I understand your "traffic flow" perspective, but I must state that it is
not in alignment with modern data flow.  The vast majority of traffic
nowadays seems to be moving toward "Enterprise applications" i.e.
"PeopleSoft", "LotusNotes", "Oracle Financials" located on hosts that serve
multiple applications i.e. "application servers".  Therefore, I belong to the
school of thought that VLANs should be laid out with a security and
accounting perspective.  I divide my clients into VLANs based on functional
business unit.  The underlying assumption is that Finance people generally
have a similar security profile and differ from the security profile of
say, manufacturing staff.  The security profile is based on what special
application servers these groups access.  For instance, the Finance people
may use Oracle Financials.  If the manufacturing people never access Oracle
Financials, then a clever hacker on the manufacturing VLAN, should not be
allowed to connect to a volume share, or the Check printer in the Finance
department.  By segmenting these two distinct groups into VLANs, they
acquire different IP subnets and that allows you to either control their
network resource access to other VLANs via "Access Control Lists" on the
router, or at least log out the activity if you choose not to restrict
their connections.

Secondly, the datacenter hosts should be in their own VLAN.  A better
solution is to group the hosts into separate VLANs based on risk
assessment.  For instance, if you have three or more interfaces on your
Firewall, you should create an Outside DMZ for your web servers, ftp
servers, mail servers, Citrix Servers, etc., and an Inner DMZ for less risky
servers, possibly servers that are accessed through the Internet via a VPN
or Dial-up.  Lastly, your financial servers, R&D servers and Human
Resources servers should be inside the Inside Interface of your Firewall on
a separate Datacenter VLAN.

These are just a few examples of how you can begin to leverage VLANs for
the purpose of protecting your data.  Segmentation into functional groups
sometimes includes an Executive VLAN so that you can enable priority
queuing to the Internet or other network resources based on the Executives
subnet range.  Etc., Etc., Etc.  Hope this helps.....most of this is not in
any Cisco textbook because they seem to not to want to impose design
options on Network Engineers, however it is based on my experience with
reviewing "Best Industry Practices".


John Squeo
Technical Specialist
Papa John's Corporation
(502) 261-4035
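The inter-VLAN access control the post describes (a per-department subnet plan, router ACLs that deny the manufacturing VLAN any path to Finance resources, and "permit but log" where you choose not to restrict) can be modelled to check a policy before it is typed into a router. The block below is an added example, not part of the original thread or any Cisco configuration; the subnet addresses, rule set and flows are constructed, and the evaluator reproduces first-match semantics with an implicit deny at the end, the way IOS extended access lists behave. It also flags rules that an earlier, broader entry shadows, which is the usual way a carefully written deny silently stops applying.

```python
"""Model of a first-match inter-VLAN access list with IOS-style semantics.

Added example; subnets, hosts and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan: one /24 per functional VLAN (hypothetical values).
VLANS = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "manufacturing": ipaddress.ip_network("10.20.0.0/24"),
    "datacenter": ipaddress.ip_network("10.100.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One access-list entry. proto 'ip' and dport None act as wildcards."""
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "ip"
    dport: Optional[int] = None
    log: bool = False

    def matches(self, s, d, proto, dport) -> bool:
        if s not in self.src or d not in self.dst:
            return False
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match would already match self."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.proto == "ip" or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport))


class AccessList:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.log_entries: List[str] = []

    def evaluate(self, src: str, dst: str, proto: str,
                 dport: int) -> Tuple[str, Optional[int]]:
        """Return (action, index of matching rule); None index = implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for idx, rule in enumerate(self.rules):
            if rule.matches(s, d, proto, dport):
                if rule.log:   # "at least log the activity" option from the post
                    self.log_entries.append(
                        f"{rule.action} {proto} {src} -> {dst}:{dport} (rule {idx})")
                return rule.action, idx
        return "deny", None   # IOS access lists end with an implicit deny any any


def shadowed_rules(acl: AccessList) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers them."""
    return [j for j, later in enumerate(acl.rules)
            if any(acl.rules[i].covers(later) for i in range(j))]


# Policy mirroring the post: manufacturing must not reach Finance at all
# (shares, check printer, anything), Finance may reach the Oracle listener
# (TCP 1521) in the datacenter, and manufacturing-to-datacenter traffic is
# permitted but logged.
INTER_VLAN = AccessList([
    Rule("deny", VLANS["manufacturing"], VLANS["finance"], log=True),
    Rule("permit", VLANS["finance"], VLANS["datacenter"], proto="tcp", dport=1521),
    Rule("permit", VLANS["manufacturing"], VLANS["datacenter"], log=True),
])

# Same intent, wrong order: a broad permit placed first shadows the deny.
MISORDERED = AccessList([
    Rule("permit", VLANS["manufacturing"], ipaddress.ip_network("10.0.0.0/8")),
    Rule("deny", VLANS["manufacturing"], VLANS["finance"], log=True),
])

if __name__ == "__main__":
    for flow in [("10.20.0.15", "10.10.0.9", "tcp", 445),      # mfg -> finance share
                 ("10.10.0.5", "10.100.0.10", "tcp", 1521),    # finance -> Oracle
                 ("10.20.0.15", "10.100.0.10", "tcp", 80),     # mfg -> datacenter
                 ("10.10.0.5", "10.20.0.15", "tcp", 80)]:      # finance -> mfg
        print(flow, "->", INTER_VLAN.evaluate(*flow))
    print("log:", INTER_VLAN.log_entries)
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

Running the file prints the decision for each constructed flow and shows that in `MISORDERED` the Finance deny is never reached; on a real router the equivalent check is reading the hit counters on the list after the policy has been in place for a while.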


"Doug Korell"
Sent by: nobody@groupstudy.com
10/23/01 01:41 PM
Please respond to "Doug Korell"
Subject: Vlan Design [7:23928]

I have worked with Vlans for another company that used a different Vlan for
every department and then had a Vlan for the servers. This goes along with
most design concepts except that at least 2 or more departments often shared
a wiring closet. When tech support would plug in PCs, they often would not
call and the PC would end up being put in Vlan 1 or a different department's
Vlan. Obviously labeling the ports would be helpful but the way things
changed it would never be accurate. Then every time the PCs had to access a
server, they had to hit the 5500 RSM.

I have heard so many suggestions such as use different Vlans for servers,
printers, and PCs. I strongly disagree about putting printers in a different
Vlan because there is no reason for traffic to hit a router when the PC
and printer are next to each other.

What I am thinking about doing is putting groups of closets in Vlans, use
Vlan capable NICs in shared servers, and put other servers that are
dedicated to departments in their Vlan. For the most part, departments all
go into the same closet.

What I am wondering is what logic other people are using for Vlans. I know
traffic flow is a big consideration which I will break up by groups of
closets. I average about 20-40 connections per closet.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=23932&t=23928