Computer networks
@Detsle, 2016-04-25 14:33:33

How to do network segmentation correctly?

Good afternoon, guys!
I have some ideas, but I decided to consult and see what you can suggest.
Equipment:
1) Zywall 310
2) Switches
3) SIP phones
4) Booking server
5) Shared file store (WD ShareSpace)
6) Programmers' server
7) About 100 computers
8) Wi-Fi access points
Right now the picture is as follows:
Zywall -> switches -> and from there chaotically across the entire network
I want to put things in order and segment the network correctly.
What I want to do:
1) Create several subnets
Network 1: service equipment, servers, and so on
Network 2: wired users (with static internal IPs), then limit bandwidth per department
Network 3: Wi-Fi and wireless users
Network 4: guest (for visitors, Internet only, no access to internal resources)
Connect the first three networks so that users and the equipment can interact.
2) On the Zywall 310, limit bandwidth on the wire (per department, with static addresses for everyone so that traffic can be monitored).
3) Close all ports and open only the necessary ones.
Is this the right approach? If not, please advise. If so, what other options could be considered?
And will it reduce the load on the network?

3 answers
Saboteur, 2016-04-25
@saboteur_kiev

About 100 computers? Only that many?
Put everything in one network; no subnets needed.
You can limit the speed either on specific switch ports (you can keep a list of who is on which port, or move users between switch ports so that departments sit in a row, which is easier).
Or restrict by IP address on the router. Give everyone static IPs (simply configure several pools in DHCP and make reservations by MAC address; you can allocate a separate pool for Wi-Fi and for guest users and block their access to the office network).
That is the only place where, in principle, a separate subnet would make sense: for guest connections, if they only need the Internet and do not need any resources such as shared drives, printers, etc. But again, it depends on your requirements and the number of clients.

CityCat4, 2016-04-25
@CityCat4

A reasonable solution. Servers, routers, switches, and management interfaces should be moved to a separate subnet so that "outsiders don't go there." Wi-Fi, because it is hard to control, goes separately; guest access is separate from everything.
As for the network load, it is not a given that this will reduce it; on the contrary, it may increase it, but it will significantly improve security. Users with users, guests with guests...

Alexey Cheremisin, 2016-04-26
@leahch

Well, I would start with VLANs. Per VLAN: accountants, programmers, managers, equipment. A separate guest VLAN for Wi-Fi. All VLANs converge on the central switch and are routed there. On the switches, GVRP and DHCP snooping are configured, with access policies on the central one defining which VLAN goes where.
On the Wi-Fi access points, two networks are brought up, guest and work (it is also possible to lump the programmers in with the accountants).
On the router, you configure which bandwidth is available to which VLAN; in addition, you can set aside a DMZ zone for access from the Internet.
VLANs are good! Especially if the programmers like to abuse multicast (then enable IGMP snooping).
Well, for the paranoid, there is a RADIUS server with 802.1X authorization and a guest VLAN on the switches. It will be very enterprise :-)
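The question's plan (three staff networks that talk to each other, a guest network with Internet only, all other ports closed) and the VLAN plus DMZ design in this answer both come down to one inter-zone access matrix that the router enforces. The script below is an added example, not code from the thread or from any Zyxel configuration: it models that matrix with default deny and evaluates sample flows against it, so the policy can be checked on paper before it is typed into the Zywall. The subnet numbers, zone names and sample flows are constructed assumptions.

```python
"""Inter-zone access policy for a segmented office network.

Constructed example: subnet numbers, zone names and sample flows are
assumptions chosen for illustration, not values from the thread.
"""
import ipaddress
from itertools import combinations

# Assumed addressing plan, one VLAN/subnet per zone.
ZONES = {
    "infra": ipaddress.ip_network("10.0.10.0/24"),  # servers, SIP, switch management
    "wired": ipaddress.ip_network("10.0.20.0/24"),  # wired users with static addresses
    "wifi":  ipaddress.ip_network("10.0.30.0/24"),  # staff wireless
    "guest": ipaddress.ip_network("10.0.40.0/24"),  # guests: Internet only
    "dmz":   ipaddress.ip_network("10.0.50.0/24"),  # services published to the Internet
}
INTERNET = "internet"  # anything outside the zones above

# Allowed (source zone, destination zone) pairs. Anything not listed is
# denied, which is the "close all ports, open only the necessary ones" default.
ALLOW = {
    # staff zones and infrastructure talk to each other
    ("wired", "infra"), ("wifi", "infra"), ("infra", "wired"), ("infra", "wifi"),
    ("wired", "wifi"), ("wifi", "wired"),
    # every internal zone may reach the Internet; guests may reach nothing else
    ("infra", INTERNET), ("wired", INTERNET), ("wifi", INTERNET), ("guest", INTERNET),
    # the DMZ is reachable from the Internet and from wired users, never from guests
    (INTERNET, "dmz"), ("wired", "dmz"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone, or INTERNET if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


def is_allowed(src_ip: str, dst_ip: str) -> bool:
    """Decide whether the router should forward src -> dst.

    Traffic inside one zone never crosses the router (it is switched
    within the VLAN), so it is reported as allowed here.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != INTERNET:
        return True
    return (src, dst) in ALLOW


def overlapping_zones() -> list:
    """Return zone pairs whose subnets overlap; a correct plan has none."""
    return [(a, b) for (a, na), (b, nb) in combinations(ZONES.items(), 2)
            if na.overlaps(nb)]


def audit(flows) -> list:
    """Evaluate (src, dst) flows and return (src, dst, verdict) triples."""
    return [(s, d, "allow" if is_allowed(s, d) else "deny") for s, d in flows]


# Constructed sample flows covering the cases the thread discusses.
SAMPLE_FLOWS = [
    ("10.0.20.15", "10.0.10.5"),    # wired user -> booking server
    ("10.0.30.22", "10.0.10.7"),    # Wi-Fi laptop -> file share
    ("10.0.40.9", "10.0.10.7"),     # guest -> file share
    ("10.0.40.9", "198.51.100.1"),  # guest -> Internet
    ("203.0.113.4", "10.0.50.2"),   # Internet -> DMZ host
    ("203.0.113.4", "10.0.20.15"),  # Internet -> user PC
    ("10.0.40.9", "10.0.50.2"),     # guest -> DMZ
]

if __name__ == "__main__":
    assert not overlapping_zones(), "subnets overlap"
    for src, dst, verdict in audit(SAMPLE_FLOWS):
        print(f"{src:>14} -> {dst:<14} {verdict}")
```

Each entry in ALLOW maps directly to one allow rule between two router zones, and the absence of a pair is the implicit deny; adding a department VLAN later means adding a subnet to ZONES and only the pairs it genuinely needs to ALLOW, with the overlap check catching copy-paste mistakes in the addressing.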
