Spice ups
12

While others have given a down vote to segregating servers from workstations I’d like to just present something for thought. We wanted to pass ALL server bound connections through our firewall’s IPS. This is a lot easier with a separate server vlan. We eventually called it off due to limitations of the firewall but we still put in the server vlan. The ideal situation is for your FW to do the L3 routing, at least between zones of differing security levels but since your ISP manages your firewall it’s probably mainly for internet access. Coupled with the fact that you don’t know exactly what you’re doing it would just make setup / management difficult to design around the firewall. Having said that, yes it would be simpler to eliminate the VLANS but it may be more difficult to put them in later on when you really need them. The choice is yours, but I would use them as long as they wouldn’t get in the way. It would be nice to have at lest some of the VLANs in so that you have a working pattern you can add to later on. Another thing, it’s popular to number your VLANs in 10s rather than sequentially so there’s room to insert additional related VLANs keeping them in the same range rather than tack them on the end. At the very least make your VLAN number match the 4th octet since you’re using /24s. That way you can infer the subnet from the VLAN id and vice versa.

1 Spice up
13

Regardless of whether you decide to use vlans or not; I personally recommend against using 192.168.x.x as many home setups use these ranges and if you eventually need to provide VPN this can cause you unneeded headaches.

19 Spice ups
14

Yes, thank you for that reminder.

2 Spice ups
15

There is a great deal of “common knowledge” out there about VLANs that’s just plain wrong and counter-productive. The biggest driver of the use of unnecessary vlans is laziness - people who can’t deal with any network that doesn’t use a /24. Instead of making the subnet match the requirement, they just add more vlans because that’s all they know how to do.

To the greatest extent possible and appropriate, network communication should take place at layer 2. A PC, a server, and a printer, all connected to the same switch, will communicate entirely within the backplane of the switch - that’s darn fast. Traffic that doesn’t leave the switch doesn’t fill up the pipe between switches and it doesn’t cause any sort of impact on the network. The point of the LAN (local area network) is to have all the devices in a local area talk to each other without routing.

On the other hand, if you group devices by function, you guarantee the maximum amount of layer 3 traffic. Now every interaction with a server or printer has to travel to the router and then back to the device - which may very well be connected in the adjacent port on the same switch as the original device! That’s just nuts. And if you’re using your firewall as a router (the biggest sin of all), then you’re having your firewall do a lot of unnecessary routing and traffic handling.

VLANs are a convenient method to pretend that you have a separate LAN. The only place that vlan identities are enforce is inside the switch. They provide no real security outside the switch because they’re not really separate LANs - all the traffic is just hanging out there in the breeze for anyone to see. That’s okay if you trust the LAN - but you should never trust the LAN.

As long as you have physical security on your switches and wiring, vlans are a convenient way to keep traffic from seeing each other. Use that when it’s appropriate. If two devices are never going to talk to each other, put them in separate (v)LANs. If they are going to talk to each other, let them talk.

If you have some odd requirements, such as permitting these two PCs to access a server, but not those 2, then you can possible make a case for putting a gatekeeper between the server the PC LAN. But that’s not really a practical option - especially if you think DHCP for endpoints is the way to go. You can’t write access control entries for IPs that change constantly.

A switch is designed to move traffic at L2. A router is designed to move traffic at L3. A firewall is an anti-router; it’s designed to prevent traffic from moving at L3. Choose wisely.

25 Spice ups
16

Masta Robert has spoken…

vlan_school.jpg
vlan_school.jpg753×396 30.3 KB
16 Spice ups
17

Lots of varying advice so far. Just some additional thoughts.

  • Before you change anything, document everything (which you seem to be on the case which is good)

  • Photograph everything, every piece of kit and connection and status LED if possible.

  • Be very careful with reliance on an ISP managing a router. Regardless of whether you go for a greater number of VLANs, a smaller number of VLANs, or no VLANs at all, do factor in any time that you might be having to wait for an ISP to make a config change for you. Fine for them to manage their router, but time to get changes made is often not very instant.

  • The advice on a smaller set of VLANs seems to be good advice. Separate your guest/visitor wireless traffic, definitely, but be cautious as to how far you VLAN the rest. There is a risk the router will become a bottleneck and/or potential single point of failure. I’m not against VLANing, in fact I’m often in favour of it, but it does need to be carefully considered as part of a bigger picture.

Good luck with it, a good interesting project ahead.

5 Spice ups
18

Good advice. And just to add to this:

Breathe. Don’t worry so much about all the things that could go wrong. Things will go wrong. You’ll fix them and move on. Nothing is unsolvable.

