Hi, newbie here. We recently had someone come in and look at our network setup and he suggested we could set up our network a lot better.
Currently we have all our VLANs defined on our MXs and use layer 3 firewall rules to separate them. He suggested we should have all the VLANs on the switches themselves, as all traffic is going through the MX via a 1 Gbps uplink and the switches should be handling local traffic.
Just wondering how you guys are setting things up?
@Jamest201 Network design has to incorporate quite a few variables, but also ask the simple question: what are you trying to achieve? Below are some of the questions I could think of just off the top of my head; I am sure others will have more to add.
1. How many clients do you have on your network?
2. Do you have VoIP or any other service that requires QoS?
3. Do you have to limit certain parts of the network for various departments?
4. Do you have high-traffic devices like CCTV that you need to segregate?
One other thing to think about is the link speed for your backbone: can you get away with 1 Gb, or do you require 10 Gb or higher?
In an ideal world, network design should reflect work practices.
Having become a Cloud-centric organisation, without local servers, we have found that virtually all traffic is LAN to WAN and very little is LAN to LAN.
Fortunately, we had already chosen to implement multiple VLANs (to sort the sheep from the goats) and had ceased allowing catch-all values on access and link ports. So the switch to Cloud-centric was a no-brainer.
We do have a lot of VLANs; our network design/security methodology has become analogous to the onion, with progressive "skins" of greater security. If everything is legit, it's transparent; otherwise it is a quagmire, with its own Room 101. Each ring has its own unique VLAN schema (so there may be 3 Management VLANs - 11, 22, 33) and firewalls between each skin.
It is much more complicated to describe than to implement. One of the benefits is that the goats (Guest WiFi, Multicast IP TV playout, IoT devices, AV kit etc.) come nowhere near anything sensitive such as personal and application workstations, and are completely unaware of secure LAN-WAN traffic. We do allow HDMI connectivity between secure devices on different layers; we monitor this for vulnerabilities.
Monitoring for vulnerabilities is important, we have detected attempts by "smart" utility metering equipment to access the Internet using Zigbee.
As more organisations adopt the Cloud-centric model, we expect to see more adoption of similar architectures.
I would suggest setting your strategic IS goals (ISSP), and then implementing a network design that simplifies enabling the transformations required to achieve those goals.
Might take a look at this recommendation.
Keep in mind your single point of failure....
If you use inter-VLAN routing, it's better to do this on a redundant/stacked "core" switch than on a single firewall.
The other way around: if you have single switches and a redundant firewall, I would think about putting the routing point there, depending on the amount of inter-VLAN traffic.
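The trade-off raised in the original question (all traffic hairpinning through the MX over a single 1 Gbps uplink) and in the last reply (where to put the routing point depends on the amount of inter-VLAN traffic) can be put into numbers. The script below is an added example and not part of any post in this thread; the VLAN names, flow rates and the 1 Gbps uplink are constructed for illustration. It models a single switch-to-MX uplink and compares two designs: inter-VLAN routing on the MX (east-west traffic crosses the uplink twice, once up and once back down) versus routing on the core switch (east-west traffic never leaves the switch). It also lists the flows that no longer pass the MX layer 3 firewall in the second design, because that is the part of the move that is easy to forget: once the switch routes between VLANs, the MX firewall rules no longer see that traffic, and equivalent ACLs have to exist on the switch.

```python
from dataclasses import dataclass

WAN = "WAN"  # pseudo-VLAN standing in for the Internet side of the MX


@dataclass(frozen=True)
class Flow:
    src: str     # VLAN name, or WAN
    dst: str     # VLAN name, or WAN
    mbps: float  # sustained rate from src to dst


def classify(flow):
    """Bucket a flow as north-south (to/from WAN) or east-west (VLAN to VLAN)."""
    if flow.src == WAN and flow.dst == WAN:
        raise ValueError("a WAN-to-WAN flow never touches the LAN uplink")
    if flow.dst == WAN:
        return "lan_to_wan"
    if flow.src == WAN:
        return "wan_to_lan"
    return "east_west"


def uplink_load(flows, routing_at):
    """Load on the single switch<->MX uplink, per direction, in Mbps.

    routing_at == "mx":   the MX is the default gateway for every VLAN, so
                          east-west traffic goes up the uplink and back down
                          (router-on-a-stick).
    routing_at == "core": the switch stack routes between VLANs; only
                          north-south traffic uses the uplink.
    Returns (up_mbps, down_mbps, east_west_flows_bypassing_mx_firewall).
    """
    if routing_at not in ("mx", "core"):
        raise ValueError("routing_at must be 'mx' or 'core'")
    up = down = 0.0
    bypass = []
    for f in flows:
        kind = classify(f)
        if kind == "lan_to_wan":
            up += f.mbps
        elif kind == "wan_to_lan":
            down += f.mbps
        elif routing_at == "mx":
            up += f.mbps    # hairpin: consumes the uplink in both directions
            down += f.mbps
        else:
            # Switched locally; the MX layer 3 firewall never sees this flow,
            # so the segmentation must be enforced on the switch instead.
            bypass.append((f.src, f.dst))
    return up, down, bypass


def compare(flows, uplink_mbps=1000.0):
    """Evaluate both designs against a given uplink capacity."""
    result = {}
    for design in ("mx", "core"):
        up, down, bypass = uplink_load(flows, design)
        result[design] = {
            "up_mbps": up,
            "down_mbps": down,
            "fits": max(up, down) <= uplink_mbps,
            "bypasses_mx_firewall": bypass,
        }
    return result


# Constructed sample traffic matrix (not measured data): a mostly
# cloud-centric site plus one heavy east-west flow, CCTV cameras to an NVR
# on a separate VLAN.
SAMPLE_FLOWS = [
    Flow("Users", WAN, 300),
    Flow(WAN, "Users", 500),
    Flow("Guest", WAN, 100),
    Flow("IoT", WAN, 20),
    Flow("CCTV", "NVR", 700),
]

if __name__ == "__main__":
    for design, r in compare(SAMPLE_FLOWS).items():
        print(f"routing at {design}: up {r['up_mbps']:.0f} Mbps, "
              f"down {r['down_mbps']:.0f} Mbps, fits 1G uplink: {r['fits']}, "
              f"east-west flows not seen by MX firewall: {r['bypasses_mx_firewall']}")
```

With these constructed numbers the "route on the MX" design pushes 1120 Mbps up and 1200 Mbps down through a 1 Gbps link, while "route on the core" leaves it at 420/500 Mbps; the price is that the CCTV-to-NVR flow now bypasses the MX firewall and needs an ACL on the switch stack. Replace SAMPLE_FLOWS with your own measured per-VLAN rates to see which side of that line your site falls on.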