
To Vlan or not to Vlan...that is the ?


qweasdzxcqweasdzxc

Technical User
Sep 12, 2006
61
US
I have about sixty computers on the same subnet and, as they are supposed to, they do a lot of normal broadcasting throughout the day. One of my users got a virus from file sharing, it got past updated Symantec scanners, and it took down my entire network! I called Cisco for support and together we dropped in some packet sniffers to check out what was going on... After evaluating the LAN, Cisco suggested that I implement a VLAN in order to keep a situation like this from taking out the entire LAN again.
So I figure this: if I put the computer labs in one VLAN, administration in another, and all of the other users in the third VLAN, then if one of them were to begin broadcasting all kinds of wacky ICMP data over the weekend again (or something similar), I wouldn't have to worry as much about the entire network being affected (and possibly being offline on Monday morning). Is this the best solution? Can I do this while keeping the current IP address scheme? What other options do I have?
 
You can look into running PacketFence if you have *nix based systems (which will check machines for up-to-date patches, software, etc. and not allow them to join the network until their antivirus and patches are up to date), or you could just segment them properly. Another nifty idea would be to run snort_inline, then have a command kick someone off the network entirely if there are issues.

perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'
 
If you already have gear that can support VLANs I would opt for that. You will need a separate network address for each VLAN to segment your broadcast traffic. I would probably leave your admin segment as is and set up DHCP ranges for the labs and users.

[morning] needcoffee
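The addressing advice in the reply above, worked through as an added example (not code from anyone in the thread): it carves one subnet per VLAN out of an existing range, derives a gateway and DHCP pool for each, and checks that no two broadcast domains overlap. The parent range `192.168.0.0/24`, the VLAN IDs, the 30/10/20 split of the sixty machines and the statically addressed admin group are all assumptions, since the thread does not give the real addressing.

```python
import ipaddress
from itertools import combinations

def plan_vlans(parent, groups, reserve=5):
    """Carve one subnet per VLAN out of `parent`, largest group first.

    groups:  (vlan_id, name, host_count, use_dhcp) tuples.
    reserve: first host addresses per subnet kept for the gateway and
             statically addressed devices (switches, printers).
    """
    parent = ipaddress.ip_network(parent)
    cursor = parent.network_address
    plan = {}
    # Allocating largest-first keeps every subnet aligned on its own boundary.
    for vlan_id, name, count, use_dhcp in sorted(groups, key=lambda g: -g[2]):
        needed = count + reserve + 2            # + network and broadcast addresses
        prefix = 32 - (needed - 1).bit_length() # smallest power-of-two block that fits
        net = ipaddress.ip_network((cursor, prefix))
        if not net.subnet_of(parent):
            raise ValueError(f"{parent} is too small for VLAN {vlan_id} ({name})")
        hosts = list(net.hosts())
        plan[name] = {
            "vlan": vlan_id,
            "subnet": net,
            "gateway": hosts[0],
            "broadcast": net.broadcast_address,
            "dhcp": (hosts[reserve], hosts[-1]) if use_dhcp else None,
        }
        cursor = net.broadcast_address + 1
    return plan

def overlapping(plan):
    """Return pairs of VLAN names whose subnets overlap (should be empty)."""
    return [(a, b) for a, b in combinations(plan, 2)
            if plan[a]["subnet"].overlaps(plan[b]["subnet"])]

# Constructed sample input: VLAN IDs and host counts are assumptions.
GROUPS = [(10, "labs", 30, True), (20, "admin", 10, False), (30, "users", 20, True)]

if __name__ == "__main__":
    plan = plan_vlans("192.168.0.0/24", GROUPS)
    for name, p in plan.items():
        pool = f"{p['dhcp'][0]} - {p['dhcp'][1]}" if p["dhcp"] else "static only"
        print(f"VLAN {p['vlan']:>3} {name:<6} {p['subnet']!s:<18} "
              f"gw {p['gateway']}  bcast {p['broadcast']}  dhcp {pool}")
    print("overlaps:", overlapping(plan) or "none")
```

Each VLAN ends up with its own broadcast address, so a broadcast storm in one group stays inside that subnet; traffic between groups has to cross the routed gateway, where it can be filtered.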
 