
I currently manage an environment with IP addressing of 10.10.10.x/23. We have 3 VLANs set up, and I use that term very loosely. The reason I say I use the term loosely is, the 3 VLANs have full access to each other. VLAN10 is our internal network, VLAN20 is our guest Wifi and VLAN30 is our DMZ. The environment has your typical servers, workstations, printers, plus we have security cameras but no VOIP. We have close to 200 workstations, 29 printers, 20 servers, 40 security cameras.

The guest wifi should just have access to the internet and that's it, not my internal network. Some of the questions I have with planning our VLAN setup are: currently our ASA5505 is "routing" the traffic and has the ACLs for the VLANs; should I keep it this way or should the ACLs be moved to my Cisco 3750X switches? Right now my plan was to set up the VLANs as follows:

VLAN    Purpose             Subnet
10      Servers             10.10.10.x/24
20      Workstations        10.10.20.x/24
30      Internal Wifi       10.10.30.x/24
40      Cameras and Server  10.10.40.x/24
100     DMZ                 192.168.100.x/24
110     Guest WiFi          192.168.110.x/24

I'm also not sure if I should keep the printers on the same VLAN as the workstations or servers, or separate them to their own VLAN. If they are in their own VLAN, should the print server be on that VLAN also?

JoeP (edited by Andrew Schulman)

3 Answers


I think you would do well to think about why you might use VLANs to begin with.

It sounds like you have reasons to limit / segment traffic, but I would question if you're really going to do the homework necessary to build ACLs to have fine-grained control of traffic between PCs, servers, and printers. In every case that I've seen that done the admin ends up giving up and just opening all traffic (allow ip any any) between the "server VLAN" and the "workstation VLAN" because they can't get software vendors to disclose what ports / protocols are necessary to make applications work (or because the applications use dynamic ports that aren't handled by protocol handlers in the inter-VLAN router).

The typical trade-off between using a layer 3 switch versus a more router-like device like a Cisco ASA is expressiveness of the ACL system versus routing performance. A layer 3 switch can typically route at wire-speed, however it may not support ACLs with enough expressiveness to do what you need. In some cases, the layer 3 switch ACL system does have the expressiveness, but using those expressive features may cause routing to move through a CPU rather than an ASIC, diminishing performance.

I'd start by building a list of the ACLs I intend to have, then evaluating if the layer 3 switches are capable of handling them and, if they are, keeping the traffic in a "fast path" while doing so. You'll get the highest performance routing in the layer 3 switches, but (particularly with your guest wifi VLAN) the ASA may be a better fit from a rule expressiveness perspective.

Insofar as your printers go: If you're looking to limit access to the printers to only authorized administrators and the servers queuing them, then you may want to throw them into a VLAN. Some people are fine with printers being directly accessible by client computers, but other environments (where the printed items are of a sensitive nature, or where billing software needs to arbitrate access to the printers) benefit from isolating the printers and strictly limiting the hosts that can connect to them. You'll have to gauge your needs there. How much accountability do you need with respect to auditing print jobs, for example?

Evan Anderson

You don't "need" a VLAN just for the printers, but since you are planning your network now and creating the VLANs I would make one. The printer server usually doesn't need to be on the same VLAN as the printers since it doesn't need to speak with them using layer 2 but connects using TCP/IP. So you can keep it in the servers VLAN.

edit: oh, I was missing the other question. I would also keep routing on the ASA, because you can do more fine-tuning on ACLs there than on the switches. Considering your VLAN setup, I also would NOT route using the switches.

unlink

If your switches have IP routing turned on, then you MUST put ACLs on the switches. If your ASA is connected to your switches with a trunk and is configured with an IP in each VLAN, then you'll also have to apply ACLs there to prevent the ASA from routing.

My recommendation:

  1. Do not use a trunk port with the ASA. Use one interface per network (DMZ, inside, outside, guest internet).
  2. Do the routing on the switches.
  3. Apply ACLs on the switches to prevent routing between the DMZ, internal and guest networks.
  4. Don't use a separate VLAN for printers. Keep them on your workstation VLAN. If you move them to a separate VLAN then moving printers and computers around requires switch changes. I tend to VLAN my networks so that everything inside the server room requires configuring a switch port, but all ports in userland are configured exactly the same to ease user device moves.
longneck