Currently we have a flat network (10.x.x.x) implemented. As staff is increasing (250+) and projects from clients are coming in, we are thinking of introducing VLANs to segregate networks and implement security. Our environment is a mix of Windows and Solaris machines and servers, and we use fixed IP allocations. Two options come into focus:
- Buy an L3 switch and implement VLANs. However, an L3 switch is expensive.
- Buy software-based routing and implement the same. The software is cheap; however, speed and throughput limitations may occur.
Depends on the existing network size (i.e., how many servers, routers, etc.), expected traffic patterns, and the security requirements between departments, regardless of how many users exist. Moving from a flat network to a subnetted network will provide greater security flexibility. While I don't recommend scaling upward using hardware, if you already own a couple of spare Cisco routers, an inexpensive solution would be to implement two networks (one network behind each router) and implement security through Access Control Lists (ACLs) and domains.
For performance reasons, install a second network card in heavily used servers so that each card is directly connected to the Ethernet switch behind each router; by doing this you'll keep local traffic local and keep unnecessary traffic off your routers. (When you think about it, you are also adding network interface redundancy; that is, if a network card is faulty, it will only impact users on one network and not both networks.) As for router security, you will want to block NetBIOS (port 139) and SMB (port 445) to prevent users on one network from browsing on the other network, for example. If budget permits and performance is an issue, a layer 3 switch with VLAN properly configured provides for an effective scalable solution, as opposed to a software-based solution. Check out Cisco's Web site for more information on layer 3 switching.
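The ACL the answer describes, written out as a Cisco IOS extended access list. This is an added example, not part of the expert's reply, and the addressing is assumed: network 10.1.0.0/16 behind Router A and 10.2.0.0/16 behind Router B, with the ACL applied on Router A's interface toward Router B. It goes slightly beyond the text by also dropping the NetBIOS name and datagram service ports (UDP 137 and 138), which carry the browse-list traffic that TCP 139 alone does not stop, and it logs the denies so cross-network SMB attempts show up in the router's syslog.

```cisco
! Added example (not from the original answer). Assumed addressing:
!   10.1.0.0/16 = network behind Router A (this router)
!   10.2.0.0/16 = network behind Router B
! Applied outbound on Router A's link toward Router B.
ip access-list extended BLOCK-SMB-CROSSNET
 remark Stop NetBIOS/SMB browsing and file sharing between the two networks
 deny   tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 139 log
 deny   tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 445 log
 deny   udp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 range 137 138 log
 remark Everything else between the networks (DNS, mail, web, etc.) still flows
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/1
 description Link to Router B (network 10.2.0.0/16)
 ip access-group BLOCK-SMB-CROSSNET out
!
```

Mirror the same list on Router B with the source and destination wildcards swapped so the rule holds in both directions; an ACL applied on only one side blocks sessions initiated from that side but not the reverse. After applying it, `show ip access-lists BLOCK-SMB-CROSSNET` shows per-line hit counters, which is a quick way to confirm that cross-network SMB traffic is actually being stopped rather than slipping past on an interface you forgot.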