Go slow. Don’t try to do too much at one time. You’ll end up causing more problems than you’ll be trying to fix.

Document what you’re doing as you do it. Somebody is going to have to come after you and work on things at some point, and they’re going to appreciate having something in their hands to refer to.

Don’t do things just because it will be more technical. The acronym KISS applies. Remember, you’re going to have to manage this network when it’s done. If you don’t need VLANs, don’t use VLANs.

And finally, read what Robert writes. And then read it again.

7 Spice ups
19

I have to admit I’m having more questions than I started with! I appreciate all the responses.

1. It sounds like I should forget the whole VLAN idea. If this is the case, are you telling me it’s fine having all the switches on the same subnet as our users? For example, let’s say I change it to 192.168.0.0/22. Are the users and equipment all on this network?

Yes, that’s 1024 IP addresses in that range. More than enough to work with.

2. Similar to that, do I block of some addresses at the start? For example, let’s say 192.168.0.5 for our DC and then keep 192.168.0.10 - .50 for networking equipment and start my DHCP scope at .51?

Now we’re talking. Generally I block my Networking equipment at the beginning of the range, and then my servers come after that. That way IF you ever have to put in another VLAN in, then you use the same block for networking equipment in the new VLAN. 192.168.0.0 - 0.31 for networking, 192.168.0.32 - 64 for servers, then printers after that. BTW, IP addresses are cheap. Why not put your DHCP scope at 192.168.3.1-254? It’ll be out of the way from all your other devices.

3. The AP’s I purchased are Unifi AC Pro to put around the office (replacing Cisco WAP321 units). I’ll create a standard corporate network for all the laptops and then another guest SSID for employee phones and visitors. Is setting that 2nd SSID to a guest network sufficient for security?

I’m not sure I’m following your logic here. you want your employee phones to be on the same SSID that potential visitors are on? Not a great idea. Put your phones on the same SSID as your corporate network, and use QOS. Then put the Guest Network on a separate network with a separate DHCP. Keep em separate if ya can; otherwise, use a VLAN to do it.

4. The Pi’s and other IoT devices I could also put on that guest network or create another “IoT” SSID. I want to set the Pi’s at least with static IP’s so that’s why I figure another SSID and then I connect to that SSID when I need to SSH into them.

I think you’re making this too hard on yourself. Unless you have internal security issues or want an invisible SSID, then just put the IoT devices on the same SSID as the Corporate Network. You could even use DHCP to assign them a static IP if you want to, then you could SSH into them from your desktop.

5. The applicant testing computers I’ll hook up to their own switch that will connect to another interface on the firewall that will handle DHCP.

Ok. Separate DHCP scope? Do they have to talk to the server? (If so do you know which ports?) I’m assuming that they can’t talk to employees desktops. Do they need to print? Will they have their own printer, so they don’t need to access a corporate printer?

6. Similar to the previous, I’ll connect the SONOS devices to a 3rd interface on the firewall that will handle DHCP. I’ll setup a cheap wireless router on this to connect an old ipad to for the SONOS Controller.

Ok. Not sure what the point of this is. Couldn’t you just hook it up to the Guest Network, and make the Guest Network non-browseable. You already have it configured, so it should be a slam dunk.

Just remember it’s always easy for us to ask the questions and give answers, but in the end… you have to do the real work. What are you comfortable doing?

5 Spice ups
20

You should really keep things simple…and maybe stop “hearing” or “taking advise” from friends if it does not sound logical.

You only have

  • 150 users (I rounded up from 100, lappy and printers etc) and probably 150 phones as well.

  • 20 “non-user” computing devices including SONOS (office radio ??)

  • free or guest Wifi

I would drop VLANs idea 100%.

The only thing is the “free Wifi” for guest which I would do some research and get a proper wireless AP that can serve that purpose by using direct Internet connectivity. Depending on your Organisation…my Hotels and Office lobby uses a low costs “consumer” Internet with its own wireless AP for Internet only “free Wifi” (you can set easy to use passwords if required).

Sometimes paying that $100 a month for additional Internet line and consumer grade wireless APs to supply “free Wifi” may reduce the much headaches and complexities. It also lower costs as compared to paying $1,000 to $50,000 for Enterprise grade appliances, firewalls, Wireless AP, VLANs, Enterprise grade Internet subscriptions. We just use a AC power timer to switch the “cable modem” off from 8pm and on 7am daily.

1 Spice up