I have been tasked with the job of redesigning our company network. To give a quick background, we went from about 60 people to over 215 in the last 2 years. The current network was designed for a small company and I don’t have much experience with larger networks. I want to make sure it is done right so we have room to grow. We are spread out over 2 buildings (building 1 and building 2; a 3rd may be added soon) which we do not own; we lease the space and are constantly trying to obtain new office space as tenants leave. Our company started on the 4th floor of building 1; we take up the entire floor, which consists of about 80 users, office space, the server room (main equipment room) and labs. In building 1 we also take up most of the 1st floor (25 users, office space), most of the 3rd floor (40 users, labs and office space), and part of the 5th floor (10 users, labs and office space). In building 2, we have an admin area on the first floor with about 20 users and a lab area on the 4th floor with about 5 users. Some users are remote and some move around.

We currently have 3 networks: 192.168.0.0, 192.168.3.0 and 192.168.20.0. We are very low on IP addresses so I need to come up with a plan. This is what I have in mind but, as I mentioned, I want this to be done correctly and be able to grow with the company. I have a Dell SonicWALL NSA 2600 that I plan to run DHCP off of. I have also added a 2nd one for failover. I plan to add a 16-port core fiber switch and have each “site” (floor) connect directly via a fiber connection (we just had this added and fiber now connects buildings 1 and 2). On the SonicWALL, I was thinking of creating several VLANs. It would look something like this:

VLANs (VLAN ID is same as network #)

Static & Management – No DHCP – 192.168.0.0 – VLAN ID 1 – Servers, printers, APs, etc.

Wireless gets separate DHCP from AP. APs will have static IP on 192.168.0.0 network

Secure Lab Network - 10.1.10.0 - VLAN ID 100 (this must be completely separate)

Non-Secure Lab Network - 172.16.1.0 – VLAN ID 172

VoIP – 192.168.37.0 – VLAN ID 37

Building 1

1st Floor & Basement - 192.168.10.0 – VLAN ID 10

3rd Floor – 192.168.30.0 – VLAN ID 30

4th Floor – 192.168.40.0 – VLAN ID 40

5th Floor – 192.168.50.0 – VLAN ID 50

Building 2

1st Floor – 192.168.15.0 – VLAN ID 15

4th Floor – 192.168.45.0 – VLAN ID 45

All switches are Dell X1052P and would be configured for each VLAN to have the necessary VLANs they should communicate with. There are talks about adding a site in another state in the next few years. As I mentioned, the company is growing rapidly and I am looking for some suggestions. Hopefully I am on the right track and won’t need to completely rethink what I have thus far.


I did the same thing myself a few years ago. Two things I would note. Using VLAN ID 1 is generally frowned on and is considered a security hole, particularly when it is on a common Class C IP range. (Almost everything comes default with this… I had the president of the company somehow get a static IP on his tablet from home and take down a server once when he brought it to work, as I was transitioning the network from mom and pop to more enterprise grade.) Secondly, I am familiar with the SonicWALL NSA 2600 and it sounds like you are putting quite a bit of load on it. It will handle it, but generally on a network that size you run DHCP on a central Windows Server; it’s easier to manage, most especially if you have several DHCP servers (SonicWALL, APs, static, etc.). If you have a reason you want to do it that way, you can probably get away with it. However, the bigger a network gets, the less you want to have devices doing multiple things; just let devices concentrate on their “main purpose”. Sounds like you are doing firewall, routing, DHCP and potentially VPN with your SonicWALL. Just something to think about. Personally I like what you are doing in adding more VLANs and segregating things in general. But on the other hand you are not tied to only using /24 network masks. For some of these VLANs / subnets you might need more than just 254 usable addresses, like Wi-Fi, depending on your situation. Sounds like you are making a good plan, and I’m trying to think of any potential weak spots I see to help. Good luck!


That is some great advice. Thank you for your opinion. The reason I wanted to keep static devices on VLAN 1 is that everyone is already mapped to servers, printers and other devices. I figured this way the IPs would not change at all and it may help with a more seamless transition. I may be able to set it to a different VLAN ID and keep that network range. I will also look into getting a dedicated server for DHCP. From what I read the SonicWALL could handle this and VPN, but a dedicated server might be the best option.

If your expectation is that you will continue to expand, make sure you aren’t painting yourself into a corner. Excellent advice on “focusing” devices on their intended task. It also helps with budgeting, maintenance, and replacement of devices and your network.

You will want to plan for failures too, especially as you start to centralize services (like DHCP, DNS, etc.). Think about what will break and how people react to the consequences of that breakage. When a wireless access point that isn’t also acting as a router dies, the impact is minimal. Compartmentalization goes a long way.

Make your naming conventions and structure open ended then make a checklist for expansion. If you ever have to contract something out or hire staff you have instant standards for any work.

How about future proof it with a large address space of 2046 (0/21 Class B Network)?

I think a large network like that - Best Practice - is to have a dedicated DHCP server.

When you say to “future proof it with a large address space of 2046 (0/21 Class B Network)”, do you mean for each VLAN to have a Class B address, or one large network?

Just one large network. I worked with another IT engineer 5 years ago to get this done. I remember there were issues afterwards (I should’ve taken notes). We had a Class C network and were running out of IP addresses. It wasn’t in the company budget to spend on updating the switches.
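The following is an added example, not code from any post in this thread. It takes the VLAN table from the first post and checks it against the points raised in the replies: VLAN 1 in use, subnets that are too small once growth headroom is applied, overlapping or non-RFC 1918 ranges, and what the single 2046-address /21 suggested above would and would not absorb from the three networks in use today. The /24 masks, the headcounts for the management, lab and VoIP VLANs, the `Vlan` class and all function names are assumptions made for the example; per-floor user counts are the ones given in the first post.

```python
"""Sanity checks for the VLAN/subnet plan discussed in this thread.

Added example, not code from the original posts. The table is transcribed
from the first post; /24 masks and the headcounts for the management, lab
and VoIP VLANs are assumptions (the post gives user counts per floor only).
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


def net(cidr: str) -> ipaddress.IPv4Network:
    """Strict parse: rejects host bits set in the network address."""
    return ipaddress.ip_network(cidr, strict=True)


@dataclass(frozen=True)
class Vlan:
    name: str
    vlan_id: int
    network: ipaddress.IPv4Network
    expected_hosts: int  # per-floor counts from the post; other figures assumed


PLAN = [
    Vlan("Static & Management", 1, net("192.168.0.0/24"), 60),      # count assumed
    Vlan("Secure Lab", 100, net("10.1.10.0/24"), 20),               # count assumed
    Vlan("Non-Secure Lab", 172, net("172.16.1.0/24"), 20),          # count assumed
    Vlan("VoIP", 37, net("192.168.37.0/24"), 215),                  # one phone per user, assumed
    Vlan("B1 1st Floor & Basement", 10, net("192.168.10.0/24"), 25),
    Vlan("B1 3rd Floor", 30, net("192.168.30.0/24"), 40),
    Vlan("B1 4th Floor", 40, net("192.168.40.0/24"), 80),
    Vlan("B1 5th Floor", 50, net("192.168.50.0/24"), 10),
    Vlan("B2 1st Floor", 15, net("192.168.15.0/24"), 20),
    Vlan("B2 4th Floor", 45, net("192.168.45.0/24"), 5),
]

# The three networks in use today per the first post (/24 assumed).
LEGACY = [net("192.168.0.0/24"), net("192.168.3.0/24"), net("192.168.20.0/24")]


def usable_hosts(network: ipaddress.IPv4Network) -> int:
    """Addresses left after the network and broadcast addresses (a /21 gives 2046)."""
    return network.num_addresses - 2 if network.prefixlen <= 30 else network.num_addresses


def find_overlaps(vlans):
    """Pairs of VLAN names whose subnets overlap; routes between them would be ambiguous."""
    return [(a.name, b.name) for a, b in combinations(vlans, 2)
            if a.network.overlaps(b.network)]


def check_plan(vlans, growth=2.0, infra_reserve=5):
    """Findings a reviewer would raise: VLAN 1 in use, duplicate IDs, public space,
    overlaps, and subnets too small for the headcount once `growth` headroom and a
    few reserved gateway/infrastructure addresses are accounted for."""
    findings, seen_ids = [], set()
    for v in vlans:
        if v.vlan_id == 1:
            findings.append(f"{v.name}: VLAN 1 is the default/native VLAN on most switches; use another ID")
        if v.vlan_id in seen_ids:
            findings.append(f"{v.name}: VLAN ID {v.vlan_id} is used twice")
        seen_ids.add(v.vlan_id)
        if not v.network.is_private:
            findings.append(f"{v.name}: {v.network} is not RFC 1918 space")
        need, have = int(v.expected_hosts * growth) + infra_reserve, usable_hosts(v.network)
        if need > have:
            findings.append(f"{v.name}: {v.network} has {have} usable addresses but needs "
                            f"~{need} with {growth:.0%} growth; widen the mask")
    for a, b in find_overlaps(vlans):
        findings.append(f"{a} and {b} overlap")
    return findings


def smallest_supernet(networks):
    """Smallest single prefix that contains every given network (one summary route)."""
    first = networks[0]
    for prefix in range(first.prefixlen, -1, -1):
        candidate = first.supernet(new_prefix=prefix)
        if all(n.subnet_of(candidate) for n in networks):
            return candidate
    raise AssertionError("unreachable: 0.0.0.0/0 contains everything")


def supernet_report(candidate, legacy, plan):
    """What a proposed large block (e.g. the /21 from the thread) absorbs or collides with."""
    return {
        "usable": usable_hosts(candidate),
        "carved_into_24s": [str(s) for s in candidate.subnets(new_prefix=24)],
        "legacy_inside": [str(n) for n in legacy if n.subnet_of(candidate)],
        "legacy_outside": [str(n) for n in legacy if not n.subnet_of(candidate)],
        "plan_vlans_overlapping": [v.name for v in plan if v.network.overlaps(candidate)],
    }


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print("-", finding)
    print("today's three networks summarize to", smallest_supernet(LEGACY))
    print(supernet_report(net("192.168.0.0/21"), LEGACY, PLAN))
```

With the assumed headcounts the checker flags exactly two things: the management VLAN sitting on VLAN 1, and the VoIP /24 being too small once every user has a phone and the plan is allowed to double. The supernet report shows the trade-off behind the /21 suggestion: it would absorb 192.168.0.0 and 192.168.3.0 but not 192.168.20.0, it can be carved back into eight /24 VLANs later, and as one flat network it puts 2046 addresses in a single broadcast domain, which is the opposite of the per-floor segmentation in the original plan.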

Here’s another similar thread you can read.