Currently have a flat network with:
* Router/Firewall
* L3 Switches
* Hypervisor + AD/File Server in a VM
* App server
* BDR
* 20 PCs
* No Wi-Fi
It's a small network, but due to liability issues we were told to segment to different VLANs and apply secure policies. Planning on this VLAN scheme:
* VLAN1 - Nothing (172.16.1.xxx)
* VLAN10 - Servers (172.16.10.xxx)
  - AD Server, File Server
  - App Server
  - BDR (backs up servers and certain laptops in VLAN20)
* VLAN20 - PCs (172.16.20.xxx)
* VLAN99 - Management (172.16.99.xxx) iDRAC / iLO, Switches
Some questions:
1) They want servers to be in a different VLAN. Is that a good idea, to make the AD/File/App Servers separated from workstations? How would the servers & workstations communicate? Can you elaborate on VLAN routing?
2) Same for Management VLAN, if it's separated, then how would we access the configs from a remote workstation? Should the servers/BDR be members of this VLAN too?
3) Any suggestions or changes you recommend? Small IT dept, so prefer simplicity while still satisfying recommended security best practices.
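An added example, not part of the post, of how inter-VLAN routing with per-VLAN ACLs can look on the L3 switch for the scheme above, written in Cisco IOS-style syntax (the post does not name a vendor, so the syntax is an assumption). The SVI gateway addresses, the host addresses 172.16.10.10 (AD/file), 172.16.10.20 (app), 172.16.10.30 (BDR), the app service port 443 and the admin jump host 172.16.20.50 are assumed; only the VLAN numbers and subnets come from the post.

```text
! Routing between the SVIs happens on the L3 switch; each VLAN gets
! an SVI as its gateway and an inbound ACL that filters what leaves it.
! IOS ACLs are stateless, so return traffic must be permitted explicitly;
! a stateful firewall between the VLANs avoids that (assumed config).
ip routing
!
interface Vlan10
 description Servers
 ip address 172.16.10.1 255.255.255.0
 ip access-group SERVERS-IN in
!
interface Vlan20
 description Workstations
 ip address 172.16.20.1 255.255.255.0
 ip access-group WORKSTATIONS-IN in
!
interface Vlan99
 description Management (iDRAC / iLO, switch management)
 ip address 172.16.99.1 255.255.255.0
!
! Leaving VLAN20: only the named services on the servers, the management
! VLAN only from the jump host, the rest out to the router/firewall.
ip access-list extended WORKSTATIONS-IN
 remark DNS/Kerberos/NTP/LDAP/SMB/RPC to the AD + file server (172.16.10.10 assumed)
 permit udp 172.16.20.0 0.0.0.255 host 172.16.10.10 eq 53 88 123
 permit tcp 172.16.20.0 0.0.0.255 host 172.16.10.10 eq 53 88 135 389 445
 permit tcp 172.16.20.0 0.0.0.255 host 172.16.10.10 range 49152 65535
 remark app server (172.16.10.20 assumed) on its service port (443 assumed)
 permit tcp 172.16.20.0 0.0.0.255 host 172.16.10.20 eq 443
 remark replies for sessions the BDR opens to the laptops it backs up
 permit tcp 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255 established
 remark management VLAN only from the admin jump host (172.16.20.50 assumed)
 permit tcp host 172.16.20.50 172.16.99.0 0.0.0.255 eq 22 443
 deny   ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny   ip 172.16.20.0 0.0.0.255 172.16.99.0 0.0.0.255
 remark everything else (Internet) goes to the router/firewall
 permit ip 172.16.20.0 0.0.0.255 any
!
! Leaving VLAN10: the BDR (172.16.10.30 assumed) may reach VLAN20 to back
! up laptops, other servers only answer workstation sessions, and no
! server reaches the management VLAN.
ip access-list extended SERVERS-IN
 permit ip host 172.16.10.30 172.16.20.0 0.0.0.255
 permit tcp 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255 established
 permit udp host 172.16.10.10 eq 53 88 123 172.16.20.0 0.0.0.255
 deny   ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
 deny   ip 172.16.10.0 0.0.0.255 172.16.99.0 0.0.0.255
 permit ip 172.16.10.0 0.0.0.255 any
```

VLAN99 carries no inbound ACL here, so iDRAC/iLO and switch replies to the jump host are not blocked; the multi-port `eq` form needs a recent IOS, otherwise split it into one line per port.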