VLAN question



To preface my question I would like to clarify that I understand VLANs in concept but have not implemented them in practice. 

 

A client of mine has approx 50 computer systems all on the same VLAN but would like to split them off to limit accidental access to administrative systems by low level employees and WiFi guests. As it stands there is nothing terribly remarkable about the existing network - a Sophos UTM, HP ProCurve Gigabit switches, some Ubiquiti access points, and a shared AIO/Multifunction. I am fairly confident in setting up 4 separate VLANs (Administration, Employee, Guest, and Management) but I am not sure how to make sure the shared AIO/Multifunction is accessible to both Administrative and Employee users. What is the best practice for handling this with the existing equipment?


So what is going to route between these vlans?  That is where the controls/firewall would be put in that says this network can not talk to this network, or this IP.  But can talk to this IP on this port.

 

I would assume you would do your routing at the UTM? This would make the most sense for the most control between segments. If you did the inter-VLAN routing at your switches, do you have a core switch? How is the network laid out - how many switches? Can you draw up this network and then we can work out the best way to split it up into multiple segments.


Basic network map in link below. I know I will need to set up VLAN trunks between both switches, APs, and the UTM due to the fragmentation of the network. Reworking the network layout to avoid fragmentation is not negotiable due to budget constraints and physical separation of the switches.

 

https://1drv.ms/b/s!AtWZHKQ4fyirolPv6nDrG4J3NroY


What model is your ProCurve non-PoE switch? Looks like that is where you would need to do your L3 routing between VLANs if you don't want to do it on the UTM. You are correct that you'll need to trunk all VLANs through to both your switches as well as the AP.


From the perspective of the UTM, the first switch in line is an HP 2530-48G, the next switch in line is an HP 2530-24G-PoEP.


Will there also be 3 different wireless SSIDs to correspond to these VLANs or were you going to try to segment wireless clients based on their MAC addresses? The printer can be dropped into any of the VLANs or it could have its own with access controlled to it through policy on the UTM.

 

Are you planning on changing the IPs for all of these devices? If they are all in the same VLAN now they are most likely also all in the same IP Subnet. To put these into VLANs you will either need to re-IP everything so that each VLAN has a dedicated subnet (in order for layer 3 routing to take place on the UTM) or you will have to use a layer 2 firewall which I don't think the Sophos UTM can do.

 

To go the Layer 3 route, you would trunk all of the VLANs to the UTM (or use dedicated physical links depending on how many physical interfaces your UTM has) and then create sub-interfaces on the UTM for each VLAN (Sophos calls them Ethernet VLAN interfaces), giving each interface an IP and mask in that VLAN's subnet. This should populate the routing table for you, and then you would need to create firewall policies to allow traffic on the required ports depending on what services you want to allow. You may also need some additional NAT rules to get internet access working (unless you have 50 public IPs). In addition, unless everything is statically assigned, you will also need to update your DHCP server to include the additional scopes. If you are using the UTM as the DHCP server you can configure multiple virtual DHCP servers on it, one for each VLAN.

 

I don't work much with Sophos hardware/software so I apologize if anything here is misleading or incorrect. I tried to find some useful links that might help.


IPs of the Administrator devices are currently in the 192.168.0.0/24 range and most of the clients are dynamically assigned. Employee devices will be dynamically assigned as well in the 192.168.1.0/24 range. The plan for the access points is to VLAN based on SSID with 3 separate SSIDs. Which VLAN should I put the printer in? How would I go about configuring the UTM to route from the other VLAN to the printer without exposing any of the administrator systems to employees or exposing anything but internet to guests?


So the routing is done at your UTM; this is where you would create your firewall rules that allow the traffic you want to where you want it and block the other traffic.
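To make the inter-VLAN policy discussed in this thread concrete (the Layer 3 layout from the earlier reply and the printer question at the end), here is an added example that is not from any poster: a small Python model of a default-deny rule set the UTM would enforce between the segments. The Admin and Employee subnets are the ones given in the thread; the Guest, Management and printer subnets, the printer ports (9100 raw, 631 IPP) and the rule set itself are assumptions for illustration, not the client's configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Segments the UTM would route between. Admin/Employee are from the thread;
# the other three ranges are assumed placeholders. The printer sits in its
# own small VLAN so access to it can be controlled by policy alone.
VLANS = {
    "admin":      ipaddress.ip_network("192.168.0.0/24"),
    "employee":   ipaddress.ip_network("192.168.1.0/24"),
    "guest":      ipaddress.ip_network("192.168.2.0/24"),   # assumed
    "management": ipaddress.ip_network("192.168.3.0/24"),   # assumed
    "printer":    ipaddress.ip_network("192.168.4.0/29"),   # assumed
}

@dataclass(frozen=True)
class Rule:
    src: str                      # source VLAN name
    dst: str                      # destination VLAN name or "internet"
    ports: Optional[frozenset]    # allowed TCP destination ports, None = any

# First match wins; anything not matched is dropped (default deny).
# Only the printer is reachable from Employee, only internet from Guest.
RULES = [
    Rule("admin",    "printer",    frozenset({9100, 631})),
    Rule("employee", "printer",    frozenset({9100, 631})),
    Rule("admin",    "management", None),
    Rule("admin",    "employee",   None),
    Rule("admin",    "internet",   None),
    Rule("employee", "internet",   None),
    Rule("guest",    "internet",   None),
]

def vlan_of(ip: str) -> str:
    """Map an address to its VLAN name; anything outside is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide whether routed traffic would pass the UTM policy."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:
        return True   # same VLAN: switched at L2, never reaches the UTM
    for r in RULES:
        if r.src == src and r.dst == dst and (r.ports is None or dst_port in r.ports):
            return True
    return False
```

Checking a handful of flows through `is_allowed` before touching the real UTM is a cheap way to confirm the rule order gives employees the printer without giving them the administrator subnet, and gives guests nothing but internet.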
