VLan question

Hi guys.... I am thinking about segregating our resources with vlans. Do you think it would be wise to put pc's, thin clients and printers on their own vlans? Also, we have 3 sites, one connected via vpn (ASA's) and another by evpl (routers). all different subnets.... can i start "vlanning" at the main site as long as i keep the servers etc on the current default vlan without disrupting access for the other 2 sites?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

MAC_Addy

Just make sure you're using router on a stick and you'll be fine.

tdean

MAC_Addy wrote: »

Just make sure you're using router on a stick and you'll be fine.

Yes, thats how i'll be doing it. And then just add the DHCP pools in windows with a helper ip pointing to it and i'm good?

MAC_Addy

Not too sure about the Windows side of things since I'm not really a Windows person, but in theory, that should work, yes. Or, you could have your DHCP setup via your Cisco router.

tdean

MAC_Addy wrote: »

Not too sure about the Windows side of things since I'm not really a Windows person, but in theory, that should work, yes. Or, you could have your DHCP setup via your Cisco router.

Adtran router

hehe... i would like to do the pools on the router but we have so many static ip's for the SSL vpn, it would be a huge pain i think.

thanks for your help.

tdean

Oh, do you think its a good idea to put them on their own vlans? the pc's, Thin clients and printers?

higherho

tdean wrote: »

Hi guys.... I am thinking about segregating our resources with vlans. Do you think it would be wise to put pc's, thin clients and printers on their own vlans?

Printers should be on their own VLAN. I currently have one VLAN per domain and a VLAN for printers. All my laptops, DHCP server, file server, etc are all in one VLAN. Then my printers are in another and my other domains are in their own vlan too. Now you wouldn't need a DHCP helper address unless you have users in different VLANS. I have 5 VLANS and in 4 of them I use static IP's for the devices in them (since their servers anyways). In the one VLAN I have all my users in and the DHCP server so I do not need a helper address.

and like MAC_Addy said, Router on a stick and you will be fine.

tdean

higherho wrote: »

Printers should be on their own VLAN. I currently have one VLAN per domain and a VLAN for printers. All my laptops, DHCP server, file server, etc are all in one VLAN. Then my printers are in another and my other domains are in their own vlan too. Now you wouldn't need a DHCP helper address unless you have users in different VLANS. I have 5 VLANS and in 4 of them I use static IP's for the devices in them (since their servers anyways). In the one VLAN I have all my users in and the DHCP server so I do not need a helper address.

and like MAC_Addy said, Router on a stick and you will be fine.

So the static vlans you just config a subnet but no dhcp?

Puffy

Shouldn't be a problem. I did a lab setup before, where I had 3 VLANs, one of which housed a Server 2008 DHCP server configured with 3 dhcp scopes. I used ip helper on the sub interfaces for the other 2 VLANs to point to the dhcp server and I was getting the ip leases without a problem.

higherho

tdean wrote: »

So the static vlans you just config a subnet but no dhcp?

If you want to be real secure you would create a User vlan , printer vlan, sever vlan, etc but that goes into VLAN filtering and private vlans which is (from what I was told and researched) CCNP level stuff.

As to your question I'm a little confused. You will want DHCP for your users / workstations. For your servers you should be using static IP's.

Vlan 20 - user vlan
Vlan 30 - printer vlan

go on the port that a user is connected to;

switchport mode access
switchport access vlan 20
switchport port-security mac sticky
switchport port-security violation shutdown

you will need to configure router on a stick (or have some type of routing) so that the vlans could talk to each other.

at least that's how I would do it on the basic level. The IP helper command is used if your DHCP server is on a different subnet than your users, etc. Basically its a relay and "helps" that device contact the DHCP box.

tdean

Great responses guys. Answers my questions exactly. I think i'll start with our wireless network.