Thursday, June 21, 2018

1000 devices, 1000 vlans - need help on client isolation

I've been lurking in here for quite some time, and I have a situation I'd like to hear your input on.

We all know how temporary solutions are the most permanent things in IT. Well, this is what I'm dealing with at the moment.

We have a somewhat unique network, as in the users on it, and how it's being used. I really can't go into too many details on how and for what it's used.

Long story short.

Way back in the day when the network was "small" we needed a network where the devices on it couldn't talk to each other. Someone said "this is what vlans are for".

This resulted in a network with ~10 access switches, each of which had up to 10 ports, each in its own vlan/subnet. Each vlan had a /30 assigned.

The firewall acting as gateway/dhcp server had a sub interface in each vlan, and then access lists accordingly to block inter client communication.

Then suddenly the network grew. But the design didn't change.

We now have around 100 access switches. And 1000 vlans. And a firewall with a sub interface in each vlan.

This all needs to change, but how?

We still have the need for client isolation on a layer2 level, and we'd like to make the dhcp/access list config simpler.

We've thought about using "Port ACL" (Cisco term) or "Source Port Filter" (HP term), and then flattening the DHCP scope from 1000 x /30 to a single /22.

This would mean all the vlans/dhcp/firewall rules would go away.

Any advice you could give is greatly appreciated.
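One way to express the Port ACL plus protected-port idea on a Cisco Catalyst access switch, as an added example that is not from the original post; the 10.10.0.0/22 client range, gateway/DHCP address 10.10.0.1, VLAN 100 and the 48-port range are assumptions made for the example.

```cisco
! Assumed addressing (constructed for this example): clients live in the flat
! 10.10.0.0/22, the firewall is gateway and DHCP server at 10.10.0.1.
ip access-list extended CLIENT-ISOLATION
 ! DHCP discover/request from an unconfigured client (0.0.0.0 -> broadcast)
 permit udp any eq bootpc any eq bootps
 ! anything the client sends to the gateway/DHCP server is allowed
 permit ip any host 10.10.0.1
 ! block traffic aimed at any other client in the same /22
 deny   ip any 10.10.0.0 0.0.3.255
 ! off-subnet traffic is routed via the gateway anyway; the firewall policies it
 permit ip any any
!
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 100
 ! protected port: no unicast/broadcast/multicast between protected ports
 ! on this switch, independent of the IP ACL below
 switchport protected
 ! port ACL, applied inbound on the layer-2 access port
 ip access-group CLIENT-ISOLATION in
 spanning-tree portfast
```

The IPv4 port ACL does not filter ARP or other non-IP frames, and `switchport protected` only blocks traffic between protected ports on the same switch, so with ~100 switches sharing one flat VLAN the inter-switch isolation still needs isolated private VLANs (or an equivalent) on top of this.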


