
I finally took the time to map my entire shitty network to understand exactly what the guy before me did, and I must admit I'm a little bit surprised, even if I'm not a network expert...

Just take a look at that diagram I made so you can have a better idea of the situation.

I'm planning to reconfigure my network like that.

Do I need to "inform" my router/firewall of the existence of the VLANs, or is it possible to configure VLANs on the switches so that it is totally transparent to my router, acting like basic interfaces connected to different physical switches?

Subsidiary questions are:

  • Is this network design OK with regard to best practices and SOP?
  • My VoIP server needs to be accessed through the internet without a VPN (for mobile devices). I know it's unsafe, but how could I improve the security without losing this functionality?
  • Will linking 2 switches with more than 1 wire boost the available bandwidth between them?

I know my questions are dumb, but I'm totally clueless when it comes to theory...

Thank you in advance.

Thierry Dalleau
  • There's no such thing as an "L1 switch". Switches work on layer 2; more sophisticated ones also on L3+. If it's an L1 device, i.e. a hub, you should replace it with a switch. An unmanaged switch must never be connected in a loop/mesh: it'll cause a bridge loop and broadcast storm, bringing down the network. For redundant loops or link aggregation you need a managed switch and the corresponding configuration. – Zac67 Sep 04 '17 at 19:01
  • Not really relevant for this question, but L1 switches do exist: https://en.wikipedia.org/wiki/Optical_switch, they just have a really different function. More relevant: you're asking a LOT of questions; a number of them are very broad and lead to opinion-based answers. Please consider rewriting your question. – Teun Vink Sep 05 '17 at 05:22
  • @TeunVink Thank you for your reply. Well, I'm searching for some best-practice advice I could apply to my case... Maybe you could point me to some other sites where I could ask such open questions and submit my query? Thank you in advance. – Thierry Dalleau Sep 05 '17 at 05:36
  • Why do you consider the wiring to be a constraint? Having a single cable to each desk with an IP phone and then a PC behind the phone has been SOP since the mid-2000s. You just put the phone in a voice VLAN and the PC in an office VLAN and you're good to go. Also, you really shouldn't expose your VoIP server to the Internet directly; it's not a security device. That should be left to things like a Session Border Controller. – Jeremy Gibbons Sep 05 '17 at 07:06
  • @JeremyGibbons thank you for your reply. Well, it leaves me with only 100 Mb connections where I have 1000 Mb wiring available. You mean my VLANs should be managed by my firewall instead of the switch? And how would my remote users connect their smartphone client to the VoIP server if it's not directly available? I restricted access to this server to only the ports used by the VoIP solution for remote operations. – Thierry Dalleau Sep 05 '17 at 07:17
  • @ThierryDalleau in most office situations, 100 Mbps is more than enough. It may not be intellectually satisfying given that the PC & switch support 1G, but that's life :-) Regarding VLANs, your switch must support the different VLANs, and then you need your router (or L3 switch) or your firewall to route between them, depending on your security requirements. – Jeremy Gibbons Sep 05 '17 at 16:20
  • @ThierryDalleau Regarding the VoIP server, there are many solutions that act as a sort of reverse proxy so that external users can connect without exposing the VoIP server itself. For example, for a Cisco CUCM you could use Cisco Expressway for this. – Jeremy Gibbons Sep 05 '17 at 16:23
  • OK, thank you very much @JeremyGibbons. I'm using a WatchGuard device; I'll dig into that. Regarding the VLANs, I think it's all becoming clearer to me now. Thank you very much. – Thierry Dalleau Sep 05 '17 at 16:30
  • @ThierryDalleau - Looking at the original design and your proposed changes, the missing items appear to be your IP addressing for the subnets/VLANs and the L2/L3 switch models. Whether or not your client devices' IP ranges include RFC 1918 addressing needs to be considered. – user4565 Sep 05 '17 at 18:24
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could post and accept your own answer. – Ron Maupin Dec 31 '20 at 05:21

2 Answers

From a router's perspective, what matters are interfaces. It doesn't change the router's behavior whether an interface is physical or virtual.

You can have either two cables between the router and the switch, each one in its own VLAN, or a single cable configured as a trunk that carries both VLANs.

Both scenarios will work, but they are not strictly equivalent.

  • In the first case, if you want to add a third network, you need to have an interface available on the router and on the switch, and connect a new cable.

  • In the second case, the single cable is a single point of failure (it's not the only one in the network, but still it is one) and the bandwidth is shared across the 2 VLANs. But it's really easy to add a new VLAN.

To get the best of the 2 approaches, you connect the 2 cables, aggregate them with LACP, set this bond as a trunk and configure QoS. You can further increase the redundancy and bandwidth by adding more links to the bond (most systems allow at least 4 links; 8 is also quite common).

This way you have improved bandwidth and fault tolerance.

Will linking 2 switches with more than 1 wire boost the available bandwidth between them?

Yes, as long as there are several flows. In a bond, a single flow will use only one physical link, and will be limited by the bandwidth of this specific link. But different flows can use different links, thus increasing the overall network bandwidth.
(Depending on the algorithm used in the bond, a flow can be defined by source/destination MAC addresses and/or IP addresses and/or even TCP/UDP ports.)

Regarding your VoIP server, that should really be a separate question, but you could use a VPN on the mobile devices, for example.

JFL
  • The PC-behind-a-phone speed mentioned in the comments is all dependent on the phone. If it is an up-to-date phone the PC will get Gb speeds. If it is an old phone that only supports 100 Mb the PC will only get 100 Mb passed through. If it can pass Gb speeds it may simplify things. – Kendrick Sep 05 '17 at 16:01
  • @Kendrick, nice to know! Now I need to negotiate with my management for a gigabit PoE switch + recent IP phones! :D – Thierry Dalleau Sep 05 '17 at 16:27
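The answer above says that a bond spreads flows, not frames, over its member links, and that what counts as a "flow" depends on the hashing algorithm. The following is an added example, not code from the answer or from any vendor: it models the three xmit_hash_policy modes of the Linux bonding driver (layer2, layer2+3, layer3+4) with simplified hash arithmetic (not a byte-exact copy of the kernel's), and runs constructed sample flows (made-up MACs, IPs and ports) through a two-link bond to show which link each conversation lands on.

```python
"""Toy model of how an LACP bond spreads traffic over its member links.

Added example; not code from the original post or from any vendor. It
approximates the xmit_hash_policy modes of the Linux bonding driver
(layer2, layer2+3, layer3+4). The hash arithmetic is a simplified model
of the kernel's, and the flows below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One conversation crossing the bond, identified by its headers."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def _ip_int(ip: str) -> int:
    a, b, c, d = (int(octet) for octet in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _fold(h: int) -> int:
    # Fold the wide hash down to one byte before taking the modulus, so
    # that bits from every header field influence the chosen link.
    h ^= h >> 16
    h ^= h >> 8
    return h & 0xFF


def hash_layer2(f: Flow) -> int:
    # layer2: MAC addresses only. Every conversation between the same two
    # hosts (or the same two routers) lands on the same member link.
    return _fold(_mac_int(f.src_mac) ^ _mac_int(f.dst_mac))


def hash_layer2_3(f: Flow) -> int:
    # layer2+3: MACs plus IP addresses. Spreads traffic between different
    # IP pairs even when the MACs are identical (e.g. behind a router).
    return _fold(hash_layer2(f) ^ (_ip_int(f.src_ip) ^ _ip_int(f.dst_ip)))


def hash_layer3_4(f: Flow) -> int:
    # layer3+4: IPs plus TCP/UDP ports. Different connections between the
    # same two hosts can now use different links.
    ports = (f.src_port ^ f.dst_port) << 16
    return _fold(ports ^ (_ip_int(f.src_ip) ^ _ip_int(f.dst_ip)))


POLICIES = {"layer2": hash_layer2, "layer2+3": hash_layer2_3, "layer3+4": hash_layer3_4}


def pick_link(flow: Flow, policy: str, link_count: int) -> int:
    """Member link (0..link_count-1) that carries every frame of this flow."""
    return POLICIES[policy](flow) % link_count


def distribute(flows, policy: str, link_count: int) -> dict:
    """Map each member link to the list of flows it carries."""
    by_link = defaultdict(list)
    for f in flows:
        by_link[pick_link(f, policy, link_count)].append(f)
    return dict(by_link)


def links_used(flows, policy: str, link_count: int) -> set:
    return set(distribute(flows, policy, link_count))


# Constructed sample: one PC opening four TCP connections to one server on
# the far side of a two-link switch-to-switch bond. Addresses are made up.
PC_MAC, SERVER_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_FLOWS = [
    Flow(PC_MAC, SERVER_MAC, "10.0.10.20", "10.0.20.5", sport, 443)
    for sport in (50000, 50001, 50002, 50003)
]

if __name__ == "__main__":
    for policy in POLICIES:
        spread = distribute(SAMPLE_FLOWS, policy, link_count=2)
        summary = {link: [f.src_port for f in flows] for link, flows in sorted(spread.items())}
        print(f"{policy:9s} -> {summary}")
```

With layer2 or layer2+3 hashing, all four connections between the same PC and server hash identically and share one link, so a single host-to-host transfer never exceeds one link's speed; only layer3+4 lets the four connections use both links. The hash is computed independently at each end of the bond, so both switches (or switch and router) need a policy that spreads the traffic you actually carry.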

It's more optimal to configure the VLANs on the layer 3 switch and route traffic from the layer 3 switch to the firewall, allowing all VLAN traffic to be routed between the firewall and the layer 3 switch.

A firewall is a security device, better suited to operating from a security perspective: creating security policies, controlling and restricting traffic, monitoring traffic for IPS & IDS, antivirus. So VLAN creation and configuration and inter-VLAN routing on the firewall is not recommended. The same goes for a router.

Sagar Uragonda